Win32/Kuluoz


Microsoft security software detects and removes this threat.

This trojan tries to steal your passwords and sensitive information. It can also download other malware onto your PC, including other variants of Win32/Kuluoz and Win32/Sirefef, and variants of rogue security software such as Win32/FakeSysdef and Win32/Winwebsec.

What to do now

Use the following free Microsoft software to detect and remove this threat: 

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Kuluoz might infect your PC through spam email that has an attachment. The emails we've seen all look different, but they usually have a ZIP archive file attachment, as in the following example messages:

The attachment is actually a copy of this trojan. When the ZIP archive is opened, it copies itself to your PC using various file names like these:

  • csrss.exe
  • urlmon.exe
  • txbalmst.exe

Note that the file names used by the trojan can be similar to, or exactly the same as, the names of existing Windows system files. The trojan file runs each time you start Windows.
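Because the dropped copy borrows names such as csrss.exe, the useful defender check is not the name alone but the name combined with its location: a genuine csrss.exe lives in the Windows system directory, while a Kuluoz copy that runs at startup sits somewhere writable under the user profile. The following script is an added example, not code from the original write-up or from Microsoft; it takes a list of executable paths (for instance the values of the Run keys or startup folders, gathered separately) and flags entries that use one of the file names listed above but sit outside the system directories. The set of system directories is an assumption for a default installation, and the sample paths are constructed.

```python
import ntpath

# File names the write-up lists for the dropped copy of Win32/Kuluoz (from the page).
KULUOZ_FILE_NAMES = {"csrss.exe", "urlmon.exe", "txbalmst.exe"}

# Where a genuine copy of a Windows system binary would live.
# Assumption: default install drive and directory names; adjust for your build.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


def _normalize(path):
    """Lower-case and normalise a Windows path so comparisons are case-insensitive."""
    return ntpath.normpath(path).lower()


def is_in_system_dir(path):
    """True if the path sits directly inside one of the trusted system directories."""
    p = _normalize(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def flag_masquerading(paths):
    """Return the paths whose file name matches a Kuluoz name but which sit
    outside the system directories, e.g. in a user's AppData folder."""
    flagged = []
    for raw in paths:
        p = _normalize(raw)
        name = ntpath.basename(p)
        if name in KULUOZ_FILE_NAMES and not is_in_system_dir(p):
            flagged.append(raw)
    return flagged


# Constructed sample: paths as they might be collected from the Run keys and
# startup folders on an infected machine. The first entry is the real csrss.exe.
SAMPLE_AUTORUNS = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Users\alice\AppData\Local\csrss.exe",
    r"C:\Users\alice\AppData\Roaming\txbalmst.exe",
    r"C:\Program Files\Vendor\tool.exe",
]

if __name__ == "__main__":
    for suspicious in flag_masquerading(SAMPLE_AUTORUNS):
        print("suspicious startup entry:", suspicious)
```

Run it on the autostart entries you have exported from a machine; a hit on a system-looking name in a user-writable folder is worth a closer look even if the file name does not match the three listed here, since the same masquerading trick is used by other families.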

Payload

Steals sensitive data files

Win32/Kuluoz tries to steal the following files from your PC:

  • Microsoft Word files (files with extension .doc, .docx)
  • Microsoft Excel files (files with extension .xls, .xlsx)
  • Password files for Mozilla Firefox and Thunderbird (key3.db and signons.sqlite)
  • Password file for Opera web browser (wand.dat)

The trojan packages these files into a single archive file and uploads it to an online storage website, like sendspace.com. Win32/Kuluoz sends the stolen data to a remote server, like office138489123.ru, where it can be accessed by hackers.

The trojan also steals saved login details from the following file transfer applications and web browsers, and uploads the stolen details to a remote server, like infopepsigoood.ru:

  • Mozilla Firefox
  • Google Chrome
  • FileZilla
  • Total Commander
  • Far Manager
  • SmartFTP
  • WinSCP
  • BulletProof FTP client
  • BitKinex

Downloads arbitrary files

Win32/Kuluoz tries to connect to a remote server to report details about your PC, like the PC UID, and to retrieve commands to run. The commands can instruct the trojan to do any of the following:

  • Download and run files
  • Update itself
  • Uninstall the malware

The following are examples of remote servers used by this trojan:

  • krasguatanany.ru
  • everkosmo2012.ru
  • aboutnorth2012.ru
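The server names quoted in this section and in the "Steals sensitive data files" section above are the most practical indicator a defender gets from this write-up: a DNS or proxy log that shows a workstation resolving one of them is a strong signal, and a lookup of the storage site used for the archive upload is worth a review even though it also carries legitimate traffic. The following script is an added example, not code from the original write-up or from Microsoft; it scans DNS query log lines for the domains named on this page. The log line format is an assumed, constructed one (timestamp, client address, the word "query", queried name), and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Domains the write-up names for Win32/Kuluoz (from the page).
C2_DOMAINS = {
    "krasguatanany.ru", "everkosmo2012.ru", "aboutnorth2012.ru",  # command retrieval
    "office138489123.ru", "infopepsigoood.ru",                    # stolen-data upload
}
# Online storage site the page says receives the archive. Legitimate use exists,
# so a lookup is reported for review rather than as a confirmed C2 contact.
STAGING_DOMAINS = {"sendspace.com"}

Hit = namedtuple("Hit", "timestamp client query category")

# Assumed log shape (constructed for this example): "<ts> <client_ip> query <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def _matches(qname, domains):
    """Exact or subdomain match. The leading dot in the suffix test stops
    'notaboutnorth2012.ru' from matching 'aboutnorth2012.ru'."""
    q = qname.lower().rstrip(".")  # tolerate a trailing root dot
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns_log(lines):
    """Return a Hit for every line whose queried name matches a listed domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname = m.groups()
        if _matches(qname, C2_DOMAINS):
            hits.append(Hit(ts, client, qname, "kuluoz-c2"))
        elif _matches(qname, STAGING_DOMAINS):
            hits.append(Hit(ts, client, qname, "review-storage-upload"))
    return hits


# Constructed sample log: one benign lookup, two C2 lookups (one with a
# subdomain and trailing dot), one storage-site lookup, one near-miss.
SAMPLE_LOG = """\
2014-09-15T10:01:02Z 10.0.0.5 query www.microsoft.com
2014-09-15T10:01:09Z 10.0.0.5 query krasguatanany.ru
2014-09-15T10:02:11Z 10.0.0.7 query cdn.aboutnorth2012.ru.
2014-09-15T10:03:40Z 10.0.0.5 query www.sendspace.com
2014-09-15T10:04:00Z 10.0.0.9 query notaboutnorth2012.ru
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} -> {hit.query} [{hit.category}]")
```

Adapt LINE_RE to your resolver's actual format; the matching logic itself, including the trailing-dot and subdomain handling, carries over unchanged. Since the domain list on this page dates from the original analysis, treat it as a starting point and add whatever the samples you see in your own environment resolve.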

Files downloaded by Win32/Kuluoz could be other variants of this or other malware, such as:

Analysis by Shawn Wang


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Jun 05, 2012
This entry was updated on: Sep 15, 2014

This threat is also detected as:
No known aliases