echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2014-08-04 06:50:00
subject: Re: Registry-infecting re

     "The JavaScript code checks whether Windows PowerShell, a
      command-line shell and scripting environment, is present
      on the system. If it isn't, it downloads and installs it
      and then it decodes some more code that is actually a
      PowerShell script."

Does PowerShell run on Win-98?

     "The malicious documents exploited a remote code execution
      vulnerability in Microsoft Office 2003, 2007 and 2010 that
      was patched by Microsoft in April 2012."

Did Office 2000 also have that vulnerability?

     "To block malware like Poweliks, “antivirus solutions have
      to either..."

Why can't (why doesn't) AV software monitor the registry for new startup
keys?

It shouldn't matter that it can't read the target being added to the key
(because of "non-standard" ASCII code) - what should matter is that it
detects changes (additions) to the startup registry keys.

=====================================

Stealthy, tricky 'Poweliks' malware hides in your system registry - but
not your hard drive

A new malware program called Poweliks attempts to evade detection and
analysis by running entirely from the system registry without creating
files on disk, security researchers warn.

The concept of “fileless” malware that only exists in the system's
memory is not new, but such threats are rare because they typically
don't survive across system reboots, when the memory is cleared. That's
not the case for Poweliks, which takes a rather new approach to achieve
persistence while remaining fileless, according to malware researchers
from G Data Software.

When it infects a system, Poweliks creates a startup registry entry that
executes the legitimate rundll32.exe Windows file followed by some
encoded JavaScript code. This triggers a process similar in concept to a
Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat
researcher at G Data, in a blog post.

The JavaScript code checks whether Windows PowerShell, a command-line
shell and scripting environment, is present on the system. If it isn't,
it downloads and installs it and then it decodes some more code that is
actually a PowerShell script.

The PowerShell script is executed by using a trick to bypass a default
protection in Windows that prevents the launch of unknown PowerShell
scripts without user confirmation, Rascagnères said. The script then
decodes and executes shellcode which injects a DLL (dynamic link
library) directly into the system memory.

Once it is running in memory, the rogue DLL component connects to two IP
(Internet Protocol) addresses in Kazakhstan to receive commands. It can
be used to download and install other threats, depending on the
attacker's needs and intentions.

During the entire process, from executing the JavaScript code to the
final DLL injection, the malware does not create any malicious files on
the hard disk drive, making it difficult for antivirus programs to
detect it.

Furthermore, the name of the startup registry key created by Poweliks is
a non-ASCII character. This is a trick that prevents regedit—the Windows
registry editor tool—and possibly other programs from displaying the
rogue start-up entry, making it difficult for both users and malware
analysts to manually spot the infection.

Some Poweliks variants have been distributed through malicious Microsoft
Word documents attached to spam emails that purported to come from
Canada Post or USPS. The malicious documents exploited a remote code
execution vulnerability in Microsoft Office 2003, 2007 and 2010 that was
patched by Microsoft in April 2012. However, according to other reports,
the malware is also distributed through drive-by download attacks that
use Web exploits.

To block malware like Poweliks, “antivirus solutions have to either
catch the file (the initial Word document) before it is executed (if
there is one), preferably before it reached the customer's email inbox,”
Rascagnères said. “Or, as a next line of defense, they need to detect
the software exploit after the file's execution, or, as a last step,
in-registry surveillance has to detect unusual behavior, block the
corresponding processes and alert the user.”

Security researchers from Trend Micro, who have also analyzed the
threat, believe that other malware creators may adopt the techniques
used by Poweliks in the future.

http://www.pcworld.com/article/2461120/stealthy-malware-poweliks-resides-only-in-system-registry.html

========================

So - Windows 98 is affected?

Symantec has actually verified that?

-------------------------
EarthLink Symantec Page
http://www.earthlink.net/software/nmpremium/norton/

Trojan.Poweliks
Risk Level 1: Very Low

Discovered:
    August 3, 2014
Updated:
    August 4, 2014 10:28:18 AM
Type:
    Trojan
Infection Length:
    71680 bytes
Systems Affected:
    Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

SUMMARY
Trojan.Poweliks is a Trojan horse that performs malicious activities on
the compromised computer.

Antivirus Protection Dates

    * Initial Rapid Release version August 4, 2014 revision 001
    * Latest Rapid Release version August 4, 2014 revision 001
    * Initial Daily Certified version August 4, 2014 revision 008
    * Latest Daily Certified version August 4, 2014 revision 008
    * Initial Weekly Certified release date August 6, 2014

    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy

Damage

    * Damage Level: Medium
    * Payload: Opens a back door.

Distribution

    * Distribution Level: Low

TECHNICAL DETAILS
The Trojan may be dropped by Trojan.Mdropper.

When the Trojan is executed, it creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)" = "[ENCRYPTED JAVASCRIPT]"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]" = "rundll32.exe
javascript:\"\..\mshtml,RunHTMLApplication\";document.write(\"\74script
language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\software\\microsoft\\windows\\currentversion\\run\\\")+\"\74/script>\")"

The Trojan then checks if the compromised computer has the PowerShell or
.NET frameworks. If not, it will download the installers for these
frameworks from the official Microsoft website.

Next, the Trojan decrypts a PowerShell script from its encrypted
JavaScript. It runs this PowerShell script to execute a binary program.
This program connects to the following remote locations:

    * 178.89.159.34
    * 178.89.159.35

http://www.symantec.com/security_response/earthlink_writeup.jsp?docid
14-080408-5614-99
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
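As an added illustration (not part of the post above or of either quoted write-up) of the "in-registry surveillance" the article's closing quote calls for, and of the poster's point that detecting additions to the startup keys matters more than being able to read the payload: a small Python checker that compares the values under the HKCU Run key against a known-good snapshot and flags entries that were added, entries whose command line changed, value names containing non-printable or non-ASCII characters, and command lines matching the rundll32/javascript:/RegRead pattern from the Symantec write-up. The baseline, the vendor names and the sample entries are constructed test data, not reads from a real host; on a live Windows system the entry list would come from the key itself (for example via the standard-library winreg module), which is deliberately left out so the example runs anywhere.

```python
import re
from dataclasses import dataclass

# The startup key both write-ups above refer to.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class RunEntry:
    """One value under the Run key; name == "" stands for the key's (default) value."""
    name: str
    data: str


# Content indicators taken from the Poweliks command line quoted in the Symantec
# write-up: rundll32 handed a javascript: URL, mshtml's RunHTMLApplication export,
# and a RegRead() of the Run key itself (the script re-reads its own payload).
INDICATORS = {
    "rundll32-javascript-protocol": re.compile(r"\brundll32(?:\.exe)?\b.*\bjavascript:", re.I),
    "mshtml-RunHTMLApplication": re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I),
    "reads-own-run-key": re.compile(r"RegRead\s*\(.*currentversion\\+run", re.I),
}


def hidden_name(name: str) -> bool:
    """A value name containing control or non-ASCII characters may not render in
    regedit and similar tools, which is the hiding trick the article describes."""
    return any(not (0x20 <= ord(ch) <= 0x7E) for ch in name)


def inspect_entry(entry: RunEntry) -> list:
    """Content-based reasons to flag a single entry (empty list = nothing odd)."""
    reasons = []
    if hidden_name(entry.name):
        reasons.append("non-printable-or-non-ascii-name")
    if entry.name == "" and entry.data:
        # The Run key's (default) value normally holds nothing; the write-up
        # says Poweliks parks its encrypted JavaScript there.
        reasons.append("data-stored-in-default-value")
    for label, pattern in INDICATORS.items():
        if pattern.search(entry.data):
            reasons.append(label)
    return reasons


def scan_run_key(entries, baseline) -> dict:
    """Compare the current entries with a known-good snapshot {name: data}.

    Returns {name: [reasons]} for every entry that was added, whose command line
    changed, or that matches an indicator. The baseline comparison is what makes
    an addition visible even when the payload itself cannot be read or classified.
    """
    findings = {}
    for entry in entries:
        reasons = inspect_entry(entry)
        if entry.name not in baseline:
            reasons.insert(0, "not-in-baseline")
        elif baseline[entry.name] != entry.data:
            reasons.insert(0, "data-changed")
        if reasons:
            findings[entry.name] = reasons
    return findings


# --- Constructed sample data (not captured from a real host) ------------------
BASELINE = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe /quiet",
}

SAMPLE_ENTRIES = [
    RunEntry("OneDrive", BASELINE["OneDrive"]),
    RunEntry("SecurityHealth", BASELINE["SecurityHealth"]),
    # Same name as the baseline entry, but now launched from a user-writable path.
    RunEntry("Updater", r"C:\Users\user\AppData\Roaming\updater.exe /quiet"),
    # Modelled on the two Poweliks values in the Symantec write-up: encrypted
    # script in (default), and a value whose name is unprintable.
    RunEntry("", "#@~^[ENCRYPTED JAVASCRIPT PLACEHOLDER]==^#~@"),
    RunEntry("\u200b\u0001",
             r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";'
             r'document.write("\74script language=jscript.encode>"'
             r'+(new%20ActiveXObject("WScript.Shell"))'
             r'.RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")'
             r'+"\74/script>")'),
]


if __name__ == "__main__":
    for name, reasons in scan_run_key(SAMPLE_ENTRIES, BASELINE).items():
        # repr() makes hidden characters in the value name visible in the alert.
        print(f"{RUN_KEY}\\{name!r}: {', '.join(reasons)}")
```

Run as-is, the script reports three of the five sample values: the relocated "Updater" entry as changed, the populated (default) value as new, and the unprintably named entry as new plus all three content indicators; the two unchanged baseline entries stay silent. The content patterns are only a second line of evidence; the baseline diff is the part that does not depend on recognising the payload.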
