A forum for reverse engineering, OS internals and malware analysis 

 #24284  by Intimacygel
 Wed Nov 05, 2014 3:31 pm
Anyone have any more dropper samples of this?

They're really hard to find because they delete themselves. My only luck so far was restoring from Norton quarantine on a customer's computer.
 #24342  by rbezio
 Thu Nov 13, 2014 11:06 pm
A colleague of mine had an idea, one which I cannot seem to figure out how to implement. I figure this might be a possible stopgap solution to this infection, seeing as it relies on PowerShell to do all its malicious activities.

His idea - Create a group policy that disables PowerShell. This would in theory prevent the infection from performing its higher level functions. As I understand it, the whole point of the program up until PowerShell is getting PowerShell downloaded/to run, and the heavy lifting is done via PowerShell.

I don't know if you can do group policy changes via a batch file, but assuming you could, this would make it easy to push this change to every computer on your network so that PowerShell is disabled (even when installed).

Thoughts?
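One concrete way to do what the post above proposes, as an added example that is not from the thread or any of its posters: a local AppLocker policy that denies the PowerShell host executables to Everyone. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker and the Application Identity service (AppIDSvc), without which AppLocker rules are not enforced; the rule Ids are GUIDs constructed for this example and only need to be unique. Two caveats a practitioner wants before pushing this anywhere: an enforced rule collection blocks every executable that no Allow rule matches, so the three default Allow rules are included next to the Deny rules (Deny wins over Allow in AppLocker); and because the Deny also covers Administrators, keep a path to revert it that does not go through PowerShell (secpol.msc or the Group Policy editor).

```powershell
# Added example, not from the thread: deny the PowerShell hosts with AppLocker path rules.
# Assumptions: elevated session, an edition that supports AppLocker, AppIDSvc available.
# Rule Ids below are constructed GUIDs; any unique GUID per rule is acceptable.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Deny powershell.exe (64-bit)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Deny powershell.exe (32-bit)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Deny powershell_ise.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" /></Conditions>
    </FilePathRule>
    <!-- Default Allow rules: without these an enforced Exe collection blocks everything else. -->
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-4555-8555-555555555555" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="66666666-6666-4666-8666-666666666666" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$xmlPath = Join-Path $env:TEMP 'deny-powershell.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding Unicode

# Dry run against the policy file: PolicyDecision should read Denied for Everyone,
# and calc.exe (covered by the Windows-folder Allow rule) should read Allowed.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone `
    -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
          "$env:SystemRoot\System32\calc.exe"

# Apply locally, merging with any rules already present rather than replacing them.
# For a domain, import the same XML into a GPO (Set-AppLockerPolicy -Ldap <GPO path>)
# or through the Group Policy editor; the batch-file route from the post is not needed.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# AppLocker only enforces while the Application Identity service runs.
# sc.exe is used because Set-Service cannot change the startup type of this service on newer Windows.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Confirm the effective policy now contains the Deny rules.
(Get-AppLockerPolicy -Effective).RuleCollections |
    Where-Object RuleCollectionType -eq 'Exe' |
    ForEach-Object { $_ } |
    Where-Object Action -eq 'Deny' |
    Select-Object Name, Action
```

A sensible rollout is to set `EnforcementMode="AuditOnly"` first and watch the AppLocker EXE and DLL event log (event 8003 is "would have been blocked" in audit mode; 8004 is an actual block) for legitimate scripts that would break. Path rules are the weakest AppLocker rule type, since a copy of the binary in another location is not matched; publisher rules keyed on the Microsoft signature of powershell.exe hold up better and are the natural next step.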
 #24387  by rinn
 Wed Nov 19, 2014 4:48 am
ithurricane wrote:POWELIKS Levels Up With New Autostart Mechanism

http://blog.trendmicro.com/trendlabs-se ... mechanism/
Hello,

It leveled up in July 2014, just as the second post in this thread mentions. This script-kiddie from TrendMicro, Randall Santos, did nothing but plagiarism again.

Best Regards,
-rin
 #24389  by rnd.usr
 Wed Nov 19, 2014 3:58 pm
Anyone have a sample that is detected as "Poweliks.B"?

Thanks
 #24394  by Cody Johnston
 Fri Nov 21, 2014 1:38 am
rnd.usr wrote:Anyone have a sample that is detected as "Poweliks.B"?

Thanks
Do you have a hash or any more info? Names do not help for searching. Example:

https://www.virustotal.com/en/file/da2d ... /analysis/

2 vendors have "B" in their detection while all others call it "A". Also lol @ that AVG name for it, not useful in any way, and just furthers my point.
 #24399  by Tigzy
 Fri Nov 21, 2014 7:31 am
It leveled up in July 2014, just as the second post in this thread mentions. This script-kiddie from TrendMicro, Randall Santos, did nothing but plagiarism again.
Exactly, that behavior has been there since they removed the RUN key to keep only the CLSID hijack.
Months ago.
 #26062  by PX5
 Wed Jun 10, 2015 11:01 pm
Has anyone seen a newer run of Poweliks droppers?

Seems we have a rash of this crap running about.

Any help, pointers are much appreciated.

--MJ
 #26074  by EP_X0FF
 Sun Jun 14, 2015 6:51 am
PX5 wrote:Has anyone seen a newer run of Poweliks droppers?

Seems we have a rash of this crap running about.

Any help, pointers are much appreciated.

--MJ
If you mean the latest Symantec hype about this, they investigated the variant from July 2014 yet again (slowpoke mode). Just look at the GUIDs in their article. There is nothing new in Poweliks, and clones (Gootkit/Sednit/Phase/Bedep) have surpassed it completely.