TROJ_KULUOZ.YY
TrojanDownloader:Win32/Kuluoz.D (Microsoft); Trojan-Downloader.Win32.Dofoil.rdq (Kaspersky)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %AppDataLocal%\{random filename}.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)
It leaves the following text files:
- {Malware Path and Filename}.txt
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.79.44:8080
- http://{BLOCKED}.{BLOCKED}.55.130:8080
- http://{BLOCKED}.{BLOCKED}.144.158:8080
- http://{BLOCKED}.{BLOCKED}.211.23:8080
- http://{BLOCKED}.{BLOCKED}.191.157:8080
- http://{BLOCKED}.{BLOCKED}.44.180:8080
- http://{BLOCKED}.{BLOCKED}.1.118:8080
It deletes itself after execution.