This trojan might arrive as a file attached to an email sent by a hacker using a spoofed email address. We've seen this trojan being delivered as a .ZIP or .RAR archive with names similar to the following:
The archive contains an executable file with the same file name. If the trojan is run, it injects code into the running process "svchost.exe", which results in the malware creating a copy of itself as a randomly named file, as in the following example:
The malware makes changes to the registry so that the malware runs each time you start your PC.
Downloads other malware
The trojan attempts to connect to multiple websites using a crafted URL that is similar to the following format:
The parameters passed by the trojan to the website vary among variants of the trojan. TrojanDownloader:Win32/Kuluoz.B also sends requests to legitimate sites, including Bing.com, Twitter.com, Google.com and Fb.com, mixing them with requests to malicious sites so that its malicious traffic is harder to spot.
When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "scbirs.ch".
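A detection heuristic for the decoy-traffic behaviour described above, added here as an example that is not from the original page: it flags a client process that sends one identical URL path and query string to several domains, mixing well-known legitimate ones with an unknown one. The log lines, the process name as a log field, and the URL path and query are constructed placeholders, since the page does not give the real URL format.

```python
"""Flag decoy-traffic mixing: one client process sending the same crafted
URL path+query to many domains, some of them well-known legitimate ones.
Added example; the log lines and URL format below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Legitimate domains the page says Kuluoz.B mixes into its requests.
DECOY_DOMAINS = {"bing.com", "twitter.com", "google.com", "fb.com"}

# Constructed proxy log: "<client_ip> <process> <url>" (placeholder path/query,
# not the trojan's real URL format, which the page does not reproduce).
SAMPLE_LOG = """\
10.0.0.5 svchost.exe http://www.bing.com/EXAMPLE-PATH/?id=PLACEHOLDER
10.0.0.5 svchost.exe http://twitter.com/EXAMPLE-PATH/?id=PLACEHOLDER
10.0.0.5 svchost.exe http://unknown-host.example/EXAMPLE-PATH/?id=PLACEHOLDER
10.0.0.5 svchost.exe http://www.google.com/EXAMPLE-PATH/?id=PLACEHOLDER
10.0.0.7 chrome.exe http://www.bing.com/search?q=weather
10.0.0.7 chrome.exe http://twitter.com/home
"""


def registered_domain(host):
    """Collapse 'www.bing.com' to 'bing.com' (simple two-label heuristic)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_decoy_mixing(log_text, min_domains=3):
    """Return {(client, process, path_query): sorted domains} for every
    client/process that sent one identical path+query to at least
    min_domains distinct domains, where at least one domain is a known
    decoy and at least one is not (the mixing pattern described above)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, proc, url = line.split(maxsplit=2)
        u = urlsplit(url)
        key = (client, proc.lower(), u.path + "?" + u.query)
        seen[key].add(registered_domain(u.hostname))
    hits = {}
    for key, domains in seen.items():
        if (len(domains) >= min_domains
                and domains & DECOY_DOMAINS
                and domains - DECOY_DOMAINS):
            hits[key] = sorted(domains)
    return hits
```

Ordinary browsing sends different paths to each site, so it is not flagged; the non-decoy domain in a hit is the candidate command-and-control host to investigate.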
Analysis by Jeong Mun
Alerts from your security software may be the only symptom.