Energizer DUO USB battery charger software allows unauthorized remote system access
March 10, 2010 by admin
Filed under Removal Tips,Tools and Videos
Overview
The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
I. Description
Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
Arucer.dll is a backdoor that allows unauthorized remote system access: it listens on 7777/tcp and accepts connections from any host that can reach that port. Note that Windows XP SP2 and later ship with the Windows Firewall enabled by default. The first time the Energizer UsbCharger software runs, a Windows Security Alert is displayed reporting that Windows Firewall has blocked “Run a DLL as an App” (rundll32.exe), with the choices Keep Blocking, Unblock and Ask Me Later.
If the user selects “Unblock,” the backdoor becomes reachable from the network. Note also that unblocking adds rundll32.exe itself, not the Energizer application or port 7777, to the Windows Firewall exceptions list. Because the exception is keyed on the executable, any DLL subsequently executed through the rundll32.exe mechanism is exempt from the Windows Firewall, regardless of which DLL it is or which port it opens.
The backdoor’s capabilities include listing directories, sending and receiving files, and executing programs. Hashes of the Arucer.dll sample analysed:
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad
The file details for Arucer.dll are:
--a-- W32i DLL CHS 1.0.0.1 shp 28,672 05-10-2007 arucer.dll
Language 0x0804 (Chinese (PRC))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName Arucer
OriginalFilenam Arucer.DLL
ProductName Arucer Dynamic Link Library
ProductVersion 1, 0, 0, 1
FileVersion 1, 0, 0, 1
LegalCopyright ???? (C) 2006
LegalTrademarks
VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00010000:00000001 (1.0:0.1)
ProdVer: 00010000:00000001 (1.0:0.1)
FlagMask: 0000003f
Flags: 00000000
OS: 00000004 Win32
FileType: 00000002 Dll
SubType: 00000000
FileDate: 00000000:00000000
II. Impact
An attacker who can reach 7777/tcp is able to remotely control the system, including listing directories, sending and receiving files, and executing programs. The backdoor runs inside rundll32.exe with the privileges of the logged-on user, so it can do anything that user can do.
III. Solution
Remove the Energizer UsbCharger software
Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.
Remove the Arucer.dll file
The backdoor component of the Energizer UsbCharger software can be removed by deleting Arucer.dll from the Windows system32 directory. Because the rundll32.exe process hosting the backdoor keeps running after the software has been uninstalled, the file is in use and Windows may need to be restarted (or that rundll32.exe process terminated) before it can be deleted.
Remove the “Run a DLL as an App” exception from the Windows Firewall
If the user unblocked “Run a DLL as an App” (rundll32.exe) in the Windows Firewall, the exception remains after the Energizer UsbCharger software has been uninstalled. To restore the firewall to its previous state, remove the “Run a DLL as an App” entry from the exceptions list.
Block or restrict network access
Blocking access to 7777/tcp mitigates this vulnerability by preventing network connectivity to the backdoor. This may be done with network perimeter devices or host-based firewalls. The Energizer UsbCharger software does not itself add a Windows Firewall exception for 7777/tcp or for the backdoor; the listener becomes reachable through the Windows Firewall only if the firewall is disabled or the user chooses “Unblock” when, on the first run of Energizer UsbCharger, the firewall reports that “Run a DLL as an App” has been blocked.
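The removal steps above amount to four checks that can be scripted. The following is an added example, not code from the advisory, from CERT or from Energizer: Python triage that inspects the Run key for an Arucer.dll autorun launched through rundll32, the Windows Firewall exception list for any rundll32.exe entry, the Arucer.dll file hash against the values published above, and netstat output for a 7777/tcp listener. The check logic is pure and is exercised here over constructed sample state; on a Windows host, collect_and_assess() gathers the real state. The registry path used for the XP-era firewall exception list is an assumption about that product’s layout, not something the advisory states.

```python
"""Host-side triage for the Arucer.dll backdoor described in this advisory.

Added example, not code from the advisory, from CERT or from Energizer.
The assess_* functions take already-collected state so they can be run
offline against constructed data; collect_and_assess() gathers that state
from a live Windows host.  FIREWALL_APPS_KEY is an assumption about where
the XP SP2/SP3 Windows Firewall keeps per-application exceptions.
"""
import hashlib
import re

# Indicators quoted from the advisory text above.
ARUCER_MD5 = "1070be3e60a1868d2cd62fc90d76c861"
ARUCER_SHA1 = "d102b1d2538d8771be85403272e5a22a4b3f81ad"
BACKDOOR_PORT = 7777
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumption: XP-era per-application firewall exception list (not from the advisory).
FIREWALL_APPS_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample state (not captured from a real host): a benign Run value,
# an Arucer autorun, the rundll32.exe exception the advisory describes, and a
# netstat -ano excerpt with a 7777/tcp listener.  The export name in the
# rundll32 command line is made up for the sample; matching does not rely on it.
SAMPLE_RUN_VALUES = {
    "UsbCharger": r"C:\Program Files\Energizer\UsbCharger\UsbCharger.exe",
    "Arucer": r'rundll32.exe "C:\WINDOWS\system32\Arucer.dll",Arucer',
}
SAMPLE_FIREWALL = {
    r"C:\WINDOWS\system32\rundll32.exe":
        r"C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App",
}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900",
    "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1234",
    "  TCP    192.168.1.10:1050      203.0.113.5:80         ESTABLISHED     2048",
]


def assess_run_values(run_values):
    """Names of Run values that launch Arucer.dll through rundll32 (case-insensitive)."""
    return [name for name, cmd in run_values.items()
            if "rundll32" in cmd.lower() and "arucer.dll" in cmd.lower()]


def assess_firewall_exceptions(entries):
    """Exception entries keyed on rundll32.exe.  Any such entry matters, not only
    one labelled for Energizer: it exempts every DLL later run via rundll32.exe."""
    return [path for path in entries if path.lower().endswith("rundll32.exe")]


def matches_known_sample(dll_bytes):
    """True when the file hashes to the MD5 and SHA1 published above."""
    return (hashlib.md5(dll_bytes).hexdigest() == ARUCER_MD5
            and hashlib.sha1(dll_bytes).hexdigest() == ARUCER_SHA1)


_LISTENER_RE = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTENING\b" % BACKDOOR_PORT)


def assess_listeners(netstat_lines):
    """netstat -ano lines that show a TCP listener on the backdoor port."""
    return [line for line in netstat_lines if _LISTENER_RE.match(line)]


def triage(run_values, firewall_entries, dll_bytes, netstat_lines):
    """Run every check; empty lists and False mean no indicator was found.
    dll_bytes is None when system32\\Arucer.dll does not exist."""
    return {
        "run_entries": assess_run_values(run_values),
        "rundll32_exceptions": assess_firewall_exceptions(firewall_entries),
        "known_arucer_dll": dll_bytes is not None and matches_known_sample(dll_bytes),
        "port_7777_listeners": assess_listeners(netstat_lines),
    }


def _read_values(subkey):
    """Read all values of an HKLM key into {name: str(data)}; {} if the key is absent."""
    import winreg  # Windows only, so imported here rather than at module top
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except OSError:
        pass
    return values


def collect_and_assess():
    """Gather live state from this Windows host and triage it."""
    import os
    import subprocess
    dll_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "system32", "Arucer.dll")
    dll_bytes = open(dll_path, "rb").read() if os.path.exists(dll_path) else None
    netstat = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                             capture_output=True, text=True).stdout
    return triage(_read_values(RUN_KEY), _read_values(FIREWALL_APPS_KEY),
                  dll_bytes, netstat.splitlines())


if __name__ == "__main__":
    import sys
    state = (collect_and_assess() if sys.platform == "win32"
             else triage(SAMPLE_RUN_VALUES, SAMPLE_FIREWALL, None, SAMPLE_NETSTAT))
    for check, result in state.items():
        print(f"{check}: {result or 'clean'}")
```

The hash check only confirms the exact sample the advisory analysed; a recompiled Arucer.dll would not match, which is why the Run-key, firewall-exception and listener checks are kept independent of it. On Windows Vista and later the firewall stores its rules under a different key, so FIREWALL_APPS_KEY would need adapting there.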
The following Snort rules can be used to detect network traffic related to this backdoor:
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow:established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;)
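The rules above match opaque byte strings. As an added example (not code from the advisory, from CERT or from the rule authors), the following Python decodes them: each content string is a 4-byte little-endian length followed by a NUL-terminated ASCII GUID naming the command, with every byte XORed with 0xE5. The key is inferred from the rule bytes themselves (the first four decode to 0x27 = 39, the length of a braced GUID plus its terminator, and the fifth to “{”); the advisory does not state it. Three of the nine rules are copied verbatim; the parse, encode and classify helpers are this example’s own.

```python
"""Decode the Arucer Snort signatures above and match frames against them.

Added example, not code from the advisory, from CERT or from the rule
authors.  The rule strings are copied verbatim from the advisory; everything
else is this example's own.  Each content string is a 4-byte little-endian
length, then a NUL-terminated ASCII GUID, with every byte XORed with 0xE5.
The key is inferred from the rule bytes (0xC2^0xE5 = 0x27 = 39 = braced
GUID + NUL; 0x9E^0xE5 = '{'), not stated in the advisory.
"""
import re
import struct

XOR_KEY = 0xE5

# Three of the nine published rules, verbatim.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; '
    'flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 '
    'C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; '
    'classtype:trojan-activity; sid:1000004; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; '
    'flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 '
    'C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; '
    'classtype:trojan-activity; sid:1000005; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; '
    'flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 '
    'C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; '
    'classtype:trojan-activity; sid:1000008; rev:2;)',
]

_RULE_RE = re.compile(r'msg:"([^"]+)".*?content:"\|([0-9A-Fa-f ]+)\|"')


def parse_rule(rule):
    """Return (msg, content bytes) for a Snort rule that uses |hex| content."""
    m = _RULE_RE.search(rule)
    if m is None:
        raise ValueError("rule has no msg/content pair")
    return m.group(1), bytes.fromhex(m.group(2))


def unxor(data):
    """Apply the single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def encode_frame(text):
    """Wire form of a command: XOR over (LE32 length of payload + payload + NUL)."""
    payload = text.encode("ascii") + b"\x00"
    return unxor(struct.pack("<I", len(payload)) + payload)


def parse_arucer_frame(data):
    """Inverse of encode_frame.  Returns the command text, or None when the
    length prefix is zero, overruns the data, or the payload is not
    NUL-terminated ASCII, so random traffic on the port is not reported."""
    if len(data) < 4:
        return None
    plain = unxor(data)
    (length,) = struct.unpack("<I", plain[:4])
    if length == 0 or length > len(plain) - 4:
        return None
    payload = plain[4:4 + length]
    if not payload.endswith(b"\x00"):
        return None
    try:
        return payload[:-1].decode("ascii")
    except UnicodeDecodeError:
        return None


def decode_signatures(rules=SNORT_RULES):
    """Map each rule's msg to the cleartext command GUID its content encodes."""
    return {msg: parse_arucer_frame(content) for msg, content in map(parse_rule, rules)}


def classify(frame, rules=SNORT_RULES):
    """Name the first rule whose content occurs in the frame (Snort's content:
    is a substring match), or None when no signature fires."""
    for msg, content in map(parse_rule, rules):
        if content in frame:
            return msg
    return None


if __name__ == "__main__":
    for msg, guid in decode_signatures().items():
        print(f"{msg:26} -> {guid}")
    # Constructed frame: the exec GUID with arbitrary trailing bytes still fires.
    frame = encode_frame("{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}") + b"\x00\x01"
    print("classify:", classify(frame), "| decoded:", parse_arucer_frame(frame))
```

Round-tripping the decoded GUID through encode_frame reproduces the published rule bytes exactly, which confirms the framing. The decoder labels any frame on 7777/tcp by its command GUID, including commands for which no rule is published, whereas classify() reports only what a Snort content: match would.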
Systems Affected
Source: www.kb.cert.org
Removal tool for Oficla.H!dll, Win32.Fregee.av (reader_s.exe, file1.exe) Trojan
March 10, 2010 by admin
Filed under Removal Tips,Tools and Videos
Sample Submitted By Sven Berger
Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger
January 31, 2010 by admin
Filed under Removal Tips,Tools and Videos
Submitted By Google Pnookle
- Sets the drive to autoplay by creating autorun.inf file in its root directory.
- Creates a startup registry entry.
Remove, Uninstall Any Antivirus Software with AppRemover
December 18, 2009 by admin
Filed under Removal Tips,Tools and Videos
In this series of posts we have been reviewing software designed to uninstall or remove a particular antivirus or security product.
A specialized uninstaller is needed because security software is often very difficult to remove completely through the regular uninstall mechanism.
There are, however, a few general-purpose antivirus uninstallers that work with most security products. One of them is AppRemover, a freeware tool that supports most security applications. AppRemover can be used not only for a clean uninstall but also when the application’s built-in uninstall has been tried and has failed.

When Do you Need to Use AppRemover to Uninstall Antivirus Software
- When replacing one security application with another
- When competing security applications tie up your computer
- When the application’s built-in uninstall process fails
- When you have forgotten the application password
The original post embeds a YouTube video that describes the application in detail, for those who prefer not to read.
Source: thepcsecurity.com
Removal for Trojan W32/Virut.CE
November 26, 2009 by ƒιяєƒℓソ
Filed under Removal Tips,Tools and Videos
Virus.Win32.Virut.ce is a file-infecting virus that targets Windows.
An infected system becomes very slow, and a couple of minutes after a user logs in it shuts down, showing a dialog box with a red X and a countdown timer. The virus infects or copies itself into *.dll and *.exe files in the windows\system32 folder and on the C: and D: drives.
Some known file names used by Virus.Win32.Virut.ce are perrdlm.exe, klpllsm.exe and others.
This trojan makes Startup Registry entries at
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“cdmmslpo”=”C:\\WINDOWS\\system32\\klpllsm.exe”
“qaswww”=”C:\\WINDOWS\\system32\\perrdlm.exe”
“shccde”=”C:\\WINDOWS\\system32\\ipismd.exe”
If you delete these files and registry entries they are restored after a system restart, because the virus has also infected other files.
Manual removal is therefore very hard, so use the free removal tool from Grisoft instead.
Grisoft has released a free removal tool for this family, Win32/Virut.
Download the following two files:
rmvirut.exe
rmvirut.nt
Run rmvirut.exe.
Note:
You can also pass the disks (or partitions) to heal as command-line parameters,
e.g. “rmvirut C: D:”. Without parameters it heals all disks (partitions) on the computer.
To scan a single folder, for example a folder named tools on the D: drive:
d:\rmvirut.exe D:\tools
The command is run from
Start – Run: in the Run box type the full path to rmvirut.exe followed by the folder or drive to scan,
then press OK (on Vista, confirm Allow to continue).
The remover requires administrator rights to run successfully. For proper functionality, rmvirut.nt must be saved in the same folder as rmvirut.exe.
For Further Support Contact Us,
VirusExperts.org
Hitman Pro 3 – The First Behavioral Scan and Multi-vendor Cloud Confirmation Anti-malware
November 6, 2009 by admin
Filed under Removal Tips,Tools and Videos
Hitman Pro 3 is a fast all-in-one tool to locate, identify and remove viruses, spyware, trojans, rootkits and other malware. Hitman Pro 3 will quickly show if your PC is infected with malicious software.
Research shows that many computers are infected, even if they have an up-to-date security suite installed, and that a combination of different anti malware programs would be required to prevent infection.
Hitman Pro 3 uses innovative cloud computing techniques to detect and remove potential malware threats with minimal impact on system performance.
New Free SUPERAntiSpyware Online Scanner/Remover!
November 3, 2009 by admin
Filed under Removal Tips,Tools and Videos
Follow the instructions below to initiate the SUPERAntiSpyware Online Scan. The scanner will detect AND remove over 1,000,000 spyware/malware infections. The scanner does NOT install anything on your Start Menu or Program Files and does NOT need to be uninstalled.
The SUPERAntiSpyware Online Safe Scan is free for personal use.
How To Use :
1. Start the Scan
Click on the button to start the scanner download process.
2. Download the Scanner
Click the RUN button when prompted. If you are using a browser other than Internet Explorer, the prompt may differ.

3. Wait for the Scanner to Download
The scanner will download in just a few seconds.

4. Run the Scanner
Click the RUN button when prompted. This will start the scanner.

5. Scan and remove
Click the “Click here to Start” button, then “Check for Updates” to update the definitions, then “Scan your Computer” to start the scan.
How to Remove All Types of Magania (W32_Gammima,Trojan-GameThief,Taterf,Win32.Inhoo) Trojan
October 13, 2009 by admin
Filed under Removal Tips,Tools and Videos
- Magania trojan Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
- Downloads/requests other files from Internet.
- Creates a startup registry entry.
SmitFraudFix (Desktop Hijack Malware Removal) (WinXP, Win2K)
September 29, 2009 by admin
Filed under Removal Tips,Tools and Videos
This tool removes Desktop Hijack malware: Advanced Antivirus, Advanced Virus Remover, AdwarePunisher, AdwareSheriff, AlphaCleaner, AntiSpyCheck, AntiSpyware Expert, Antispyware Soldier, AntiVermeans, AntiVermins, AntiVerminser, AntiVirGear, Antivirus 2009, Antivirus 2010, Antivirus 360, AntiVirus Lab 2009, Antivirus Master, Antivirus Sentry, Antivirus System Pro, Antivirus XP 2008, AntivirusGolden, AV Antispyware, AVGold, Awola, BraveSentry, Coreguard Antivirus, Extra Antivirus, HomeAntivirus 2009, IE Defender, IE-Security, Internet Antivirus, Malware Defender 2009, MalwareCrush, MalwareWipe, MalwareWiped, MalwaresWipeds, MalwareWipePro, MalwareWiper, Micro Antivirus 2009, MS AntiSpyware 2009, MS Antivirus, PC Protection Center 2008, Personal Defender 2009, PestCapture, PestTrap, Power Antivirus, Power-Antivirus-2009, PSGuard, quicknavigate.com, RegistryFox, Registry Cleaner, Renus 2008, Security iGuard, Smart Antivirus 2009, Smitfraud, SmitFraudFixTool, Spy Protector, SpyAxe, SpyCrush, SpyDown, SpyFalcon, SpyGuard, SpyHeal, SpyHeals, SpyLocked, SpyMarshal, SpySheriff, SpySoldier, Spyware Guard 2008, Spyware Protect 2009, Spyware Vanisher, Spyware Soft Stop, SpywareLocked, SpywareQuake, SpywareKnight, SpywareRemover, SpywareSheriff, SpywareStrike, Startsearches.net, System Antivirus 2008, System Guard 2009, TheSpyBot, TitanShield Antispyware, Total Protect 2009, Total Secure 2009, Trust Cleaner, Ultimate Antivirus 2008, UpdateSearches.com, UnVirex, Virtual Maid, Virus Heat, Virus Protect, Virus Protect Pro, VirusBlast, VirusBurst, VirusRay, Virus Remover 2008, Virus Shield, VirusResponse Lab 2009, VirusTrigger, Win32.puper, WinHound, WinPC Defender, WiniBlueSoft, Vista Antivirus 2008, WinDefender 2009, XLG Security Center, XP Deluxe Protector, XP Security Center, XPert Antivirus, XP Police Antivirus, Brain Codec, ChristmasPorn, DirectAccess, DirectVideo, EliteCodec, eMedia Codec, EZVideo, FreeVideo, Gold Codec, HQ Codec, iCodecPack, IECodec, iMediaCodec, Image ActiveX Object, Image Add-on, IntCodec, iVideoCodec, JPEG Encoder, Key Generator, LookForPorn, Media-Codec, MediaCodec, MMediaCodec, MovieCommander, MPCODEC, My Pass Generator, NetProject, Online Image Add-on, Online Video Add-on, PCODEC, Perfect Codec, PowerCodec, PornPass Manager, PornMag Pass, Pornovid, PrivateVideo, QualityCodec, Silver Codec, SearchPorn, SexVid, SiteEntry, SiteTicket, SoftCodec, strCodec, Super Codec, TrueCodec, VideoAccess, VideoBox, VidCodecs, Video Access ActiveX Object, Video ActiveX Object, Video Add-on, VideoCompressionCodec, VideoKeyCodec, VideosCodec, WinAntiSpyPro, WinMediaCodec, X Password Generator, X Password Manager, ZipCodec, WinCoDecPRO…
Removal tool for Magania.bzmw (Taterf.B,Win32.Inhoo) Trojan
September 3, 2009 by admin
Filed under Removal Tips,Tools and Videos
- Magania trojan Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
- Downloads/requests other files from Internet.
- Creates a startup registry entry.