
Backdoor:Win32/Arurizer.A

First posted on 12 March 2010.
Source: SecurityHome

Aliases:

Backdoor:Win32/Arurizer.A is also known as Win-Trojan/Arurizer.28672 (AhnLab), BDS/Arurizer.A (Avira), Win32/Arugizer.A (CA), Trojan.Arucer (Dr.Web), Win32/Arurizer.A (ESET), Trojan.Win32.Arugizer.a (Kaspersky), Troj/Bckdr-RBF (Sophos), Trojan.Arugizer (Symantec).

Explanation:

Backdoor:Win32/Arurizer.A is a trojan that allows limited remote access and control of an affected computer. A remote attacker could perform actions that include uploading, downloading, deletion or execution of arbitrary files.

Installation
In the wild, we have observed Backdoor:Win32/Arurizer.A being distributed as a file named "Arucer.dll". It may be installed by third-party software.

Payload
Allows limited remote access and control
When executed, Backdoor:Win32/Arurizer.A creates a backdoor by awaiting connections on TCP port 7777. Using this backdoor, a remote attacker can instruct an affected computer to perform the following actions:

  • Send hard disk partition and directory information
  • Upload, download and delete files
  • Execute a file
  • Modify registry data:
    Adds Value: "svchost"
    Data: "<specified by the attacker>"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost

Additional Information
Backdoor:Win32/Arurizer.A checks for the plug-in and connection of the USB product "Energizer UsbCharger". If found, it executes the command specified in the following registry value:
    Value: "<parameters>"
    Subkey: HKLM\SOFTWARE\USBCharger
A typical value created by the setup package is the following:
    "%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.exe" -liuhong
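As an added example (not part of the original entry), the following Python triage script checks a host's exported registry values, `netstat -ano` output and file listing against the indicators given above: the file name Arucer.dll, the TCP 7777 listener, the "svchost" value under the RunOnce\svchost subkey, and the HKLM\SOFTWARE\USBCharger subkey. The sample inputs are constructed; the function names and the severity labels are this example's own. Because the Energizer setup package itself creates the USBCharger key, the script reports that key as context only, not as an infection indicator.

```python
"""Host triage for the Backdoor:Win32/Arurizer.A indicators listed above.

Added example, not part of the original write-up. It matches an exported
registry snapshot, `netstat -ano` output and a file listing against the
indicators the entry gives. Sample inputs below are constructed; function
and class names are this example's own.
"""
import re
from dataclasses import dataclass

# Indicators taken from the write-up.
RUNONCE_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost"
RUNONCE_VALUE = "svchost"
USBCHARGER_SUBKEY = r"HKLM\SOFTWARE\USBCharger"
BACKDOOR_PORT = 7777
DROPPED_FILE = "arucer.dll"

# One `netstat -ano` listener line, e.g.
#   TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2412
NETSTAT_LISTENER = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)", re.I
)


@dataclass(frozen=True)
class Finding:
    indicator: str
    severity: str   # "high" = backdoor indicator, "info" = context only
    evidence: str


def check_registry(values):
    """values: iterable of (subkey, name, data) triples exported from the host."""
    findings = []
    for subkey, name, data in values:
        if subkey.lower() == RUNONCE_SUBKEY.lower() and name.lower() == RUNONCE_VALUE:
            findings.append(Finding("RunOnce persistence value written by the backdoor",
                                    "high", f"{subkey}\\{name} = {data!r}"))
        elif subkey.lower() == USBCHARGER_SUBKEY.lower():
            # The legitimate Energizer setup package creates this key too, so on
            # its own it only tells us what command the backdoor would run.
            findings.append(Finding("USBCharger command value (run if backdoor present)",
                                    "info", f"{subkey}\\{name} = {data!r}"))
    return findings


def check_listeners(netstat_output):
    """Flag any process listening on the backdoor's TCP port."""
    findings = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTENER.match(line)
        if m and int(m.group("port")) == BACKDOOR_PORT:
            findings.append(Finding("TCP 7777 listener", "high",
                                    f"pid {m.group('pid')} bound to {m.group('addr')}:{m.group('port')}"))
    return findings


def check_files(paths):
    """Flag any path whose file name matches the observed dropper name."""
    return [Finding("Arucer.dll present", "high", p)
            for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() == DROPPED_FILE]


def triage(registry_values, netstat_output, file_paths):
    """Run all checks; the host is suspect when any 'high' finding is present."""
    findings = (check_registry(registry_values)
                + check_listeners(netstat_output)
                + check_files(file_paths))
    suspect = any(f.severity == "high" for f in findings)
    return suspect, findings


# Constructed sample data standing in for a real export from an affected host.
SAMPLE_REGISTRY = [
    (RUNONCE_SUBKEY, "svchost", r"C:\Windows\Temp\example_payload.exe"),      # constructed
    (USBCHARGER_SUBKEY, "", r'"C:\Program Files\Energizer UsbCharger\Energizer UsbCharger.exe" -liuhong'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Program Files\ExampleVendor\updater.exe"),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2412
  TCP    192.0.2.10:49731       198.51.100.7:443       ESTABLISHED     3056
"""
SAMPLE_FILES = [
    r"C:\Program Files\ExampleVendor\Arucer.dll",          # constructed location
    r"C:\Program Files\Energizer UsbCharger\Energizer UsbCharger.exe",
]

if __name__ == "__main__":
    suspect, findings = triage(SAMPLE_REGISTRY, SAMPLE_NETSTAT, SAMPLE_FILES)
    print("host suspect:", suspect)
    for f in findings:
        print(f"[{f.severity}] {f.indicator}: {f.evidence}")
```

On a live Windows host the three inputs would come from a `reg export`, `netstat -ano` and a file search; keeping the checks as pure functions over that text lets the same logic run against collected evidence from many hosts offline.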

Analysis by Chun Feng

Last update 12 March 2010
