It appears that since 2007 Energizer has unknowingly been distributing a backdoor Trojan as part of their Energizer Duo software. The file Arucer.dll, which was thought to be a legitimate file used by their USB battery charger, was instead a backdoor Trojan that allowed remote access to an infected computer.

It has always been thought that Arucer.dll was a legitimate file that allowed you to check the status of batteries inserted into the battery charger connected to your computer. Recently US-CERT has discovered that this file may instead be a backdoor Trojan that listens on port 7777 for commands from a remote location. A sample was also given to Symantec, who performed an analysis of it as well. They corroborated that Arucer.dll was indeed a backdoor and that it was able to execute commands issued remotely. These commands could perform the following actions:
- Download a file
- Execute a file
- Send a directory listing to the remote attacker
- Send files to the remote attacker
- Modify the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"svchost"
What I find alarming is that this is obviously a lapse in quality control by Energizer, as they allowed this backdoor to be distributed in their software. Regardless of the reasons that this was allowed to happen, it is obvious that there was a serious lapse of quality control and code auditing in this product. What I find even more disturbing is that instead of owning up to the fact that they were distributing an infection, they instead state it was a vulnerability. A vulnerability is a problem in the code of a program that could cause a security issue. It is not a file that was purposely designed to be a backdoor. This is not the first time that we have seen a company distributing infections and downplaying their significance. For example, Maxtor was selling the Maxtor Basics Personal Storage 3200 hard drive that contained an Autorun Worm. In their security alert they trivialized this by stating "The effects of this virus are minimal." The fact that companies diminish the significance of these issues is not only wrong but is also insulting to their customers.
To remove this backdoor, simply uninstall the Energizer Duo software and reboot your computer. You will then be able to remove the C:\Windows\System32\arucer.dll file from your computer. If you run into difficulties removing this file, feel free to ask for help in the forums.
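The indicators named above (the DLL under System32, the RunOnce value called "svchost", and a listener on TCP port 7777) can be checked on a Windows machine with the following PowerShell script. This is an added example, not code from the article, US-CERT, Symantec or Energizer; it assumes PowerShell on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so that other processes' loaded modules can be read.

```powershell
# Added host check for the three indicators the article names. Only the
# file path, registry value and port given in the text are used here.
$dllPath  = Join-Path $env:SystemRoot 'System32\Arucer.dll'   # file names are case-insensitive on NTFS
$runOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$port     = 7777
$findings = @()

# 1. Is the backdoor DLL present on disk?
if (Test-Path -LiteralPath $dllPath) {
    $item = Get-Item -LiteralPath $dllPath
    $findings += "DLL present: $dllPath (last modified $($item.LastWriteTime))"
}

# 2. Does the RunOnce key carry the "svchost" value the backdoor can modify?
$value = Get-ItemProperty -Path $runOnce -Name 'svchost' -ErrorAction SilentlyContinue
if ($value) {
    $findings += "RunOnce\svchost = $($value.svchost)"
}

# 3. Is anything listening on TCP 7777, and does that process have Arucer.dll loaded?
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc   = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $loaded = 'unknown'
    if ($proc) {
        try {
            # Reading .Modules can fail for protected or different-bitness processes
            $loaded = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'Arucer.dll' })
        } catch { $loaded = 'unknown (access denied)' }
    }
    $name = if ($proc) { $proc.ProcessName } else { '?' }
    $findings += "TCP $port listener: PID $($l.OwningProcess) ($name); Arucer.dll loaded: $loaded"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Energizer Duo backdoor indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A machine that reports the DLL or the listener should be cleaned as described above (uninstall, reboot, delete the DLL) and then re-checked; a RunOnce "svchost" value alone is worth inspecting, since legitimate software rarely uses that name there.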
Link: US-Cert Advisory: Energizer DUO USB battery charger software allows unauthorized remote system access
Link: Symantec's Back Door Found in Energizer DUO USB Battery Charger Software
Link: Energizer Announces Duo Charger and USB Charger Software Pro