Win32/Arurizer [Threat Name]

Win32/Arurizer.A [Threat Variant Name]

Category trojan
Size 28672 B
Aliases Trojan.Win32.Arugizer.a (Kaspersky)
  Trojan.Arugizer (Symantec)
  Trojan.Arucer (Dr.Web)

Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is included in the installation package of the Energizer DUO USB Battery Charger application.


When executed, the trojan copies itself into the following location:

  • %system%\Arucer.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Arucer" = "rundll32.exe  %system%\Arucer.dll, Arucer"

Other information

The trojan opens TCP port 7777.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • send the list of disk devices and their type to a remote computer
  • various filesystem operations

The trojan launches the following processes:

  • UsbSetup.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "svchost" = "%path%"

A string with variable content is used instead of %path%.
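
An added triage example, not part of the original description: the Python below checks saved `reg query` and `netstat -an` output for the Run value, the RunOnce value and the TCP port listed above. The function names, the sample outputs and the English-language netstat format are assumptions of this example.

```python
import re
# Indicators come from the description above; the SAMPLE_* outputs are constructed.
PORT = 7777
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")

def reg_values(reg_query_output):
    """Parse `reg query <key>` text into {value name: data}."""
    values = {}
    for line in reg_query_output.splitlines():
        m = VALUE_RE.match(line)  # key-path lines have no indent and are skipped
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def tcp_listeners(netstat_output):
    """Return local TCP ports in LISTENING state from `netstat -an[o]` text."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))  # also handles [::]:port
    return ports

def triage(run_out, runonce_out, netstat_out):
    """Return findings that match the indicators in this description."""
    findings = []
    for name, data in reg_values(run_out).items():
        if name.lower() == "arucer" or "arucer.dll" in data.lower():
            findings.append(f"Run: {name} = {data}")
    for name, data in reg_values(runonce_out).items():
        if name.lower() == "svchost":
            findings.append(f"RunOnce: {name} = {data}")
    if PORT in tcp_listeners(netstat_out):
        findings.append(f"TCP listener on port {PORT}")
    return findings

SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Arucer    REG_SZ    rundll32.exe C:\WINDOWS\system32\Arucer.dll, Arucer
"""
SAMPLE_RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3140
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2284
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_RUN, SAMPLE_RUNONCE, SAMPLE_NETSTAT)))
```

A listener on port 7777 can belong to unrelated software, so treat it as supporting evidence next to the Run value that points at Arucer.dll.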
