After hearing about this I can't help thinking of that scene in Monty Python and the Holy Grail with the Trojan Bunny and the Frenchmen throwing it over the castle wall.
Ian.
According to research carried out by US-CERT (United States Computer Emergency Readiness Team), software that comes with the Energizer DUO USB NiMH battery charger is infected with a Trojan horse that gives hackers access to Windows PCs.
Energizer DUO is a USB battery charger. Included with the charger is a Windows application that allows the user to view the battery charging status. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs.
While the Energizer DUO has now been discontinued, it is unclear how many systems have been sold or how many PCs are affected (the Energizer DUO was also Mac OS X compatible, but that software was unaffected).
Here’s the fix for this issue:
Remove the Energizer UsbCharger software
Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.
Remove the Arucer.dll file
The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, the Windows may need to be restarted before this file can be removed.
Block or restrict network access
Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.
Symantec advisory can be found here.
