Threat behavior
Backdoor:Win32/Arurizer.A is a trojan that gives an attacker limited remote access to and control of an affected computer. Once connected, a remote attacker can upload, download, delete or execute arbitrary files on the machine.
Installation
In the wild, we have observed Backdoor:Win32/Arurizer.A being distributed as a file named "Arucer.dll". It may be installed by third-party software.
Payload
Allows limited remote access and control
When executed, Backdoor:Win32/Arurizer.A opens a backdoor by listening for inbound connections on TCP port 7777. Through this backdoor, a remote attacker can instruct the affected computer to perform the following actions:
- Send hard disk partition and directory information
- Upload, download and delete files
- Execute a file
- Modify registry data, adding a value whose data is chosen by the attacker:
  Adds Value: "svchost"
  Data: "<specified by the attacker>"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost
Additional Information
Backdoor:Win32/Arurizer.A checks whether an "Energizer UsbCharger" USB device is plugged in and connected. If it is, the backdoor executes the command line stored in the following registry value:
Value: "<parameters>"
Subkey: HKLM\SOFTWARE\USBCharger
A typical value written by the product's setup package is the following:
"%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.exe" -liuhong
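The indicators listed under Payload (the TCP 7777 listener and the RunOnce "svchost" value) and under Additional Information (the HKLM\SOFTWARE\USBCharger value) can be checked on a host with the following triage script. It is an added example, not part of this entry and not Microsoft's tooling; the directories it searches for "Arucer.dll" are assumptions, since the entry names the file but not where it is dropped, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added triage script for Backdoor:Win32/Arurizer.A indicators (not from the original entry).
# Run in an elevated PowerShell session. Every check below maps to an indicator named on the page;
# the search directories for Arucer.dll are assumptions because the page does not give its path.

$findings = @()

# 1. File indicator: the dropped file "Arucer.dll". Candidate directories are ASSUMED;
#    the product directory is taken from the command line quoted under HKLM\SOFTWARE\USBCharger.
$candidateDirs = @(
    (Join-Path $env:ProgramFiles 'Energizer UsbCharger'),
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32')
)
foreach ($dir in $candidateDirs) {
    $dll = Join-Path $dir 'Arucer.dll'
    if (Test-Path -LiteralPath $dll) {
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        $findings += "File present: $dll (SHA256 $hash)"
    }
}

# 2. Loaded-module indicator: the DLL may already be mapped into a running process.
#    Protected processes throw on .Modules access, hence the try/catch.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try {
        $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'Arucer.dll' }
        if ($mod) {
            $findings += "Arucer.dll loaded in PID $($p.Id) ($($p.ProcessName)) from $($mod.FileName)"
        }
    } catch { }
}

# 3. Network indicator: the backdoor listens for inbound connections on TCP 7777.
$listeners = Get-NetTCPConnection -State Listen -LocalPort 7777 -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 7777 listener: PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# 4. Persistence indicator: value "svchost" under the RunOnce\svchost subkey, with attacker-chosen data.
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost'
if (Test-Path -LiteralPath $runOnce) {
    $val = Get-ItemProperty -LiteralPath $runOnce -Name 'svchost' -ErrorAction SilentlyContinue
    if ($val) { $findings += "RunOnce value svchost = $($val.svchost)" }
}

# 5. Configuration indicator: HKLM\SOFTWARE\USBCharger holds the command line the backdoor
#    runs when the charger is connected. Dump every value so an attacker-modified one is visible.
$usbKey = 'HKLM:\SOFTWARE\USBCharger'
if (Test-Path -LiteralPath $usbKey) {
    $props = Get-ItemProperty -LiteralPath $usbKey
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $findings += "USBCharger value '$($prop.Name)' = $($prop.Value)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Arurizer.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A listener on TCP 7777 alone is not proof of infection, since other software can use that port; treat it as a lead and confirm with the owning process and the file and registry checks. The presence of the USBCharger key by itself only shows the product software was installed, so the value is reported rather than flagged.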
Analysis by Chun Feng
Prevention