ThreatExpert Report: Trojan.Win32.Arugizer.a, Trojan.Win32.Arugizer, Backdoor.Win32.Generizer.a..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 16 March 2010, 12:32:16
Processing time: 8 min 3 sec
Submitted sample:

File MD5: 0x3F4F10B927677E45A495D0CDD4390AAF
File SHA-1: 0xC94423FA25CB515301422188B0B35FF16B9BE749
Filesize: 3,086,648 bytes
Alias:

Trojan.Win32.Arugizer.a [Kaspersky Lab]
Trojan.Win32.Arugizer [Ikarus]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonStartMenu%\Energizer UsbCharger.lnk	750 bytes	MD5: 0x4420E5F44A6369025F44DC3EB3A2B98E SHA-1: 0xBB700A331D1A376581F93CF41AC65D89DC09AE77	(not available)
2	%CommonPrograms%\Energizer UsbCharger\Energizer UsbCharger Uninstall.lnk	702 bytes	MD5: 0xCA8DBD4FFC394D25B07BA320AE923837 SHA-1: 0x98A6D6FA202A25801E1C03780A3C608536DFDB1B	(not available)
3	%CommonPrograms%\Energizer UsbCharger\Energizer UsbCharger.lnk	762 bytes	MD5: 0x43BC92A4C37E578BA38F732051B33DEC SHA-1: 0x996CECB5CC2A9F55F87A4FC7D7CC48F81C426932	(not available)
4	%ProgramFiles%\Energizer UsbCharger\amd64\UCharger.sys	10,880 bytes	MD5: 0xEEE9E6F8E952CCAFA54E84E3404CC00D SHA-1: 0x814F265B57F243F0EE9B179F84ADC1B01529C5F0	(not available)
5	%ProgramFiles%\Energizer UsbCharger\Chinese.lang	1,784 bytes	MD5: 0x748E058101C015F07BE9606ECF1F173F SHA-1: 0x6B7A70BA1051DE84D1344AFC373AA631F99121EB	(not available)
6	%ProgramFiles%\Energizer UsbCharger\Chinese_tw.lang	1,774 bytes	MD5: 0x63561BFC023947F30FA9F91CF5D906E0 SHA-1: 0x1F7FD5A3EF5DA8166CD0CE7DE72D605683881F98	(not available)
7	%ProgramFiles%\Energizer UsbCharger\Czech.lang	2,190 bytes	MD5: 0x95B5BEBAE31A00CF3F757FE4BC50FB2F SHA-1: 0x8A74D5874040B9F613B0324CFBC265E707D7BFDC	(not available)
8	%ProgramFiles%\Energizer UsbCharger\Danish.lang	2,196 bytes	MD5: 0x28C7A6A33DE5499458A360CB47935637 SHA-1: 0xB6C777C27FD9A8B38B2D2EBB899C9EC193C31C9C	(not available)
9	%ProgramFiles%\Energizer UsbCharger\Dutch.lang	2,222 bytes	MD5: 0x5AF1323297DF6846553A6D002982678A SHA-1: 0x9A27F6054AD0079F62779623AE2DA7F93AE304C7	(not available)
10	%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
11	%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.ini	733 bytes	MD5: 0xD10B889D3A933DDEF96E95A94BEC1AA1 SHA-1: 0xA37F0EE9C46ABD6648EC805A8C6D786D5F9B6EF9	(not available)
12	%ProgramFiles%\Energizer UsbCharger\English.lang	2,122 bytes	MD5: 0xBA07667D1268FA36251B16C049C8E3CD SHA-1: 0x3074CCBBAE113DC015094331D7406CC8BEB86357	(not available)
13	%ProgramFiles%\Energizer UsbCharger\English_uk.lang	2,102 bytes	MD5: 0x9546D3C06A3468A10AF5C2034DB3D4E8 SHA-1: 0x01BB46922877D3A7E311BBBC5331157F269D670B	(not available)
14	%ProgramFiles%\Energizer UsbCharger\Finnish.lang	2,188 bytes	MD5: 0x2243D7AE2E656AD29C31499D645B9BA8 SHA-1: 0x7DDF7F99395BA1D0A8072B9BC3CDBB7A4896AD30	(not available)
15	%ProgramFiles%\Energizer UsbCharger\French.lang	2,292 bytes	MD5: 0xAE3DD4583DCFC61C716BB61BCA8731D4 SHA-1: 0x5D422C5A1911D907068F76E746274EE6E75C164F	(not available)
16	%ProgramFiles%\Energizer UsbCharger\French_jld.lang	2,302 bytes	MD5: 0x60AFB303BD6D3340653165E015055D55 SHA-1: 0xE09401B5CEA8027F76ADB31EC8A62EEC8A247B27	(not available)
17	%ProgramFiles%\Energizer UsbCharger\German.lang	2,238 bytes	MD5: 0xB67130962A553F2F571733E9E4B1F314 SHA-1: 0x621D851F77C1731D20EA46D6EF981652E2D4A679	(not available)
18	%ProgramFiles%\Energizer UsbCharger\Greek.lang	2,282 bytes	MD5: 0x9B3C870FD339498F5665161F15610284 SHA-1: 0x90558BCF43ADFCB94A7DB1E33641DF3A0C49482A	(not available)
19	%ProgramFiles%\Energizer UsbCharger\Hungarian.lang	2,342 bytes	MD5: 0x56C9DA15CF4A8EAB891F78A189D39876 SHA-1: 0x14AF40393FE44108FFFD97DE8563EBB5E01F0E58	(not available)
20	%ProgramFiles%\Energizer UsbCharger\ia64\UCharger.sys	25,600 bytes	MD5: 0xC831D46E3D338F27E9717466C1CAEE94 SHA-1: 0xFB080330A6F8419D0E3E94050A342F0316882FEA	(not available)
21	%ProgramFiles%\Energizer UsbCharger\Italian.lang	2,334 bytes	MD5: 0x9C20632CC54AD3D9A1345D20059A2716 SHA-1: 0xC8DBE10067600AE4C39D8C9877A9A54F1491C029	(not available)
