TrojanDownloader.Kuluoz.aav arrives as an email pretending to be from UPS. The email states that UPS failed to deliver a package on a specified date, and invites the user to click on a button to print out the shipping label so that the package can be picked up from a UPS office.
See sample email below:
If the unsuspecting user clicks the button, they are directed to the website hxxp://suryoxxxeformer.org/EFFXXXQZM.html (for safety reasons, portions of the URL have been replaced with x’s).
Once the user is redirected to the website, "TrojanDownloader.Kuluoz.aav" is installed and downloads a file under a random file name, "[random name.exe]", to the %userprofile%\Local Settings\Application Data\ location. This downloaded file installs the scareware “System Progressive Protection” onto the system.
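The drop location described above can be turned into a triage check over file-creation telemetry. The following is an added example, not code from Thirtyseven4 or from the original advisory: it flags `.exe` files written directly into the root of that directory, and it goes beyond the page by also covering `AppData\Local`, which the same path resolves to through a junction on Windows Vista and later. The event format, host names and file names are constructed for illustration.

```python
import ntpath
import re

# Profile-relative directories to watch: the XP-era path named in the advisory,
# and AppData\Local, which that path is a junction to on Vista and later
# (generalization added in this example, not stated on the page).
DROP_DIRS = (r"local settings\application data", r"appdata\local")

# Profile roots: C:\Documents and Settings\<user> (XP) or C:\Users\<user>.
PROFILE_RE = re.compile(
    r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\(.+)$", re.IGNORECASE
)


def is_suspicious_drop(path: str) -> bool:
    """True if path is an .exe sitting directly in the drop directory root."""
    # normpath collapses "..", so a write via Temp\..\x.exe is still caught.
    norm = ntpath.normpath(path.strip().strip('"'))
    directory, filename = ntpath.split(norm)
    if not filename.lower().endswith(".exe"):
        return False
    m = PROFILE_RE.match(directory)
    # Only the directory root counts; installed software normally lives in
    # vendor subfolders below it.
    return bool(m) and m.group(1).lower() in DROP_DIRS


def flag_events(events):
    """Return the file-creation events whose target matches the drop pattern."""
    return [e for e in events if is_suspicious_drop(e["target"])]


# Constructed sample file-creation events (hypothetical hosts and file names).
SAMPLE_EVENTS = [
    {"host": "ws01", "target": r"C:\Documents and Settings\bob\Local Settings\Application Data\qkzvhwpa.exe"},
    {"host": "ws02", "target": r"C:\Users\alice\AppData\Local\Temp\..\xbnmtr.exe"},
    {"host": "ws02", "target": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"},
    {"host": "ws03", "target": r"C:\Users\carol\AppData\Local\IconCache.db"},
    {"host": "ws03", "target": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(event["host"], event["target"])
```

A match is a lead for investigation rather than a verdict, since some legitimate installers also place executables in this directory.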
Like other forms of scareware, “System Progressive Protection” displays false reports of threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the fake threats, as shown below:
Thirtyseven4 Antivirus users are fully protected against this latest threat. Non-customers can download and install our Rogueware Removal Tool, which successfully removes this scareware from a system.
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4