TROJ_KULUOZ
Kuluoz, Fakeavlock, Zortob
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
KULUOZ is part of a well-known botnet and was first seen in the wild around April to June of 2012. Most KULUOZ malware is disguised as .TXT or .DOC files to appear legitimate.
Upon execution, it opens the dropped non-malicious .TXT file in order to hide its malicious routines from the user.
This malware also communicates with its command-and-control (C&C) server to send and receive information and commands.
This Trojan executes commands from a remote malicious user, effectively compromising the affected system.
It deletes itself after execution.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- {Malware Path and Filename}.txt
It drops the following copies of itself into the affected system:
- %Application Data%\{random}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It adds the following processes:
- Svchost.exe
It injects code into the following process(es):
- Created svchost.exe
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\{random}
It adds the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random} = "%Application Data%\{random}.exe"
HKEY_CURRENT_USER\SOFTWARE\{random}
{random} = "{hex values}"
Backdoor Routine
This Trojan executes the following commands from a remote malicious user:
- idl - Sleep / Idle
- run - Download and execute arbitrary file
- rem - Uninstall itself
- rdl - Update copy of injected code in svchost and add encrypted code to registry
- upd - Update copy of main malware
- red - Check latest malware version
Other Details
This Trojan connects to the following possibly malicious URLs:
It deletes itself after execution.