Back Door Found in Energizer DUO USB Battery Charger Software
- Friday, March 5, 2010, 13:00
- Threat Research
We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc. as part of a USB charger-monitoring software package.
When we checked the manufacturer's website, the file was still available as part of the USB charger software package. During installation of the USB charger software, the file "Arucer.dll" is created and registered under the registry Run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Because it is registered under the Run key, the Trojan starts every time the computer starts. The Trojan does not authenticate the remote party: it listens for commands from anyone who connects to the port and can perform various actions, such as the following:
• Download a file
• Execute a file
• Send a directory listing to the remote attacker
• Send files to the remote attacker
• Modify the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"svchost"
Any data that Trojan.Arugizer receives on this port is XOR'd with the value 0xE5 before it is processed further. The threat listens for commands continuously. Commands are sent to the threat in the form of CLSIDs. The threat waits for any
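The wire format described above is simple enough to decode by hand, which is what an analyst or a network defender would want to do with a capture of port 7777 traffic. The following Python is an added example and is not Symantec's code, Energizer's code, or anything extracted from Arucer.dll. The only facts it takes from the write-up are the port (7777), the single-byte XOR key (0xE5) and the fact that commands are CLSIDs. The excerpt does not say whether a CLSID arrives as a raw 16-byte GUID or as the braced text form, so the decoder accepts both; that choice, the helper names, the sample payloads and the GUID used as a "command" are all constructed assumptions, not Arugizer command identifiers.

```python
"""Decode and inspect traffic in the wire format described for Trojan.Arugizer.

Added example, not code from the original write-up or from the Trojan itself.
Facts taken from the write-up: the back door listens on port 7777, every byte
it receives is XOR'd with 0xE5, and commands are CLSIDs. The CLSID encoding
(raw 16-byte GUID vs. braced text), the helper names and the sample command
GUID below are constructed assumptions.
"""
import re
import uuid

XOR_KEY = 0xE5
BACKDOOR_PORT = 7777

# Braced registry-style CLSID text, e.g. {12345678-1234-...}. Assumption: if
# commands are sent as text, this is the form the back door would compare.
CLSID_TEXT_RE = re.compile(
    rb"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)


def xor_e5(data: bytes) -> bytes:
    """XOR every byte with 0xE5. XOR with a constant is its own inverse, so
    the same function encodes an outbound command and decodes captured
    inbound traffic."""
    return bytes(b ^ XOR_KEY for b in data)


def classify_decoded(plain: bytes):
    """Return ("clsid", uuid.UUID) if the decoded message has the shape of a
    CLSID, otherwise ("other", None). A 16-byte message is read with the
    Windows little-endian GUID layout; the braced text form is parsed as text."""
    if len(plain) == 16:
        return "clsid", uuid.UUID(bytes_le=plain)
    if CLSID_TEXT_RE.match(plain):
        return "clsid", uuid.UUID(plain.decode("ascii").strip("{}"))
    return "other", None


def inspect_payload(wire: bytes) -> dict:
    """Decode one captured payload sent to port 7777 and classify it."""
    plain = xor_e5(wire)
    kind, clsid = classify_decoded(plain)
    return {"plain": plain, "kind": kind, "clsid": clsid}


def wire_signature(clsid: uuid.UUID) -> bytes:
    """Bytes that a given raw-GUID command produces on the wire. Because the
    key is a fixed constant, the encoded form of a known command is also a
    constant and can be matched directly by a network signature."""
    return xor_e5(clsid.bytes_le)


# Constructed sample data (the GUID is made up, NOT an Arugizer command ID).
SAMPLE_CLSID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_WIRE_RAW = xor_e5(SAMPLE_CLSID.bytes_le)
SAMPLE_WIRE_TEXT = xor_e5(("{%s}" % str(SAMPLE_CLSID).upper()).encode("ascii"))
SAMPLE_WIRE_NOISE = xor_e5(b"hello")  # a non-command message for contrast

if __name__ == "__main__":
    for wire in (SAMPLE_WIRE_RAW, SAMPLE_WIRE_TEXT, SAMPLE_WIRE_NOISE):
        result = inspect_payload(wire)
        print(wire.hex(), "->", result["kind"], result["clsid"])
```

The practical point of `wire_signature` is that a single-byte constant XOR is obfuscation, not encryption: once the key and a command identifier are known, the exact bytes that command produces on port 7777 are fixed, so they can be matched in an IDS rule or searched for in captures without decoding the whole stream first.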