
TrojanDownloader:Win32/Kuluoz.B


First posted on 20 June 2012.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Kuluoz.B is also known as VirTool:Win32/Injector.gen!BB (other), Trojan-Dropper.Win32.Dapato.bipz (Kaspersky), Mal/EncPk-AFA (Sophos), Mal/Kuluoz-C (Sophos).

Explanation :



TrojanDownloader:Win32/Kuluoz.B is a trojan that connects your computer to a remote server in order to receive and carry out instructions, such as to download and execute files. This trojan has been observed downloading variants of Rogue:Win32/Winwebsec, a rogue security scanner.



Installation

This trojan may arrive as a file attached to an email sent by an attacker using a spoofed sender address. We have observed it delivered as a .ZIP or .RAR archive with names similar to the following:

  • Ticket_Delta_Air_Lines_US9760.zip
  • Ticket_AA_Air_ID186-178US.zip
  • Postetikett_Deutsche_Post_AG_DE482456.zip
  • Print_Label_FedEx_AN173738US.zip
  • FedEx_Label_ID_Order_83-27-4534US.zip
  • Label_US.6366NT.zip
  • IRSPROFILE.zip
  • Label_Parcel_IN34-789-54UK.rar


The archive contains an executable file with the same base name as the archive. If the trojan is run, it injects code into the running "svchost.exe" process, and the injected code creates a copy of the trojan under a random file name, for example:

  • %LOCALAPPDATA%\pfranvvn.exe


Note that %LOCALAPPDATA% references a directory such as the following:

  • C:\Documents and Settings\<logon name>\Local Settings\Application Data\ (Windows XP)
  • C:\Users\<logon name>\AppData\Local\ (Windows Vista and Windows 7)


The malware also modifies the system so that the copied trojan is run each time Windows starts.
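The delivery pattern described above, an archive whose member is an executable sharing the archive's base name, can be checked mechanically at a mail gateway before the attachment reaches a user. The following is an added example, not code from Microsoft's write-up or from the malwarePDF page. It assumes a .zip attachment (the .rar case would need a third-party library and is not handled), treats a member as executable either by extension or by the DOS "MZ" header, and adds a lure-keyword list that is my own reading of the file names listed above rather than anything the write-up states. The sample archives are constructed in memory with a harmless MZ stub; no real malware is involved.

```python
import io
import os
import re
import zipfile

# Assumptions (not from the write-up): extensions that count as executable,
# and lure keywords drawn from the archive names listed in the Installation section.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
LURE_KEYWORDS = re.compile(r"ticket|label|postetikett|fedex|parcel|irs", re.IGNORECASE)


def looks_like_pe(head: bytes) -> bool:
    """Windows executables start with the DOS 'MZ' magic."""
    return head[:2] == b"MZ"


def triage_zip(archive_name: str, archive_bytes: bytes) -> dict:
    """Inspect a .zip attachment for the Kuluoz delivery pattern.

    same_name_exe is the signal the write-up describes: an executable member whose
    base name equals the archive's base name. lure_theme is a weaker, assumption-based
    hint taken from the archive's own file name.
    """
    stem = os.path.splitext(os.path.basename(archive_name))[0].lower()
    result = {
        "members": 0,
        "exe_members": [],
        "same_name_exe": False,
        "lure_theme": bool(LURE_KEYWORDS.search(archive_name)),
    }
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result["members"] += 1
            member = os.path.basename(info.filename)
            member_stem, ext = os.path.splitext(member)
            # Only the first two bytes are needed for the MZ check.
            with zf.open(info) as fh:
                head = fh.read(2)
            if ext.lower() in EXECUTABLE_EXTS or looks_like_pe(head):
                result["exe_members"].append(member)
                if member_stem.lower() == stem:
                    result["same_name_exe"] = True
    # The strong signal alone decides; the name hint only raises confidence.
    result["suspicious"] = result["same_name_exe"]
    return result


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a small in-memory .zip for testing (constructed sample, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: archive and member share a base name; the member is an MZ stub.
    name = "Print_Label_FedEx_AN173738US.zip"
    lure = build_sample_zip("Print_Label_FedEx_AN173738US.exe", b"MZ" + b"\x00" * 62)
    print(name, triage_zip(name, lure))
    # Constructed benign archive: a PDF-like member under a different name.
    benign = build_sample_zip("invoice.pdf", b"%PDF-1.4\n")
    print("report.zip", triage_zip("report.zip", benign))
```

An executable that does not share the archive's name is still recorded in exe_members so an analyst can see it, but only the same-name case is marked suspicious, since that is the one behaviour the write-up attributes to this family.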



Payload

Downloads other malware

TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:

  • <site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0


The parameters the trojan passes to the site vary between variants. TrojanDownloader:Win32/Kuluoz.B also sends requests to legitimate sites, including bing.com, twitter.com, google.com and fb.com, interleaving them with the malicious sites to disguise its command-and-control traffic.

When the trojan successfully connects to a malicious site, it receives data instructing it to download a file named "3.exe" from the website "scbirs.ch"; that file is detected as Rogue:Win32/Winwebsec.
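Because the gate requests are hidden among requests to well-known domains, a detection keyed on the destination host alone is unreliable; the request shape is the better signal. The following is an added example, not code from Microsoft's write-up or from the malwarePDF page, showing how the gate URL format and the scbirs.ch/3.exe payload fetch described above can be matched in proxy logs. The log format (client, method, URL, status), the client addresses and the gate host under the reserved .invalid TLD are all constructed for the example; the decision to require the fq and group parameters alongside r=gate, and to treat scbirs.ch/3.exe as a known-bad indicator, are my assumptions based on the write-up.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log excerpt (client, method, URL, status); not real traffic.
# The .invalid TLD is reserved, so the gate host here can never resolve.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.bing.com/search?q=weather 200
10.0.0.5 GET http://gate-host.invalid/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0 200
10.0.0.5 GET http://twitter.com/ 200
10.0.0.5 GET http://scbirs.ch/3.exe 200
10.0.0.7 GET http://www.google.com/index.php?r=gate 404
10.0.0.9 GET http://intranet.example/index.php?r=login&user=bob 200
"""

# Assumption: the write-up names scbirs.ch/3.exe as the payload this sample fetched,
# so that host/path pair is treated as a known-bad indicator.
KNOWN_PAYLOADS = {("scbirs.ch", "/3.exe")}


def classify_url(url: str):
    """Return a verdict label for one URL, or None if nothing matches.

    The gate check matches the request shape (index.php with r=gate plus the fq and
    group parameters) rather than specific values, because the write-up notes the
    parameter values vary between variants. The host is deliberately ignored: the
    trojan hides gate traffic among requests to bing.com, twitter.com, google.com and
    fb.com, so a host allow-list would miss it.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in KNOWN_PAYLOADS:
        return "winwebsec-download"
    if parts.path.lower().endswith("/index.php"):
        q = parse_qs(parts.query, keep_blank_values=True)
        if q.get("r") == ["gate"] and "fq" in q and "group" in q:
            return "kuluoz-gate"
    return None


def scan_log(log_text: str):
    """Return (client, host, verdict) for each log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        client, _method, url, _status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


def infected_clients(log_text: str):
    """Group verdicts by client so the decoy traffic does not dilute the finding."""
    by_client = {}
    for client, _host, verdict in scan_log(log_text):
        by_client.setdefault(client, set()).add(verdict)
    return by_client


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(infected_clients(SAMPLE_LOG))
```

On the constructed log, only the two requests from 10.0.0.5 are flagged: the bare r=gate request to google.com from 10.0.0.7 lacks the fq and group parameters and is left alone, as is the unrelated index.php login request from 10.0.0.9.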



Analysis by Jeong Mun

Last update 20 June 2012
