First posted on 23 May 2012.
TrojanDownloader:Win32/Kuluoz.A is also known as W32/Trojan3.DLI (Command), TR/Drop.Dapato.axrl (Avira), Gen:Variant.Barys.961 (BitDefender), Trojan.Fakealert.30029 (Dr.Web), Win32/TrojanDownloader.Zortob.A (ESET), Trojan-Dropper.Win32.Dapato.axrl (Kaspersky), Downloader-CTH (McAfee), VirTool:Win32/Injector.gen!BB (other), Troj/Bredo-VW (Sophos), Trojan.Smoaler (Symantec), TROJ_KRYPTIK.LJC (Trend Micro).
TrojanDownloader:Win32/Kuluoz.A is a trojan that attempts to connect your computer to a remote server so it receives and performs instructions, such as to download and execute files. This trojan has been observed to download variants of Trojan:Win32/FakeSysdef, a rogue security scanner.
This trojan may arrive as a file attached to an email sent by an attacker using a spoofed email address. The file attachment may be named "Label_Parcel_USPS_ID.45-123-14.zip", or similar, with an embedded file containing the same name, such as "Label_Parcel_USPS_ID.45-123-14.exe". If the trojan is run, it creates a copy of itself as the following:
It modifies your system registry to run the trojan copy when you start Windows, as in the following example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Name"
To data: ""%AppData%\csrss.exe""
Trojan:Win32/Kuluoz.A injects its payload into the process "svchost.exe".
Communicates with a remote server
Trojan:Win32/Kuluoz.A tries to connect your computer with a remote host named "everkosmo2012.ru". Once connected, the trojan reports its installation using a unique value "machine UID" and may also receive commands from the server that could instruct the trojan to perform the following actions:
- Download and execute files
- Update the trojan
- Uninstall the trojan
This trojan has been observed to download and execute a rogue security scanner, detected as Trojan:Win32/FakeSysdef, from a website named "objectifplateau.com".
Analysis by Shawn Wang
Last update 23 May 2012