SECURITY TO THE CORE

USB Battery Charger Installs Trojan


The software that shows the extent to which a battery is charged through the Energizer DUO USB recharger comes bundled with a Trojan, says the US CERT.

It appears that since 2007 Energizer has unknowingly been distributing a backdoor Trojan as part of their Energizer Duo software. The file Arucer.dll, which was thought to be a legitimate file used by their USB battery charger, was instead a backdoor Trojan that allowed remote access to an infected computer via TCP port 7777.

The Trojan springs to life every time Windows starts and is active even when the charger is removed. Uninstalling the USB charger software disables the malicious file: it is still on the computer, but the mechanism that executes it is no longer present.

Symantec confirmed that Arucer.dll was indeed a backdoor and that it was able to execute commands issued remotely. These commands could perform the following actions:

  • Download a file
  • Execute a file
  • Send a directory listing to the remote attacker
  • Send files to the remote attacker
  • Modify the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"svchost"

The Arucer.dll file must be removed manually from the Windows system32 directory; this may require restarting the computer after the software has been uninstalled. Blocking the aforementioned port is only a partial, temporary solution, and removing both the software and the malicious file is recommended.
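The following PowerShell script is an added example for checking a Windows host for the indicators named above (the DLL in system32, the RunOnce "svchost" value, and a listener on TCP 7777); it is not code from the US-CERT or Symantec advisories, it only reports and deletes nothing, and it assumes a version of Windows that ships Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not part of the advisories this page cites): read-only check for the
# Energizer DUO backdoor indicators described above. Run from an elevated PowerShell prompt.
$dllPath    = Join-Path $env:SystemRoot 'System32\Arucer.dll'
$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$port       = 7777

$findings = @()

# 1. The backdoor DLL itself. After uninstalling the charger software the file can remain
#    on disk but dormant, so its presence is reported separately from any sign of activity.
if (Test-Path -LiteralPath $dllPath) {
    $findings += "File present: $dllPath"
}

# 2. The RunOnce "svchost" value the backdoor modifies (the registry entry listed above).
$runOnce = Get-ItemProperty -Path $runOnceKey -ErrorAction SilentlyContinue
if ($runOnce -and ($runOnce.PSObject.Properties.Name -contains 'svchost')) {
    $findings += "RunOnce value 'svchost' = $($runOnce.svchost)"
}

# 3. A listening socket on TCP 7777, with the process that owns it. A listener here while
#    the file is present means the backdoor is active, not just left behind.
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $port listening, owning PID $($conn.OwningProcess) ($($proc.ProcessName))"
}

# 4. Any process that currently has Arucer.dll loaded (module enumeration needs elevation;
#    processes that refuse access are skipped rather than aborting the scan).
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    $modules = $null
    try { $modules = $p.Modules } catch { continue }
    if ($modules | Where-Object { $_.ModuleName -ieq 'Arucer.dll' }) {
        $findings += "Arucer.dll loaded in PID $($p.Id) ($($p.ProcessName))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Energizer DUO backdoor indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A host where only check 1 fires matches the "disabled but still present" state the text describes; checks 3 and 4 firing indicate the backdoor is still being executed and the manual removal above is still outstanding.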

Energizer has removed the software and issued a press release stating that a “vulnerability” has been found and that they have discontinued the product and offered software to uninstall the backdoor.

References

Symantec Security Response: Back Door Found in Energizer DUO USB Battery Charger

US-CERT: http://www.kb.cert.org/vuls/id/154421
