In the June '12 installment of the Microsoft Malicious Software Removal Tool (MSRT), we take on two threat families - Win32/Kuluoz and Win32/Cleaman. This post includes information about Kuluoz as we'll discuss Cleaman later this month.

Win32/Kuluoz is a multi-component trojan family that that attempts to steal passwords that are stored in certain applications, and sensitive files from your computer. The trojan implements a downloader component that we observed being distributed via spam email as an attachment.

As is common with trojans, Kuluoz is known to use a file icon that comes from a popular application. In this case, it is a PDF document, and is installed into the Application Data subfolder, such as this:



Image 1 - View of Win32/Kuluoz stored on an infected computer

As for technique, Kuluoz doesn't innovate – it injects its payload into legitimate Windows executables like "svchost.exe". It is able to load modules that extend its abilities to perform additional payloads, including FTP password-theft and data file stealing, similar to other families of trojans, such as Win32/Dofoil, which we included in MSRT previously.

One thing we should mention is that the downloader component of Kuluoz also tries to send requests to some legitimate websites with the similar patterns used in C&C communication:

Image 2 - Legitimate domains mixed with malware domains as requested by Kuluoz

As visible in the above image, some of the domains requested by the malware include known 'good' domains, such as bing.com, twitter.com and google.com which results in a page not found error. It appears that this technique is performed by the malware to possibly confuse the human eye when reviewing access logs.

For additional details, please look into our Win32/Kuluoz family description.

-- MMPC