22	%ProgramFiles%\Energizer UsbCharger\Korean.lang	1,768 bytes	MD5: 0x537E6FAC91BDCC82FBD6DC17EF896EEF SHA-1: 0x319EAF17A59DC1528A6EBB187FF8CA3A6B362ECA	(not available)
23	%ProgramFiles%\Energizer UsbCharger\Polish.lang	2,208 bytes	MD5: 0x835860093D22E36075319A89481F526A SHA-1: 0x3936B2F258660174B09C62135D52E3034AC11BCA	(not available)
24	%ProgramFiles%\Energizer UsbCharger\Portuguese.lang	2,266 bytes	MD5: 0x5F6AE7F61573EB2807FD1101EE606562 SHA-1: 0x458D7C8A7D7FE6CBA59E3F6F6522E697156DCF62	(not available)
25	%ProgramFiles%\Energizer UsbCharger\Portuguese_bx.lang	2,270 bytes	MD5: 0x083C7BE5CFE32828A3FDAE26AA528E6D SHA-1: 0xC763B13DD49D71275EFC6A07106DF7DF26EE92F3	(not available)
26	%ProgramFiles%\Energizer UsbCharger\Slovak.lang	2,210 bytes	MD5: 0x4DA95D7DAC6E479F1DFA0D80CA8CAB90 SHA-1: 0xCCD7B38F45FFE0490F124F8BEF7B4B5447B04F68	(not available)
27	%ProgramFiles%\Energizer UsbCharger\Spanish.lang	2,272 bytes	MD5: 0x44BBC328FC62864701BFF12F53DEAFE6 SHA-1: 0x14C8653F9E48FD5147F345705288A3D7E4126772	(not available)
28	%ProgramFiles%\Energizer UsbCharger\Spanish_mxg.lang	2,272 bytes	MD5: 0xDA0EDB172286A0DC7D232AF8BB53AC18 SHA-1: 0xBA47488D30174069D30A23E04FAA4DFEEFDAF7FE	(not available)
29	%ProgramFiles%\Energizer UsbCharger\Swedish.lang	2,144 bytes	MD5: 0x865401E65BF762F532FDA989CC113AE3 SHA-1: 0x490AF75A4364108312FA593DA9C6A028897B8318	(not available)
30	%ProgramFiles%\Energizer UsbCharger\TipForm.exe	460,800 bytes	MD5: 0x51D3CD2A104AC8A1B3DAFF9AF96054B5 SHA-1: 0xE40AEF4143180555E12D49009C8CB2F4EA5F48F5	(not available)
31	%ProgramFiles%\Energizer UsbCharger\ucdSetup.exe	29,913 bytes	MD5: 0x7380E2CE3EF046C48009E307F92ACBD3 SHA-1: 0xA8A24421CF6B674C69D9BA42B3F4999D8E01CF10	(not available)
32	%ProgramFiles%\Energizer UsbCharger\UCharger.cat	7,286 bytes	MD5: 0x2696B9400CCFE40364DEBD4A47504AA3 SHA-1: 0xE8EB74D02ADDF7C4D753ED3A12A36C5DEF23B8D9	(not available)
33	%ProgramFiles%\Energizer UsbCharger\UCharger.inf	2,477 bytes	MD5: 0x6DC1E6BDD51C4ED9D3EE4074DA842F9B SHA-1: 0x51746ABCDB1AA902D205992627A791E7BF717D58	(not available)
34	%ProgramFiles%\Energizer UsbCharger\unins000.dat	4,096 bytes	MD5: 0x31F99BA3FB5B5931557843397B650C3D SHA-1: 0xDDA249CA12756147FFF809056993B72AC9B82B94	(not available)
35	%ProgramFiles%\Energizer UsbCharger\unins000.exe	678,682 bytes	MD5: 0x10F6F4C207BAB12D8C6DAA1C18BF5491 SHA-1: 0xA92A79EF247E99616A3EF6F18526FEF9FC416BB1	(not available)
36	%ProgramFiles%\Energizer UsbCharger\UsbCharger.dll	20,480 bytes	MD5: 0x962D087C92DCA5A189D8379E59E7E790 SHA-1: 0x7B4CD7EAAEC62F5A4B11BCF0A8F29432B32B63E8	Backdoor.Win32.Generizer.a [Kaspersky Lab] Backdoor.Win32.Generizer [Ikarus]
37	%ProgramFiles%\Energizer UsbCharger\UsbSetup.exe	32,768 bytes	MD5: 0x5A859682F7F0F645EEC302CF79FE2D84 SHA-1: 0x406056E4E2291494348620C797C8894F508E8E94	(not available)
38	%ProgramFiles%\Energizer UsbCharger\x86\UCharger.sys	13,765 bytes	MD5: 0xE0529F7B6E1ACE01EBB58E5642582C92 SHA-1: 0x35F13C5DCF228CD42EC8314467216E0801C4ED47	(not available)
39	%FontsDir%\HandelGotDOT-Bol.otf	29,512 bytes	MD5: 0xE0704128A5948630E2F7CEEC8A3EE894 SHA-1: 0x77D5E958EF85BCA95F9E9159477F329F7FDEA9E2	(not available)
40	%Windir%\inf\oem9.inf	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
41	%System%\Arucer.dll	28,672 bytes	MD5: 0x1070BE3E60A1868D2CD62FC90D76C861 SHA-1: 0xD102B1D2538D8771BE85403272E5A22A4B3F81AD	Trojan.Arugizer [PCTools] Trojan.Arugizer [Symantec] Trojan.Win32.Arugizer.a [Kaspersky Lab] Generic BackDoor.u [McAfee] Troj/Bckdr-RBF [Sophos] Backdoor:Win32/Arurizer.A [Microsoft] Trojan.Win32.Arugizer [Ikarus] Win-Trojan/Arurizer.28672 [AhnLab]
42	[file and pathname of the sample #1]	3,086,648 bytes	MD5: 0x3F4F10B927677E45A495D0CDD4390AAF SHA-1: 0xC94423FA25CB515301422188B0B35FF16B9BE749	Backdoor.Win32.Generizer.a, Trojan.Win32.Arugizer.a [Kaspersky Lab] Trojan.Win32.Arugizer [Ikarus]
43	%System%\wbem\Performance\WmiApRpl_new.h	357 bytes	MD5: 0x231323658D79D9BDF946E1CFBE01E500 SHA-1: 0xD3D145D037FCA0C669C4B3E2990906B922B22ADE	(not available)

