Win32/Arurizer [Threat Name]

Win32/Arurizer.A [Threat Variant Name]

Category: trojan
Size: 28672 B
Detection created: Mar 08, 2010
Detection database version: 4925
Aliases:
  Trojan.Win32.Arugizer.a (Kaspersky)
  Trojan.Arugizer (Symantec)
  Trojan.Arucer (Dr.Web)

Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is included in the installation package of the Energizer DUO USB Battery Charger application.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\Arucer.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Arucer" = "rundll32.exe  %system%\Arucer.dll, Arucer"

Other information

The trojan opens TCP port 7777.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • various filesystem operations

The trojan launches the following processes:

  • UsbSetup.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "svchost" = "%path%"

A string with variable content is used instead of %path%.
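
The indicators listed above (the "Arucer" Run value, the "svchost" RunOnce value and a listener on TCP port 7777) can be checked offline against triage data collected from a host. The following is an added example, not part of the original description or any vendor tool: it assumes already-decoded `reg export` text and English-language `netstat -ano` output, the function names are hypothetical, and the sample input is constructed.

```python
import re

# Indicators from the description above
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = RUN_KEY + "Once"
BACKDOOR_PORT = 7777

def parse_reg(text):
    """Parse .reg export text into {KEY_PATH: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            # .reg text escapes backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def check_registry(reg_text):
    """Return (key, value name, data) for each autostart entry named on this page."""
    keys = parse_reg(reg_text)
    wanted = ((RUN_KEY, "Arucer"), (RUNONCE_KEY, "svchost"))
    return [(k, n, keys[k.upper()][n.lower()]) for k, n in wanted
            if n.lower() in keys.get(k.upper(), {})]

def check_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return PIDs of TCP listeners on `port` found in `netstat -ano` output."""
    pids = []
    for f in map(str.split, netstat_text.splitlines()):
        if (len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            pids.append(int(f[4]))
    return pids

# Constructed sample input (not captured from a real host)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Arucer"="rundll32.exe C:\\WINDOWS\\system32\\Arucer.dll, Arucer"
"SomeUpdater"="C:\\Program Files\\Updater\\upd.exe"
'''
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2312
  TCP    10.0.0.5:49777         10.0.0.9:443           ESTABLISHED     4100
"""
```

A "svchost" value under RunOnce or a listener on port 7777 is not conclusive on its own; treat a hit as a reason to inspect the referenced file and the owning process.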
