First posted on 20 June 2012.
TrojanDownloader:Win32/Kuluoz.B is also known as VirTool:Win32/Injector.gen!BB (other), Trojan-Dropper.Win32.Dapato.bipz (Kaspersky), Mal/EncPk-AFA (Sophos), Mal/Kuluoz-C (Sophos).
TrojanDownloader:Win32/Kuluoz.B is a trojan that attempts to connect your computer to a remote server so that it can receive and perform instructions, such as downloading and executing files. This trojan has been observed to download variants of Rogue:Win32/Winwebsec, a rogue security scanner.
This trojan may arrive as a file attached to an email sent by an attacker using a spoofed email address. We observed this trojan being delivered as a .ZIP or .RAR archive with names similar to the following:
The archive contains an executable file with the same file name. If the trojan is run, it injects code into the running process "svchost.exe", which results in the malware creating a copy of itself as a randomly named file, as in the following example:
Note that %LOCALAPPDATA% references a directory such as the following:
- C:\Documents and Settings\Administrator\Local Settings\Application Data\ (Windows Vista)
- C:\Users\<logon name>\AppData\Local\ (Windows 7)
The malware makes changes to your computer that will run the trojan when you start Windows.
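The write-up describes two host artifacts: a randomly named copy of the trojan dropped directly under %LOCALAPPDATA%, and an autostart change that runs it at boot. The following Python script is an added triage example, not part of the original write-up; it assumes the autostart entries have already been exported (for instance from a Run key, which the write-up does not name) as value name / command line pairs, and it flags entries whose executable sits in the root of Local AppData and has a random-looking name. The sample entries are constructed.

```python
import ntpath
import re

# Constructed autorun entries (hypothetical): (value name, command line).
SAMPLE_AUTORUNS = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("qhxdtkle", r"C:\Users\alice\AppData\Local\qhxdtkle.exe"),
    ("updater", r"C:\Documents and Settings\Administrator\Local Settings\Application Data\bzpfqwrs.exe"),
]

# Both Local AppData layouts mentioned in the write-up.
LOCAL_APPDATA_PATTERNS = [
    re.compile(r"\\AppData\\Local\\", re.I),
    re.compile(r"\\Local Settings\\Application Data\\", re.I),
]


def first_exe(cmd):
    """Return the executable path from a command line, handling quoted paths and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def in_localappdata_root(path):
    """True when the file sits directly in Local AppData, not in a vendor subfolder."""
    for pat in LOCAL_APPDATA_PATTERNS:
        m = pat.search(path)
        if m:
            rest = path[m.end():]
            return "\\" not in rest
    return False


def looks_random(path):
    """Crude heuristic: a name with few vowels is unlikely to be a real product name."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.3


def triage_autoruns(entries):
    """Return (value name, executable) for entries matching the dropped-copy pattern."""
    flagged = []
    for name, cmd in entries:
        exe = first_exe(cmd)
        if in_localappdata_root(exe) and looks_random(exe):
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for name, exe in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"suspicious autorun {name!r} -> {exe}")
```

The location check carries most of the weight: legitimate software installs into a vendor subfolder of Local AppData, so an executable sitting in its root is worth a look on its own, and the vowel-ratio heuristic only trims the remaining noise.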
Downloads other malware
TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:
The parameters passed by the trojan to the website vary among variants of the trojan. TrojanDownloader:Win32/Kuluoz.B also requests legitimate sites such as Bing.com, Twitter.com, Google.com and Fb.com, mixing them with the malicious sites to hide its command-and-control traffic.
When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "scbirs.ch".
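The decoy traffic described above leaves a usable trace: the same crafted URL structure is sent to well-known sites and to the real command-and-control hosts alike. The following Python detector is an added example, not part of the original write-up; it groups each client's proxy requests by URL shape (path with digits normalised, plus the set of query parameter names) and flags a client when one shape hits several of the decoy domains named in the write-up as well as a domain outside that set. The URL path and parameter names in the sample log are constructed and hypothetical, since the write-up does not show the real format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Legitimate domains the write-up says the trojan uses as cover.
DECOY_DOMAINS = {"bing.com", "twitter.com", "google.com", "fb.com"}

# Constructed proxy log: client, method, URL, status. The /feed/data.php shape is hypothetical.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.bing.com/feed/data.php?a=1829&b=3 200
10.0.0.5 GET http://twitter.com/feed/data.php?a=2201&b=7 404
10.0.0.5 GET http://scbirs.ch/feed/data.php?a=9931&b=2 200
10.0.0.5 GET http://www.google.com/feed/data.php?a=5&b=1 404
10.0.0.7 GET http://www.bing.com/search?q=python 200
10.0.0.7 GET http://github.com/login 200
10.0.0.7 GET http://www.google.com/search?q=python 200
"""


def registrable(host):
    """Collapse a hostname to its last two labels (good enough for this sample)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def url_shape(url):
    """Normalise a URL to (path with digit runs replaced, sorted query parameter names)."""
    p = urlsplit(url)
    path = re.sub(r"\d+", "N", p.path)
    keys = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (path, keys)


def parse_log(text):
    """Return (client, url) pairs from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, _status = line.split()
        rows.append((client, url))
    return rows


def find_decoy_beacons(rows, min_decoys=2):
    """Flag clients sending one URL shape to >= min_decoys decoy domains plus another domain."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> shape -> domains
    for client, url in rows:
        host = urlsplit(url).hostname or ""
        seen[client][url_shape(url)].add(registrable(host))
    hits = []
    for client, shapes in seen.items():
        for (path, _keys), domains in shapes.items():
            decoys = domains & DECOY_DOMAINS
            others = domains - DECOY_DOMAINS
            if len(decoys) >= min_decoys and others:
                hits.append((client, path, sorted(others)))
    return hits


if __name__ == "__main__":
    for client, path, others in find_decoy_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{client}: shape {path} also sent to {', '.join(others)}")
```

Client 10.0.0.7 is not flagged even though it talks to two decoy domains with the same /search shape, because no non-decoy domain shares that shape; the signal is the shape crossing the boundary between the cover sites and an unknown host, which is exactly what the mixing technique produces.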
Analysis by Jeong Mun
Last update 20 June 2012