Energizer charger software installed Arucer
Energizer DUO USB battery charger software for Windows installed a backdoor DLL named Arucer.dll from the official charger-monitoring software path. CERT/CC disclosed the issue on March 5, 2010.
Story
Energizer DUO made a small promise: plug a USB battery charger into a Windows PC and watch the charge status. The optional vendor software carried more than that. Its installer placed UsbCharger.dll beside the application and Arucer.dll into system32, then the legitimate charger DLL started the second one through rundll32.exe.
The payload was not a stray toolbar or noisy adware. CERT/CC described Arucer.dll as a backdoor listening on 7777/tcp, with commands to list directories, send and receive files, and execute programs under the logged-on user's privileges. If the user allowed the Windows Firewall prompt for "Run DLL as an App," rundll32.exe itself could be added to the firewall exceptions list.
The compromise was striking because the product was mundane. A charger status utility had no obvious reason to expose a network service or persist through the Windows Run key, yet the installer arrived from the product support path a customer would naturally trust.
Energizer removed the download site, discontinued sale of the DUO Charger model CHUSB, and told Windows users to uninstall the software and delete the remaining DLL. The Arucer file carried a May 10, 2007 timestamp, but public reporting treated that as a clue, not proof of the full exposure window.
Affected Artifacts
- Observed: 2010-03-05
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - md5:1070be3e60a1868d2cd62fc90d76c861
  - sha1:d102b1d2538d8771be85403272e5a22a4b3f81ad
- Evidence: distribution: energizer.com/usbcharger, distribution: energizerrecharge.eu/en/range/chargers/usb, mirror: kb.cert.org/vuls/id/154421, cve: CVE-2010-0103
- CERT/CC listed the Arucer.dll file version as 1.0.0.1 with a 2007-05-10 file date; public sources did not prove the complete distribution window.
- Removing the Energizer UsbCharger software removed startup execution, but CERT/CC said Arucer.dll could remain in system32 and might require a restart before deletion.
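Host triage for the indicators this record gives (the listed hashes, the 7777/tcp listener, startup through the Run key), added here as an example and not taken from CERT/CC or Energizer. The function names, the `netstat -ano` sample and the Run-key entries are constructed; the Run value name and the export name in the sample are hypothetical.

```python
import hashlib

# Hashes this page lists under Affected Artifacts (it does not name the file).
PAGE_HASHES = {"md5": "1070be3e60a1868d2cd62fc90d76c861",
               "sha1": "d102b1d2538d8771be85403272e5a22a4b3f81ad"}
BACKDOOR_PORT = 7777                       # Arucer.dll listener per CERT/CC
NAMES = ("arucer.dll", "usbcharger")       # file names taken from the page

def file_matches(path, known=PAGE_HASHES):
    """Return the algorithms whose digest of the file equals a listed hash."""
    digests = {alg: hashlib.new(alg) for alg in known}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return sorted(a for a, d in digests.items() if d.hexdigest() == known[a].lower())

def listeners_on_port(netstat_text, port=BACKDOOR_PORT):
    """Return PIDs of TCP sockets in LISTENING state on `port` (netstat -ano text)."""
    pids = set()
    for line in netstat_text.splitlines():
        f = line.split()  # Proto, Local Address, Foreign Address, State, PID
        if (len(f) == 5 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            pids.add(int(f[4]))
    return sorted(pids)

def run_key_hits(entries):
    """Return Run-key value names whose command references the charger DLLs."""
    return sorted(n for n, cmd in entries.items()
                  if any(s in cmd.lower() for s in NAMES))

# Constructed sample input, not captured from a real host. The Run value name
# and the "Entry" export are hypothetical; the page gives neither.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:50122     203.0.113.9:7777       ESTABLISHED     4100
  TCP    [::]:7777              [::]:0                 LISTENING       2312
"""
SAMPLE_RUN = {
    "Updater": r"C:\Program Files\Vendor\update.exe /quiet",
    "ChargerHelper": r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\Arucer.dll,Entry",
}

if __name__ == "__main__":
    print("listener PIDs:", listeners_on_port(SAMPLE_NETSTAT))
    print("Run-key hits:", run_key_hits(SAMPLE_RUN))
```

On a live host, pass the path of any Arucer.dll found in system32 to `file_matches` and the English-locale output of `netstat -ano` to `listeners_on_port`.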
Incident Context
- Motive: Remote Access
- Cause: Compromised Installer
- Transitive: No
External References
Source record: proprietary/energizer-duo/meta.yaml