[Intimacygel]

Anyone have any more dropper samples of this?

They're really hard to find because they delete themselves. My only luck so far was restoring from Norton quarantine on a customers computer.

[rbezio]

A colleague of mine had an idea, one which I cannot seem to figure out how to implement. I figure this might be a possible stopgap solution to this infection seeing as it relies on Power Shell do to all it's malicious actives.

His idea - Great a group policy that disables Power Shell. This would in theory prevent the infection from performing its higher level functions. As I understand it the whole point of the program up until Power Shell is getting Power Shell downloaded/to run and that the heavy lifting is done via Power Shell.

I don't know if you can do group policy changes via a batch file, but assuming you could, this would make it easy to push this change to every computer on your network so that Power Shell is disabled (even when installed).

Thoughts?

[ithurricane]

POWELIKS Levels Up With New Autostart Mechanism

http://blog.trendmicro.com/trendlabs-se ... mechanism/

[rinn]

POWELIKS Levels Up With New Autostart Mechanism

http://blog.trendmicro.com/trendlabs-se ... mechanism/

Hello,

It levels Up in July 2014 just as second post in this thread mention about. This script-kiddie from TrendMicro Randall Santos did nothing but again plagiarism.

Best Regards,
-rin

[rnd.usr]

Anyone have a sample that is detected as "Poweliks.B"?

Thanks

[Cody Johnston]

Anyone have a sample that is detected as "Poweliks.B"?

Thanks

Do you have a hash or any more info? Names do not help for searching. Example:

https://www.virustotal.com/en/file/da2d ... /analysis/

2 vendors have "B" in their detection while all others call it "A". Also lol @ that AVG name for it, not useful in any way, and just furthers my point.

[Tigzy]

It levels Up in July 2014 just as second post in this thread mention about. This script-kiddie from TrendMicro Randall Santos did nothing but again plagiarism.

Exactly, that behavior is here since they removed the RUN key to keep only CLSID hijack.
Months ago.

[PX5]

Has anyone seen a newer run of Poweliks droppers?

Seems we have a rash of this crap running about.

Any help, pointers are much appreciated.

--MJ

[EP_X0FF]

Has anyone seen a newer run of Poweliks droppers?

Seems we have a rash of this crap running about.

Any help, pointers are much appreciated.

--MJ

If you mean latest Symantec hype about this they investigated variant from july 2014 yet again (slowpoke mode). Just look at GUID's in their article. There is nothing new in Poweliks and clones (Gootkit/Sednit/Phase/Bedep) surpassed it completely.

[Ta!0n]

Attached sample