Poweliks Malware Only Resides In System Registry


Security researchers have found a malware family that resides only in the system registry. Because nothing is written to disk as an executable, the malware is file-less. According to malware researchers at G Data Software, Poweliks is a new, sophisticated piece of malware that achieves persistence precisely by being file-less.

According to Symantec, the malware can infect Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista and Windows XP.

When a system is infected, the malware opens a backdoor that allows malicious remote access. The infected registry contains the following entries under the current user's Run key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)" = "[ENCRYPTED JAVASCRIPT]"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]" = "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write(\"\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\software\\microsoft\\windows\\currentversion\\run\\\")+\"\74/script>\")"

The second value is the launcher. At logon, rundll32.exe is started with a javascript: URL, which causes mshtml.dll's RunHTMLApplication to execute the embedded script. That script creates a WScript.Shell object, reads the (default) value of the same Run key with RegRead, and writes it into the page inside a <script language=jscript.encode> tag (\74 is the octal escape for "<"), so the encrypted JavaScript stored in the first value is decoded and run without ever touching the file system. The non-ASCII name of the launcher value makes the entry hard to view or delete with the Registry Editor.
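The two entries above are enough to hunt for this persistence on a live host. The following PowerShell script is an added example written for this post; it is not code from the original article, from G Data or from Symantec. It reads the HKCU Run key and flags the four indicators visible in the quoted entries (a rundll32.exe javascript: launcher, a WScript.Shell RegRead back into the Run key, a value name outside printable ASCII, and a long blob stored in the key's default value), and it lists rundll32.exe processes whose command line carries a javascript: URL. The regular expressions, the function names and the 200-character length threshold are assumptions made here, not anything the post specifies.

```powershell
# Added example for hunting Poweliks-style file-less persistence.
# Not code from the original post, G Data or Symantec; regexes, function
# names and the 200-character threshold are assumptions. Tune them locally.

Set-StrictMode -Version Latest

function Get-RunKeyIndicators {
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $findings = @()
    if (-not (Test-Path -Path $Path)) { return $findings }

    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data without expanding %VAR% so we see what the loader sees.
        $data    = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $display = if ($name -eq '') { '(default)' } else { $name }

        # Indicator 1: rundll32 started with a javascript: URL that loads mshtml.
        # (-match is case-insensitive by default.)
        if ($data -match 'rundll32(\.exe)?\s+javascript:' -or
            $data -match 'mshtml\s*,\s*RunHTMLApplication') {
            $findings += [pscustomobject]@{
                Path = $Path; Name = $display
                Reason = 'rundll32 javascript:/mshtml launcher'; Data = $data
            }
        }
        # Indicator 2: the launcher pulls its payload back out of the registry.
        if ($data -match 'WScript\.Shell' -and $data -match 'RegRead') {
            $findings += [pscustomobject]@{
                Path = $Path; Name = $display
                Reason = 'WScript.Shell RegRead of the Run key'; Data = $data
            }
        }
        # Indicator 3: value name outside printable ASCII (hides it in regedit).
        if ($name -match '[^\x20-\x7E]') {
            $findings += [pscustomobject]@{
                Path = $Path; Name = $display
                Reason = 'non-ASCII value name'; Data = $data
            }
        }
        # Indicator 4: the key's (default) value holds a long blob, not a program path.
        # A legitimate Run key normally has no (default) data at all.
        if ($name -eq '' -and $data.Length -gt 200) {
            $findings += [pscustomobject]@{
                Path = $Path; Name = $display
                Reason = "(default) value holds $($data.Length) chars of data"
                Data = $data.Substring(0, 80) + '...'
            }
        }
    }
    return $findings
}

function Get-RundllScriptProcesses {
    # Poweliks runs in memory under rundll32.exe; a javascript: URL on the
    # command line of rundll32 is never legitimate on a managed workstation.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match 'javascript:' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

Get-RunKeyIndicators     | Format-List
Get-RundllScriptProcesses | Format-List
```

Run it in a PowerShell session as the user whose profile you are checking, since the key lives under HKCU; to cover every profile, load each user's NTUSER.DAT or iterate HKEY_USERS instead. If a finding's Name contains non-printable characters, the Registry Editor may refuse to open or delete it; Remove-ItemProperty with the exact name returned by GetValueNames() can remove the value from PowerShell, but terminate the rundll32.exe process first so that a running copy cannot re-create the entry. Symantec's removal instructions, linked at the end of the post, remain the authoritative procedure.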

It also creates another registry entry that contains the malware code itself.
[Screenshot in the original post: the registry entry holding the malware code; not reproduced here]

The malware then checks whether PowerShell and the .NET Framework are installed. If they are not, it downloads the installers from Microsoft's official website.

Symantec researchers observed that the malware decrypts a PowerShell script from the encrypted JavaScript and runs it to execute a binary payload. That binary connects to the following remote addresses:

178.89.159.34
178.89.159.35

What Can The Malware Do?

Once installed, the malware can do almost anything on the infected system. In particular, it can download additional malware and spread it from the infected computers.

How To Block It - And What To Do If You Get Infected

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, deny all incoming connections and allow only the services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it harder to crack password files taken from compromised computers, which helps prevent or limit damage when a computer is compromised.
  • Ensure that programs and users run with the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, make sure the program asking for administrator-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect such drives when they are not needed. If write access is not required, enable read-only mode where the option is available.

For more information on how to remove this malware, visit Symantec.