Notes:

%CommonStartMenu% is a variable that refers to the file system directory that contains the programs and folders that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonPrograms%\Energizer UsbCharger
%ProgramFiles%\Energizer UsbCharger
%ProgramFiles%\Energizer UsbCharger\amd64
%ProgramFiles%\Energizer UsbCharger\ia64
%ProgramFiles%\Energizer UsbCharger\x86

Memory Modifications

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
Arucer.dll	%System%\Arucer.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x10007000

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Energizer UsbCharger_is1
HKEY_LOCAL_MACHINE\SOFTWARE\USBCharger
HKEY_LOCAL_MACHINE\SOFTWARE\USBCharger\Parameters

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Arucer = "rundll32 %System%\Arucer.dll,Arucer"

so that Arucer.dll runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Energizer UsbCharger_is1]

Inno Setup: Setup Version = "5.1.8"
Inno Setup: App Path = "%ProgramFiles%\Energizer UsbCharger"
InstallLocation = "%ProgramFiles%\Energizer UsbCharger\"
Inno Setup: Icon Group = "Energizer UsbCharger"
Inno Setup: User = "%UserName%"
DisplayName = "Energizer UsbCharger v1.0.0"
DisplayIcon = "%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.exe"
UninstallString = ""%ProgramFiles%\Energizer UsbCharger\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Energizer UsbCharger\unins000.exe" /SILENT"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20100316"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]

HandelGotDOTBol (TrueType) = "HandelGotDOT-Bol.otf"

[HKEY_LOCAL_MACHINE\SOFTWARE\USBCharger\Parameters]

Name = ""%ProgramFiles%\Energizer UsbCharger\Energizer UsbCharger.exe" -liuhong"
Handle = 4D 11 86 7C

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Netherlands

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.