USB Battery Charger Installs Trojan
The software that shows to which extent the battery is charged through the Energizer DUO USB recharger comes bundled up with a Trojan, says the US CERT.
It appears that since 2007 Energizer has unknowingly been distributing a backdoor Trojan as part of their Energizer Duo software. The file Arucer.dll, which was thought to be a legitimate file used by their USB battery charger, was instead a backdoor Trojan that allowed remote access to an infected computer via the TCP port 7777.
The Trojan springs to like every time Windows starts and is active even when the charger is removed. By un-installing the USB charger software, the malicious file is disabled. It is still in the computer, but the mechanism that executes it is no longer present.
Symantec confirmed that the Arucer.dll was indeed a backdoor and and that it was able to execute commands issued remotely. These commands could perform the following actions:
- Download a file
- Execute a file
- Send a directory listing to the remote attacker
- Send files to the remote attacker
- Modify the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”svchost”
The Arucer.dll file must be removed manually from the Windows system32 directory, possibly after restarting the computer after the deinstallation of the software. Blocking the aforementioned port is only a partial, temporary solution, and the removal of the software and of the malicious file is recommended.
Energizer has removed the software and issued a press release stating that a “vulnerability” has been found and that they have discontinued the product and offered software to uninstall the backdoor.
Symantec Security Response – Back Door Found in Energizer DUO USB Battery Charger
US-CERT – http://www.kb.cert.org/vuls/id/154421