Trojan.Poweliks first grabbed people's attention in 2014 when it evolved into a registry-based threat. As a registry-based threat, Poweliks does not exist as a file on the compromised computer and instead resides only in the Windows registry. While fileless threats that reside in memory only have been seen before, Poweliks stands out from this crowd because of a persistence mechanism that allows it to remain on the compromised computer even after a restart.

This persistence mechanism is not the only trait that makes Poweliks unique. The Trojan uses other registry tricks, such as a special naming method, to make it difficult for users to find it, and then uses CLSID hijacking to maintain its persistence on the compromised computer. Poweliks will also exploit a zero-day privilege escalation vulnerability to take control of the compromised computer. Furthermore, the threat adds the compromised computer to a click-fraud botnet and forces it to download advertisements without the victim's knowledge.

Symantec took an in-depth look at Poweliks to see how this threat has evolved and how it tries to evade detection by hiding in the registry. The following image can help to explain how it does this:

Poweliks is a fileless threat that uses several techniques to persist solely in the registry. Poweliks uses a legitimate Windows rundll32.exe file (blue outline) to execute JavaScript code (red outline) that has been embedded in the registry subkey itself. The JavaScript code has instructions to read additional data from the registry, which acts as the payload (green outline), and then execute it.

Some of this data is encoded, and after it has been decoded and executed, it installs what we call a Watchdog process. The Watchdog process is used to maintain persistence on the compromised computer. It does this by continuously checking that Poweliks is still running and that its registry subkeys have not been deleted. As the malware is located inside the registry, the Watchdog functionality works to protect this by changing access rights to prevent access, and then uses unprintable characters so registry tools cannot find the keys, even with appropriate permissions. The functionality will reinstate the registry subkeys if the threat has been deleted. Since Poweliks, we have seen these techniques and tactics in use by several other threats, including Trojan.Phase.

The following image demonstrates how Poweliks maintains its persistence on compromised computers:

Figure 2. Poweliks maintains its registry entries to ensure persistence.
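As an added defender's example (not Symantec's code and not part of the original post), here is a small Python check that scans a constructed .reg-style export for two of the traits described above: key or value names containing non-printable characters, and rundll32.exe being used to launch JavaScript stored in registry data. The sample entries, the placeholder CLSID and the assumption that the rundll32.exe JavaScript launch appears as a `javascript:` argument are all inventions of this example.

```python
import re

# Constructed .reg-style export (sample written for this example, not a real Poweliks
# capture; the CLSID is a placeholder). Second Run value: non-printable name + rundll32/JS.
SAMPLE_EXPORT = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="C:\\\\Users\\\\me\\\\OneDrive.exe /background"\n'
    '"\x01\x7f"="rundll32.exe javascript:<encoded script>"\n'
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\localserver32]\n"
    '@="rundll32.exe javascript:<encoded script>"\n'
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# Assumption: the rundll32.exe JavaScript launch appears as a "javascript:" argument.
RUNDLL_JS_RE = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)


def parse_reg_export(text: str) -> list[tuple[str, str, str]]:
    """Parse a minimal .reg export into (key, value_name, data) triples; '@' is the default value."""
    entries, current_key = [], None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current_key is not None:
            name = val_match.group(1) if val_match.group(1) is not None else "(Default)"
            entries.append((current_key, name, val_match.group(3)))
    return entries


def has_unprintable(name: str) -> bool:
    """True if a key or value name contains characters registry tools cannot display."""
    return any(not ch.isprintable() for ch in name)


def find_poweliks_traits(text: str) -> list[dict[str, str]]:
    """Flag entries with non-printable names or rundll32.exe running JavaScript from the registry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if has_unprintable(key) or has_unprintable(name):
            reasons.append("non-printable characters in key/value name")
        if RUNDLL_JS_RE.search(data):
            reasons.append("rundll32.exe executing JavaScript from registry data")
        if reasons:
            findings.append({"key": key, "name": name, "reason": "; ".join(reasons)})
    return findings
```

On a real host the same logic would run over `reg export` output of the Run and CLSID hives, where a name that regedit shows as blank or garbled is the signal the Watchdog's unprintable-character trick relies on.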