Microsoft security software detects and removes this threat.

This trojan tries to steal your passwords and sensitive information. It can also download other malware onto your PC, including other variants of Win32/Kuluoz and Win32/Sirefef, and variants of rogue security software such as Win32/FakeSysdef and Win32/Winwebsec.

Find out ways that malware can get on your PC.

What to do now

Use the following free Microsoft software to detect and remove this threat: 

You should also run a full scan. A full scan might find hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Win32/Kuluoz might infect your PC through spam email that has an attachment.

Here is a preview of the Kuluoz infection chain at the time of analysis:

The emails we've seen all look different, but they usually have a ZIP archive file attachment, as in the following example messages:

The attachment is actually a copy of this trojan. When the ZIP archive is opened, it copies itself to your PC using various file names like these:

  • csrss.exe
  • urlmon.exe
  • txbalmst.exe

Note that the file names used by the trojan could be similar or exactly the same as already existing Windows system files. The trojan file will run when you start Windows.


Steals sensitive data files

Win32/Kuluoz tries to steal the following files from your PC:

  • Microsoft Word files (files with extension .doc, .docx)
  • Microsoft Excel files (files with extension .xls, .xlsx)
  • Password files for Mozilla Firefox and Thunderbird (key3.db and signons.sqlite)
  • Password file for Opera web browser (wand.dat)
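As an added illustration of how a defender might hunt for the indicators listed above (the drop file names that mimic Windows system files, and the browser password stores the trojan collects), the following Python script is example code written for this page; it is not Microsoft's detection logic. The file inventory and file-access log are constructed sample data, and the expected Windows system directories and the list of processes that legitimately open the password stores are assumptions.

```python
"""Hunting for the Win32/Kuluoz indicators listed in the entry above.

Added example, not Microsoft's detection logic. The inventory and the
file-access log are constructed sample data; SYSTEM_DIRS and STORE_OWNERS
are assumptions made for this example.
"""
import ntpath

# File names the entry says the trojan copies itself under.
KULUOZ_DROP_NAMES = {"csrss.exe", "urlmon.exe", "txbalmst.exe"}

# Password stores the entry says the trojan steals.
CREDENTIAL_STORES = {"key3.db", "signons.sqlite", "wand.dat"}

# Assumption: a genuine file with one of these names (e.g. csrss.exe) lives
# only directly under the Windows system directories; a same-named file
# anywhere else is worth a closer look.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: the processes that legitimately open the password stores.
STORE_OWNERS = {"firefox.exe", "thunderbird.exe", "opera.exe"}


def _norm(path: str) -> str:
    """Normalise a Windows-style path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in one of the expected system directories."""
    return ntpath.dirname(_norm(path)) in SYSTEM_DIRS


def find_suspicious_drops(inventory):
    """Return files whose name matches a Kuluoz drop name but that live
    outside the system directories where the real system file would be."""
    hits = []
    for path in inventory:
        name = ntpath.basename(_norm(path))
        if name in KULUOZ_DROP_NAMES and not in_system_dir(path):
            hits.append(path)
    return hits


def find_store_access(access_log):
    """Flag reads of browser password stores by processes other than their
    owners. access_log is an iterable of (process_path, file_path) tuples."""
    hits = []
    for proc, target in access_log:
        target_name = ntpath.basename(_norm(target))
        proc_name = ntpath.basename(_norm(proc))
        if target_name in CREDENTIAL_STORES and proc_name not in STORE_OWNERS:
            hits.append((proc, target))
    return hits


# Constructed sample data for the example.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\csrss.exe",               # legitimate location
    r"C:\Users\alice\AppData\Local\csrss.exe",      # same name, wrong place
    r"C:\Users\alice\AppData\Roaming\txbalmst.exe",  # drop name, user profile
    r"C:\Program Files\Tool\tool.exe",              # unrelated binary
]

SAMPLE_ACCESS_LOG = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\key3.db"),
    (r"C:\Users\alice\AppData\Local\csrss.exe",
     r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\signons.sqlite"),
    (r"C:\Users\alice\AppData\Local\csrss.exe",
     r"C:\Users\alice\AppData\Roaming\Opera\wand.dat"),
]

if __name__ == "__main__":
    for path in find_suspicious_drops(SAMPLE_INVENTORY):
        print("suspicious drop:", path)
    for proc, target in find_store_access(SAMPLE_ACCESS_LOG):
        print("password store read by non-owner:", proc, "->", target)
```

On the constructed data, the two drop-named files in the user profile and the two password-store reads by the user-profile `csrss.exe` are flagged, while the genuine `System32\csrss.exe` and Firefox's own read of `key3.db` are not. In a real hunt the inventory would come from an endpoint file listing and the access log from file-audit or EDR telemetry.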

The trojan packages these files into a single archive file and uploads it to an online storage website or remote server, where it can be accessed by hackers.

The trojan also steals saved login details from the following file transfer applications and web browsers, and uploads the stolen details to a remote server:

  • Mozilla Firefox
  • Google Chrome
  • FileZilla
  • Total Commander
  • Far Manager
  • SmartFTP
  • WinSCP
  • BulletProof FTP client
  • BitKinex

Downloads arbitrary files

Win32/Kuluoz tries to connect to a remote server to report details about your PC, like the PC UID, and to retrieve commands to run. Commands could instruct the trojan to do these actions:

  • Download and run files
  • Update itself
  • Uninstall the malware

The following are examples of remote servers used by this trojan:


Files downloaded by Win32/Kuluoz could be other variants of this or other malware, such as:

Analysis by Shawn Wang


Alerts from your security software might be the only symptom.


Alert level: Severe
This entry was first published on: Jun 05, 2012
This entry was updated on: Sep 21, 2015

This threat is also detected as:
No known aliases