cbcvebase.
CVE-2010-0103
published 2010-03-10


Priority: P263 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Flags: EXPLOIT
EPSS: 27.43% (97.8th percentile)
UsbCharger.dll in the Energizer DUO USB battery charger software contains a backdoor that is implemented through the Arucer.dll file in the %WINDIR%\system32 directory, which allows remote attackers to download arbitrary programs onto a Windows PC, and execute these programs, via a request to TCP port 7777.

Detection & IOCs (extracted from sources)

filename: Arucer.dll
path: %WINDIR%\system32\Arucer.dll
filename: UsbCharger.dll
port: 7777/TCP
other: Command GUID :exec = {8AF1C164-EBD6-4b2b-BC1F-64674E98A710}
other: Command GUID :dir = {0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}
other: Command GUID :write = {98D958FC-D0A2-4f1c-B841-232AB357E7C8}
other: Command GUID :read = {F6C43E1A-1551-4000-A483-C361969AEC41}
other: Command GUID :nop = {783EACBF-EF8B-498e-A059-F0B5BD12641E}
other: Command GUID :find = {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}
other: Command GUID :yes = {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
other: Command GUID :runonce = {384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}
other: Command GUID :delete = {4F4F0D88-E715-4b1f-B311-61E530C2C8FC}
bytes: XOR key 0xE5 applied to all command/data bytes
  • Detect the backdoor by scanning for TCP port 7777 listeners; the Metasploit scanner module specifically targets this port to identify infected hosts.
  • All C2 protocol data (commands and payloads) sent to TCP/7777 is XOR-encoded with the single-byte key 0xE5. Network signatures should decode with this key to identify command GUIDs.
  • Look for the presence of Arucer.dll in %WINDIR%\system32 as a host-based indicator of compromise.
  • The backdoor drops a randomly named executable to C:\ (12 random alphanumeric characters + .exe) before executing it; monitor for short-lived executables written to the filesystem root.
  • Protocol framing: each command block begins with a 4-byte little-endian length field followed by the XOR-0xE5-encoded GUID string and a null terminator. Use this structure for deep-packet inspection rules on TCP/7777.
  • The backdoor is only present on Windows systems that had the Energizer DUO USB battery charger software installed; UsbCharger.dll installs Arucer.dll into system32 as part of the software package.
  • The backdoor listens on TCP/7777 with no authentication; any remote attacker with network access to that port can upload and execute arbitrary code without credentials.
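The protocol-framing bullet above (4-byte little-endian length, XOR-0xE5 body, GUID string, null terminator) is enough to write a decoder that a DPI rule or a packet-capture triage script can use to name the command in each block. The following is an added example written for this page, not code from cbcvebase or from any of the cited sources. It assumes that the length field counts every byte after itself, that the null terminator and any trailing command data are XOR-encoded together with the GUID, and that GUID case may vary on the wire (so matching is case-insensitive); the sample stream at the bottom is constructed here from those assumptions, and the all-zero GUID in it is a deliberate placeholder for an unknown command.

```python
"""Decode TCP/7777 command blocks as framed by the CVE-2010-0103 backdoor.

Added defender-side example: parses a captured byte stream into
(guid, command name, data) tuples so detection logic can alert on the
command GUIDs listed in the CVE record.
"""
import struct
from typing import Iterator, List, Optional, Tuple

XOR_KEY = 0xE5  # single-byte key applied to every command/data byte

# Command GUIDs from the CVE record, keyed case-insensitively.
_RAW_GUIDS = {
    "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}": "exec",
    "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}": "dir",
    "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}": "write",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}": "read",
    "{783EACBF-EF8B-498e-A059-F0B5BD12641E}": "nop",
    "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}": "find",
    "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}": "yes",
    "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}": "runonce",
    "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}": "delete",
}
COMMAND_GUIDS = {k.upper(): v for k, v in _RAW_GUIDS.items()}


def xor_e5(data: bytes) -> bytes:
    """XOR every byte with 0xE5; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_blocks(stream: bytes) -> Iterator[Tuple[str, Optional[str], bytes]]:
    """Walk a captured stream and yield (guid, name, data) for each block.

    name is None when the GUID is not one of the known commands.
    Raises ValueError on a truncated block or a block with no terminator,
    so a caller can flag malformed traffic instead of silently skipping it.
    """
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, pos)
        pos += 4
        if length == 0 or pos + length > len(stream):
            raise ValueError(f"truncated or malformed block at offset {pos - 4}: length={length}")
        # Assumption: the whole body after the length field is XOR-encoded.
        body = xor_e5(stream[pos:pos + length])
        pos += length
        nul = body.find(b"\x00")
        if nul < 0:
            raise ValueError("block has no null terminator after the GUID")
        guid = body[:nul].decode("ascii", errors="replace")
        data = body[nul + 1:]
        yield guid, COMMAND_GUIDS.get(guid.upper()), data


def summarize(stream: bytes) -> List[Tuple[str, bytes]]:
    """Return [(command name or 'UNKNOWN:<guid>', data), ...] for alerting."""
    return [(name or f"UNKNOWN:{guid}", data) for guid, name, data in parse_blocks(stream)]


def build_block(guid: str, data: bytes = b"") -> bytes:
    """Test-fixture builder (constructed here): frame one block per the
    assumed layout so the decoder can be exercised offline."""
    body = xor_e5(guid.encode("ascii") + b"\x00" + data)
    return struct.pack("<I", len(body)) + body


# Constructed sample stream: a nop, a dir with an argument, and a placeholder
# all-zero GUID standing in for a command not in the table.
UNKNOWN_PLACEHOLDER_GUID = "{00000000-0000-0000-0000-000000000000}"
SAMPLE_STREAM = (
    build_block("{783EACBF-EF8B-498e-A059-F0B5BD12641E}")
    + build_block("{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}", b"C:\\")
    + build_block(UNKNOWN_PLACEHOLDER_GUID, b"x")
)

if __name__ == "__main__":
    for name, data in summarize(SAMPLE_STREAM):
        print(f"{name:<45} data={data!r}")
```

Feeding the decoder a reassembled TCP/7777 stream and alerting on any block whose name is not `None` gives a higher-fidelity signal than a bare port-7777 match; the `ValueError` paths are worth alerting on too, since legitimate software is not expected to speak this framing at all.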

CVSS provenance

nvd: v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 5.0 MEDIUM