System Infected: Trojan.Poweliks Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Poweliks activity on compromised computers.

Additional Information

The Trojan may be dropped by Trojan.Mdropper.

When the Trojan is executed, it creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)" = "[ENCRYPTED JAVASCRIPT]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]" = "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write(\"\74script language=jscript.encode\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\software\\microsoft\\windows\\currentversion\\run\\\")+\"\74/script\")"

The Trojan then checks if the compromised computer has the PowerShell or .NET frameworks. If not, it will download the installers for these frameworks from the official Microsoft website.

Next, the Trojan decrypts a PowerShell script from its encrypted JavaScript and runs that PowerShell script to execute a binary program. This program connects to the following remote locations:
178.89.159.34
178.89.159.35

The Trojan may then perform the following activities:
Receive commands from the remote attacker
Delete the binary program
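The persistence described above is fileless: the payload lives in the Run key's "(default)" value and is launched by a second Run value whose name is non-ASCII and whose data chains rundll32.exe, a javascript: URL, mshtml's RunHTMLApplication and a RegRead of the Run key. The following PowerShell is an added triage example written for this page; it is not Symantec's code and not part of the signature. It enumerates HKCU Run values and flags the three traits named above, and it checks active TCP connections against the two remote addresses listed in the advisory. Function names, the marker list and the scoring threshold are this example's own assumptions.

```powershell
# Added defender-side triage example (not Symantec's code). Assumptions: names
# of functions/variables are invented here; the marker strings are taken from
# the rundll32/javascript: loader quoted in the advisory; the remote addresses
# are the two listed on the page.

$RunKeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$LoaderMarkers = @('rundll32', 'javascript:', 'mshtml', 'RunHTMLApplication', 'jscript.encode', 'RegRead')
$KnownRemoteHosts = @('178.89.159.34', '178.89.159.35')   # from the advisory

function Get-SuspiciousRunValues {
    param([string]$Path = $RunKeyPath)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $findings = @()
    foreach ($name in $key.GetValueNames()) {
        # Read raw data without expanding %VAR% so the loader text is inspected as stored
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $reasons = @()
        # Trait 1: the Run key's (default) value (empty name) is normally unset;
        #          the advisory says the encrypted JavaScript is stored there
        if ($name -eq '' -and $data.Length -gt 0) { $reasons += 'non-empty (default) value' }
        # Trait 2: value name containing characters outside printable ASCII
        if ($name -match '[^\x20-\x7E]') { $reasons += 'non-ASCII value name' }
        # Trait 3: two or more loader markers in the data (threshold chosen for this example
        #          to avoid flagging a plain rundll32 entry on its own)
        $hits = @($LoaderMarkers | Where-Object { $data -match [regex]::Escape($_) })
        if ($hits.Count -ge 2) { $reasons += ('loader markers: ' + ($hits -join ', ')) }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                ValueName = $name
                Data      = $data
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

function Get-KnownRemoteConnections {
    param([string[]]$Addresses = $KnownRemoteHosts)
    # Get-NetTCPConnection is available on Windows 8 / Server 2012 and later;
    # on older systems substitute 'netstat -ano' output parsing.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

# Run the two checks and print what was found
$regFindings = @(Get-SuspiciousRunValues)
if ($regFindings.Count -gt 0) {
    "Suspicious values under ${RunKeyPath}:"
    $regFindings | Format-List
} else {
    "No suspicious values under $RunKeyPath"
}

$netFindings = @(Get-KnownRemoteConnections)
if ($netFindings.Count -gt 0) {
    'Connections to addresses listed in the advisory:'
    $netFindings | Format-Table -AutoSize
} else {
    'No connections to the listed remote addresses'
}
```

Run it in the context of the user whose profile is being examined, since the key is under HKEY_CURRENT_USER; a machine-wide sweep needs the same function pointed at each loaded user hive. Value names that the .NET registry API cannot enumerate will not appear in the output, so treat a clean result as a triage aid rather than a substitute for the signature, and keep any flagged value data for analysis before removing it.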

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP