- Download a file
- Execute a file
- Send a directory listing to the remote attacker
- Send files to the remote attacker
- Modify the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”svchost”
What I find alarming is that this is obviously a lapse in quality control by Energizer as they allowed this backdoor to be distributed in their software. Regardless of the reasons that this was allowed to happen, it is obvious that there was a serious lapse of quality control and code auditing in this product. What I find even more disturbing is that instead of owning up to the fact that they were distributing an infection, they instead state it was a vulnerability. A vulnerability is a problem in the code of a program that could cause a security issue. It is not a file that was purposely designed to be backdoor. This is not the first time that we have seen a company distributing infections and downplaying their significance. For example, Maxtor was selling the Maxtor Basics Personal Storage 3200 hard drive that contained an Autorun Worm. In their security alert they trivialized this by stating "The effects of this virus are minimal." The fact that companies diminish the significance of these issues is not only wrong but is also insulting to their customers.
To remove this backdoor, simply uninstall the Energizer Duo software and reboot your computer. You will then be able to remove the C:\Windows\System32\arucer.dll file from your computer. If you run into difficulties removing this file, feel free to ask for help in the forums.