TrojanDownloader:Win32/Kuluoz.B

Encyclopedia entry
Updated: Jun 19, 2012  |  Published: Jun 01, 2012

Aliases
  • VirTool:Win32/Injector.gen!BB (other)
  • Trojan-Dropper.Win32.Dapato.bipz (Kaspersky)
  • Mal/EncPk-AFA (Sophos)
  • Mal/Kuluoz-C (Sophos)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.153.176.0
Released: Jun 19, 2013
Detection initially created:
Definition: 1.127.1171.0
Released: Jun 01, 2012
Summary

TrojanDownloader:Win32/Kuluoz.B is a trojan that attempts to connect your computer to a remote server so it receives and performs instructions, such as to download and execute files. This trojan has been observed to download variants of Rogue:Win32/Winwebsec, a rogue security scanner.
Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.
Technical Information (Analysis)

TrojanDownloader:Win32/Kuluoz.B is a trojan that attempts to connect your computer to a remote server so it receives and performs instructions, such as to download and execute files. This trojan has been observed to download variants of Rogue:Win32/Winwebsec, a rogue security scanner.

Installation

This trojan may arrive as a file attached to an email sent by an attacker using a spoofed email address. We observed this trojan to be delivered as a .ZIP or .RAR archive having names similar to the following:

  • Ticket_Delta_Air_Lines_US9760.zip
  • Ticket_AA_Air_ID186-178US.zip
  • Postetikett_Deutsche_Post_AG_DE482456.zip
  • Print_Label_FedEx_AN173738US.zip
  • FedEx_Label_ID_Order_83-27-4534US.zip
  • Label_US.6366NT.zip
  • IRSPROFILE.zip
  • Label_Parcel_IN34-789-54UK.rar

The archive contains an executable file with the same file name. If the trojan is run, it injects code into the running process "svchost.exe", which results in the malware creating a copy of the trojan as a randomly named file, as in the following example:

  • %LOCALAPPDATA%\pfranvvn.exe

Note that %LOCALAPPDATA% references a directory such as the following:

  • C:\Documents and Settings\Administrator\Local Settings\Application Data\    (Windows Vista)
  • C:\Users\<logon name>\AppData\Local\    (Windows 7)

The malware makes changes to your computer that will run the trojan when you start Windows.

Payload

Downloads other malware

TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:

  • <site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0

The parameters the trojan passes to the website vary among variants of the trojan. TrojanDownloader:Win32/Kuluoz.B also requests legitimate sites, including Bing.com, Twitter.com, Google.com and Fb.com, mixing them with the malicious sites to hide its traffic requests.

When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "scbirs.ch".
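The gate-request format above is the one stable indicator this entry gives, so a defender can match on its shape rather than on any particular host or "fq" value. The following is an added example, not part of the Microsoft entry: it scans constructed proxy log lines for requests with the Kuluoz.B gate shape and, for context, notes which of the decoy hosts named above each client also contacted. The log format, client addresses and the .invalid/.example host names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Benign hosts the entry says the trojan also requests to blend in its traffic.
DECOY_HOSTS = {"bing.com", "twitter.com", "google.com", "fb.com"}
# The fq value in the entry is 8 hex digits; it varies by variant, so match shape.
FQ_RE = re.compile(r"^[0-9a-f]{8}$")

# Constructed proxy log: "<time> <client> <url> <status>". Hosts are placeholders.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 10.0.0.5 http://www.bing.com/ 200
2012-06-01T10:00:02Z 10.0.0.5 http://c2-one.invalid/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 200
2012-06-01T10:00:03Z 10.0.0.5 http://twitter.com/ 200
2012-06-01T10:00:04Z 10.0.0.7 http://c2-two.invalid/index.php?r=gate&fq=deadbeef&group=sl22&debug=1 404
2012-06-01T10:00:05Z 10.0.0.9 http://intranet.example/index.php?r=catalog&id=5 200
2012-06-01T10:00:06Z 10.0.0.9 http://google.com/ 200
""".splitlines()

def parse_gate_request(url):
    """Return the gate parameters if the URL matches <site>/index.php?r=gate&fq=<hex>&group=..&debug=.., else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("r") != ["gate"] or "group" not in q or "debug" not in q:
        return None
    fq = q.get("fq", [""])[0]
    if not FQ_RE.match(fq):
        return None
    return {"fq": fq, "group": q["group"][0], "debug": q["debug"][0]}

def analyse(log_lines):
    """Flag gate requests on any host; record decoy hosts per client, since those carry no indicator alone."""
    gate_hits = []          # (client, host, fq, group)
    decoys_by_client = {}   # client -> set of decoy hosts contacted
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue        # malformed line, skip it
        client, url = fields[1], fields[2]
        host = (urlsplit(url).hostname or "").lower()
        bare = host[4:] if host.startswith("www.") else host
        if bare in DECOY_HOSTS:
            decoys_by_client.setdefault(client, set()).add(bare)
        params = parse_gate_request(url)
        if params:
            gate_hits.append((client, host, params["fq"], params["group"]))
    return gate_hits, decoys_by_client
```

Because the hit list is keyed on the query shape, a request carrying the gate parameters to any host is surfaced, while the decoy traffic by itself never produces an alert.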

Analysis by Jeong Mun
Prevention
Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.