Energizer Bunny Drums Up Malware

If you’ve purchased an Energizer Duo USB battery charger and downloaded the software that Energizer provides to monitor charging status on your PC, you may have a little mess to clean up. The Windows driver that comes as part of the kit contains a Trojan.

Root Kit Distributed As Part Of Driver Software

The troublesome file is called “Arucer.dll”. It opens a backdoor that lets an attacker access the infected PC remotely. CERT described the vulnerability in Vulnerability Note VU#154421.

The Trojan happily adds itself to the computer’s startup routine, so the Trojan is activated each time the computer boots. The Trojan then accepts remote commands to send files from the computer, accept new files from the remote connection, download other applications to the infected computer or execute files as directed by the remote user.

Unlike other rootkits and Trojans, the infected computer doesn’t “phone home” to acknowledge that it’s ready to accept commands. That makes the source of the Trojan harder to trace, and it also makes the computer vulnerable to any hacker who discovers the back door. The infected computer can be used by multiple hackers for whatever they need. For the most part, the infection is not detected by anti-virus software.

Unfortunately for users, the Trojan has been distributed undetected since 2007 and is embedded in the battery monitoring software. The first step toward ridding an infected computer of the malicious software is to uninstall the charge-monitoring application. Once the application is uninstalled, reboot the computer and delete the Arucer.dll file. Do not reinstall the battery monitoring software, since this will re-install the rootkit .dll file into the Windows System32 directory. Energizer has removed the Duo battery charger from the market and taken down the Web site where users could download the infected software.

If your computer is infected by the Arucer.dll backdoor, you may have other malware infections you need to address. Once the rootkit has been removed, rescan and clean the computer to detect other potential infections. For networked computers, network technicians can block port 7777, which the software uses to listen for remote instructions.
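The following triage script is an added example (it is not from the article, CERT or Energizer) that checks a host for the three indicators named above: a TCP listener on port 7777, an autorun entry referencing Arucer.dll, and the file itself in System32. It runs offline against constructed sample data; the autorun entry name and its command line are hypothetical, since the page does not give the real ones.

```python
import os
import re
from typing import Dict, List, Optional

BACKDOOR_PORT = 7777          # TCP port Arucer.dll listens on (per the article / VU#154421)
BACKDOOR_DLL = "arucer.dll"   # compared case-insensitively

# Constructed sample in the layout of `netstat -ano` output on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.5:49201      203.0.113.10:443       ESTABLISHED     1504
"""

# Constructed sample of Run-key values (name -> command). Both the entry name
# and the command line are hypothetical; the page does not give the real ones.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "hypothetical-autorun": r"rundll32.exe C:\Windows\System32\Arucer.dll,Run",
}

# Matches a TCP LISTENING row and captures the local port and the PID.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)


def listening_pids(netstat_text: str, port: int = BACKDOOR_PORT) -> List[int]:
    """Return PIDs of TCP listeners bound to `port` in netstat -ano output."""
    return [int(pid) for p, pid in _LISTEN_RE.findall(netstat_text) if int(p) == port]


def autorun_hits(run_values: Dict[str, str], dll: str = BACKDOOR_DLL) -> List[str]:
    """Return names of autorun entries whose command line references the DLL."""
    return [name for name, cmd in run_values.items() if dll in cmd.lower()]


def dll_present(system32_dir: Optional[str] = None, dll: str = BACKDOOR_DLL) -> bool:
    """True if the DLL exists in System32 (default: %SystemRoot%\\System32)."""
    if system32_dir is None:
        system32_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return os.path.isfile(os.path.join(system32_dir, dll))


def triage(netstat_text: str, run_values: Dict[str, str], system32_dir: Optional[str] = None) -> dict:
    """Combine the three indicators; any hit means the host needs the clean-up described above."""
    f = {"listener_pids": listening_pids(netstat_text),
         "autorun_entries": autorun_hits(run_values),
         "dll_in_system32": dll_present(system32_dir)}
    f["suspicious"] = bool(f["listener_pids"] or f["autorun_entries"] or f["dll_in_system32"])
    return f


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_VALUES, system32_dir="/nonexistent"))
```

On a real host, feed `triage` the actual `netstat -ano` output and the Run-key values read from the registry instead of the constructed samples; a listener on 7777 with no matching legitimate service is the strongest of the three signals.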

Energizer has not yet said whether it will replace the infected software with a clean copy, but security experts say that all distributions of the companion software for the Energizer Duo USB battery charger are affected.

Photo Credit: Andreas Brandmaier, via Flickr