The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:
An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.
Remove the Energizer UsbCharger software
Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.
Remove the Arucer.dll file
Thanks to Ed Schaller for reporting this vulnerability.
This document was written by Will Dormann.
|Date First Published:||2010-03-05|
|Date Last Updated:||2010-04-15 14:31 UTC|