TrojanDownloader:Win32/Kuluoz.A

TrojanDownloader:Win32/Kuluoz.A is a trojan that attempts to connect your computer to a remote server so it receives and performs instructions, such as to download and execute files. This trojan has been observed to download variants of Trojan:Win32/FakeSysdef, a rogue security scanner.

Installation

This trojan may arrive as a file attached to an email sent by an attacker using a spoofed email address. The file attachment may be named "Label_Parcel_USPS_ID.45-123-14.zip", or similar, with an embedded file containing the same name, such as "Label_Parcel_USPS_ID.45-123-14.exe". If the trojan is run, it creates a copy of itself as the following:

• %APPDATA%\csrss.exe

It modifies your system registry to run the trojan copy when you start Windows, as in the following example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Name"
To data: ""%AppData%\csrss.exe""

Trojan:Win32/Kuluoz.A injects its payload into the process "svchost.exe".

Payload

Communicates with a remote server

Trojan:Win32/Kuluoz.A tries to connect your computer with a remote host named "everkosmo2012.ru". Once connected, the trojan reports its installation using a unique value "machine UID" and may also receive commands from the server that could instruct the trojan to perform the following actions:

• Download and execute files
• Update the trojan
• Uninstall the trojan

This trojan has been observed to download and execute a rogue security scanner, detected as Trojan:Win32/FakeSysdef, from a website named "objectifplateau.com".

Analysis by Shawn Wang