I missed the news when SecurityBlog uncovered a new threat last week, and when Trend Micro posted about it on Friday. Now IDG explains that the malware, called Poweliks, "attempts to evade detection and analysis by running entirely from the system registry without creating files on disk." The malware can spread via Microsoft Word documents or web downloads, and it uses a clever approach to hide in the Windows Registry. I wonder how quickly antivirus software vendors will develop ways to block the threat.


Great articles! Thanks for the post!

I’m happy to say I have not had an unintentional virus or malware on anything in a decade. It really surprises me anytime I clean a computer and see how much crap people manage to collect.

As to this particular piece of malware, what prevents it from getting wiped out from something as simple as a registry cleaner like CCleaner?


Passing this along to my team. Thanks for the share!

Wonderful…I had not heard of this yet either.

Hrm, reminds me of Virtumonde, in the way it would replicate itself in the registry if not deleted correctly.

@michaelsc - sadly most sysadmins don’t understand the value of an Internet filter, using it to block ads & not just known badware, and firewall rules that don’t include the manufacturer default of “If LAN to WAN any ALLOW” - I too haven’t had a virus or malware in years, because I take the time to set things up right, not just leave them default.

As far as the CCleaner wipeout - I don’t think that would catch it. CCleaner’s registry cleaning method is basically just looking for paths (file or registry) and then allowing you to remove any that aren’t there. I don’t think it will be smart enough to follow JavaScript, as that doesn’t look like a normal file path. After the PowerShell script is there, that will be a valid path, so it probably won’t be flagged for removal either.

Perhaps there is a way to disable native JavaScript execution on the machine altogether? I know I don’t need it for anything, the same way I don’t need the security hole that is Java installed.
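An added example, not code from this thread or from any of the tools named in it: a PowerShell audit of the usual autorun (Run/RunOnce) keys that does the opposite of the path-only check described above. Instead of asking whether the path in a value still exists, it flags values whose command hands control to a script interpreter (the pattern list is an assumed heuristic, not an official indicator set), whose executable cannot be resolved on disk or on PATH, or whose value name is empty or contains non-printable characters.

```powershell
# Added example (not from the thread). Run as the logged-on user for HKCU
# and elevated for HKLM. Read-only: it reports, it does not delete.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristics: autorun commands that launch a script engine rather
# than a program file. -match is case-insensitive by default.
$suspectPatterns = @(
    'javascript:', 'mshta', 'powershell', 'RunHTMLApplication',
    '-enc', 'FromBase64String', 'WScript', 'CScript'
)

function Get-AutorunFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)

            # First token of the command line: a quoted path or a bare word.
            $exe = ''
            if ($value -match '^\s*"([^"]+)"|^\s*(\S+)') {
                $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Resolve through PATH as well, so a bare "rundll32.exe" counts as found.
            $exeFound = ($exe -ne '') -and
                        ($null -ne (Get-Command -Name $exe -ErrorAction SilentlyContinue))

            $hits = $suspectPatterns | Where-Object { $value -match $_ }
            # Empty or non-printable value names do not display normally in regedit.
            $oddName = ($name -eq '') -or ($name -match '[^\x20-\x7E]')

            if ($hits -or $oddName -or -not $exeFound) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $name
                    Command   = $value
                    ExeFound  = $exeFound
                    OddName   = $oddName
                    Matched   = ($hits -join ', ')
                }
            }
        }
    }
}

Get-AutorunFindings | Format-List
```

Anything reported here still needs a human look; legitimate software does sometimes register PowerShell or WScript launchers, so treat a hit as a lead for inspecting the full value, not as proof of infection.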

I wonder if something like Spybot S&D Teatimer would catch this. It is actively watching registry changes and alerts you of anything that looks malicious. Like any other Anti-Virus/Malware/adaware software. Definitions would just need to be updated to detect this Poweliks.

Haven’t heard of this so thanks for sharing.

No unintentional ones? How many have you intentionally deployed? :wink:

I had missed that announcement, thanks for sharing.

Thanks for the post!

Thanks for posting, interesting reads

FYI for those dealing with any cleanup of this particular trojan, RogueKiller should take care of it within a scan or two: http://community.spiceworks.com/topic/629416-poweliks-trojan-registry-based-virus

As seen in my thread linked above, I was able to remove it. I actually used FRST to find the infected key and remove it… I have not had it come back for several days now on all 3 of the infected PCs…

I will note that Symantec endpoint was no use for this, since it resided in the registry.

It’s nasty malware that will make your computer run like crap, sucking up all of the memory into those dllhost processes.

You can download Trojan.Poweliks removal tool from here: Risk Detected

We caught this, it’s a pain. I’ve had 3 users in the company catch it. (Even after numerous warnings about the delivery method) I am taking the machines out of commission, even though I’ve blocked access to the server IPs they attempt to connect to.

I had one machine that I let it run on for a while (isolated) and I noticed other changes to the registry, particularly changes to internet explorer security settings that I couldn’t fix. Even an IE default wouldn’t take care of them. Anyone else experience this?

Why won’t anyone at Symantec tell me why their products won’t detect it? If you know about it, detect it. That’s the core function of antivirus software, last time I checked! It’s bad enough you can’t detect malware, but a true virus? So what good is antivirus software anymore?

Hi,

Sorry to hear about your unpleasant experience with SEP. If the risk is not detected by SEP and all related Symantec tools (SymHelp Threat Analysis Scan and Power Eraser, recovery tool), submit suspicious files to the Security Response team.

SymHelp features a utility, the Threat Analysis Scan, that can help to identify suspicious files on a system.

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH215519

You can collect and submit suspicious files to the Symantec Security Response team for analysis.

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

http://www.symantec.com/docs/TECH203027

You will receive a confirmation email with a tracking number. Once the submission has been processed, an email will be dispatched with a determination regarding the file submitted. If it is a threat, you will be provided with a set of Rapid Release Definitions. These can be applied to the affected system so that Symantec Endpoint Protection (SEP) can then detect the infected file and prevent a reinfection.

You can also submit the file for analysis to ThreatExpert, which is owned by Symantec. Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.

Best Practices for Troubleshooting Viruses on a Network

http://www.symantec.com/docs/TECH122466

To create a case with Symantec Technical Support using MySymantec or by phone, see the following page:

Contact Business Support

http://www.symantec.com/support/contact_techsupp_static.jsp