Symantec Security Response has seen an increase in the number of reports related to a threat known as Trojan.Poweliks. Poweliks is unusual compared to traditional malware because it does not exist on a compromised computer as a file. Instead, it resides in a subkey of the computer’s registry.
Figure. Trojan.Poweliks registry subkey
While Trojan.Poweliks is unusual in how it resides on a computer, it arrives through more common methods, such as malicious spam emails and exploit kits. Once on the compromised computer, Trojan.Poweliks can receive commands from the remote attacker.
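Because the threat persists as registry data rather than as a file on disk, one defensive check is to audit the common autorun registry locations for entries whose command line does not resolve to a program on disk. The script below is an added example, not Symantec's code or a Poweliks-specific signature; the key list and the parsing heuristics are assumptions of the example, not taken from the post.

```powershell
# Added example: flag autorun entries whose program cannot be found on disk.
# Assumption: the well-known Run/RunOnce keys are a sufficient starting set.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds itself; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted path: the program is everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: the first whitespace-delimited token is the program.
    return ($cmd -split '\s+', 2)[0]
}

function Test-Resolvable {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    # Bare program names (e.g. rundll32.exe) resolve through PATH.
    return $null -ne (Get-Command -Name $Path -ErrorAction SilentlyContinue)
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        $exe  = Get-ExecutablePath -Command $data
        if (-not (Test-Resolvable -Path $exe)) {
            # Emit one record per suspicious entry for review.
            [PSCustomObject]@{
                Key    = $key
                Value  = $prop.Name
                Data   = $data
                Reason = 'program not found on disk'
            }
        }
    }
}
```

An entry that launches a legitimate host program with inline script arguments will still resolve, so treat this as a first pass and review the full command line of every autorun entry, not only the flagged ones.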
Poweliks has reportedly been delivered through malicious spam emails that claim to be a missed package delivery from the Canadian Post or the US Postal Service (USPS).
That was inevitable, this is happening. Fileless Poweliks meets Fileless Angler EK thread. Combo! pic.twitter.com/5mobHrlt27 — kafeine (@kafeine) September 26, 2014
In addition to the malicious spam runs, Poweliks can also be delivered through exploit kits. According to researcher Kafeine, the Angler exploit kit has been observed distributing Poweliks since September 2014.
Symantec continues to investigate and will provide more details as they become available.
Symantec protection
Symantec has the following detections for Poweliks and associated vectors:
Antivirus
Intrusion prevention
Update – November 7, 2014:
To manually remove Trojan.Poweliks, please follow these steps:
Update – November 10, 2014:
To automatically remove Trojan.Poweliks, please follow these steps: