
TrojanDownloader:Win32/Kuluoz


First posted on 21 November 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Kuluoz.

Explanation:

Threat behavior

Installation

This threat might arrive on your PC attached to a spam email as a .ZIP or .RAR archive. We have seen the attachment use the following file names:

  • Copy_of_Document_ID1029.zip
  • Copy_of_Document_ID1428.zip
  • Der_Gerichtsbescheid_N8991.zip
  • ET-27812432.zip
  • ET-60312972.zip
  • Note_4634_copy.zip
  • Note_9524_copy.zip
  • Pretrial-Notice_09-01-2014_N92266.zip


When the attachment is opened, it drops a file into %LOCALAPPDATA% that uses a Microsoft Word or WAV file icon. Examples of the icons used are shown below:



If you try to open this file, the malware displays an error message saying that the file couldn't be opened. We have seen it use the following error message:



While this message is displayed, the malware also installs itself under a random eight-character file name, for example:

  • %LOCALAPPDATA%\ienuuuur.exe
  • %LOCALAPPDATA%\knhpjvbj.exe
  • %LOCALAPPDATA%\vrebasde.exe


It also changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<8 random characters>.exe", for example "ienuuuur.exe"
With data: "%LOCALAPPDATA%\<8 random characters.exe>"

Payload

Downloads other malware

This threat can download other malware onto your PC. We have seen it download and run these threats:

  • PWS:Win32/Kuluoz.gen!A
  • Win32/Crowti
  • Win32/FakeRean
  • Win32/Zbot


Connects to a remote server

It can connect to a remote server to receive instructions from a malicious hacker, including:

  • Download and run files
  • Update
  • Uninstall


We have seen it connect to the following servers:


Analysis by Jayronn Bucu

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<8 random characters>.exe", for example "ienuuuur.exe"
    With data: "%LOCALAPPDATA%\<8 random characters.exe>"
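A check for the persistence pattern described in the Installation and Symptoms sections, added here as an example rather than taken from Microsoft's write-up: it flags HKCU Run values whose name is eight lower-case letters plus ".exe" and whose data points to a file of the same name directly in %LOCALAPPDATA%. The sample Run values and the %LOCALAPPDATA% path are constructed; on Windows the script reads the live key instead.

```python
import ntpath
import os
import re

# Constructed sample of HKCU\...\Run values ({value_name: data}); not from a real host.
SAMPLE_LOCAL_APPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ienuuuur.exe": r"C:\Users\alice\AppData\Local\ienuuuur.exe",
    "vrebasde.exe": r"%LOCALAPPDATA%\vrebasde.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe",
}

# Eight random lower-case letters followed by .exe, as described for this threat.
NAME_RE = re.compile(r"^[a-z]{8}\.exe$")


def find_kuluoz_run_entries(run_values, local_appdata):
    """Return the Run-key value names that match the Kuluoz persistence pattern."""
    hits = []
    for name, data in run_values.items():
        if not NAME_RE.match(name):
            continue
        # Expand %LOCALAPPDATA% and strip quotes so the path can be compared.
        path = data.strip().strip('"').replace("%LOCALAPPDATA%", local_appdata)
        # The dropped file sits directly in %LOCALAPPDATA%, not in a subfolder.
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(local_appdata):
            continue
        # The value name is the dropped file's own name.
        if ntpath.basename(path).lower() != name.lower():
            continue
        hits.append(name)
    return hits


def read_hkcu_run_values():
    """Read the live HKCU Run key (Windows only); returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:  # no more values
            break
        values[name] = str(data)
        index += 1
    return values


if __name__ == "__main__":
    live = read_hkcu_run_values() or SAMPLE_RUN_VALUES
    local = os.environ.get("LOCALAPPDATA", SAMPLE_LOCAL_APPDATA)
    print(find_kuluoz_run_entries(live, local))
```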

Last update 21 November 2014
