Kuluoz

Kuluoz is a family of Trojans that are used to install other PC threats and steal personal information (such as passwords). The majority of Kuluoz variants are designed to install some form of fake security program (such as members of WinWebSec or FakeSysdef) that display fraudulent security pop-ups and system scans while simultaneously hindering the performance of your PC. Because Kuluoz is often distributed by spam e-mail that alleges to be from the UPS or a similar entity of good repute, SpywareRemove.com malware researchers particularly caution you to avoid file attachments from strange e-mails, particularly if they're in .zip format (one of Kuluoz's preferred formats). If you suspect that Kuluoz or its payload have infiltrated your computer, an exhaustive system scan by a reputable anti-malware product should be able to delete Kuluoz and anything that Kuluoz might have installed.

Kuluoz: a New Delivery Man for This Year's Scamware

Variants of Kuluoz have been reported since mid-2012, with different varieties of Kuluoz being dedicated to installing different types of PC threats. Many variants, such as TrojanDownloader:Win32/Kuluoz.A and TrojanDownloader:Win32/Kuluoz.B, will automatically initiate contact with a variety of both malicious and mundane sites (such as Google and Twitter), with the latter being included to conceal their harmful traffic requests. After contacting their C&C servers, Kuluoz Trojans will receive instructions that tell them which files to download and install – including scamware like Win Disk, Win HDD, S.M.A.R.T. Check, Security Shield 2012 and Winweb Security. These rogue defraggers and security programs offer up fake system information about various forms of damage or PC threats, but SpywareRemove.com malware researchers emphasize the fact that these warnings are wholly fake.

Some versions of Kuluoz have also been found to utilize spyware-based attacks. SpywareRemove.com malware analysts have indicated that current versions of Kuluoz can use two distinct methods for stealing private information:

• Monitoring login input for various browsers and file-management utilities, with vulnerable programs including Firefox, BitKinex, Chrome, Total Commander, Far Manager, SmartFTP, FileZilla, Bulletproof FTP and WinSCP.
• Harvesting files of the following types: Microsoft Excel, Microsoft Word, Firefox password files, Opera password files and Thunderbird password files.

Dodging Kuluoz's E-mailed Bullet

Kuluoz is typically propagated by fake e-mail messages with covers that include UPS delivery notices and airline ticket confirmations. While these e-mails will try to convince you to view an included file attachment to confirm the information mentioned in their main bodies, SpywareRemove.com malware researchers note that reputable companies will never ask you to open e-mail file attachments. Kuluoz can be specifically recognized by some of its file names: Postetikett_Deutsche_Post_AG_DE482456.zip, FedEx_Label_ID_Order_83-27-4534US.zip, IRSPROFILE.zip, Print_Label_FedEx_AN173738US.zip, Label_Parcel_IN34-789-54UK.rarTicket_Delta_Air_Lines_US9760.zip and Label_US.6366NT.zip.

After being extracted from its zip file, Kuluoz will use misleading file names (such as csrss.exe) to make itself look like a normal part of Windows. SpywareRemove.com malware researchers suggest using anti-malware software to detect and remove Kuluoz and its payload, since this method is the easiest way to delete Kuluoz without risking any damage to your OS.

Technical Details