Saturday, September 27, 2014

Poweliks - Not your Father's Everyday PC Virus!!

Big SVCHOST.EXE process? "Host Process" crashes? Maybe POWELIKS is present

It's been a long time since I posted here, mostly because the Subversion migration project I was working before was essentially abandoned. But this week, I opted to restart this effort due to a particularly nasty first-hand experience I've had with a *really* nasty "second generation" virus called Poweliks.

As a software developer by trade and focused on Windows of paycheck necessity, you learn to deal with virus risks. In that time, I've learned to find and rid myself of most "normal" viruses with a few good tools and some experienced observation. But not this time.

My machine had been acting strangely for a few weeks - strange in ways that made me suspect a virus - but every online and CD-based external diagnostic tool I fired found nothing. Then, last night, still convinced something was awry, the FARBAR recovery/scan tool found the gremlin - called "POWELIKS!"

Given it's relative youth "in the wild," I thought I'd post at least a general summary of what I've found about this nasty beast, and give some folks a starting point in dealing with it. I hope its helpful.

This is not your run-of-the-mill virus!


Poweliks is *not* your everyday virus that drops a few hard-to-find files in a few hard-to-find locations, or hooks into Internet Explorer as an unwanted toolbar or add-in. Poweriks is what could be thought of as a "second-generation" virus that drops not one single file on your local machine - but rather embeds itself in the Windows registry as an obfuscated hunk of Javascript malware.

After attaching itself to your Windows startup via a nearly impossible to remove addition to the "Run" key options in the Windows registry, Poweliks starts up by firing the malevolent Javascript, then injecting the concealed executable code into an existing Windows process, such as svchost.exe, where it runs undetected and unmolested.

This makes Poweliks dangerous and nasty for multiple reasons. First, the fact that it carries no immediately detectable payload means that it is virtually invisible to nearly all conventional antivirus tools. Second, as it is running, it carries no typical viral signature that many if not most antivirus products are designed to detect. Thirdly, the information about Poweliks suggests its designed to open remote channels to servers in Russia for the remote delivery of payloads that could do next to anything.


Do I have Poweliks?


The symptoms of something being wrong with my laptop were fairly simple. Initially, I started noticing my laptop beginning to run s-l-o-w-l-y. Then, there began a regular series of "Host Process for Windows has stopped working" application crashes, mapping back to either MSHTML.DLL or IEFRAME.DLL. Additionally, my trusty Avira kept detecting HTML malware infections of "Rce.Gen" in various HTML files being created when no Internet browser was even running. Lastly, I noticed that the memory footprint of at least one svchost.exe process would skyrocket to as much as 2GB - even more at times - for no decent reason. Something was not right. At all.

I spent the better part of a day with various rescue tools and self-booting Linux-based repair CD's trying to find the source of my then-unknown problem. None of the tools I used noticed Poweliks. That's the scary part of this - Poweliks is, apparently, so new that most antivirus vendors have not yet caught up with it, meaning that lots of computers out there could be infected with it. Only a few bloggers and vendors have created tools that can start to deal with Poweliks.

What to do?!?


If you suspect a viral infection, but your antivirus tool doesn't show a problem, check out the FARBAR scan and recovery tool at Bleeping Computer. This tool will scan for a variety of rootkits and other malware, but it can also detect Poweliks. That's how I found it. Once FARBAR runs, review its logs files and see if it finds a "Poweliks!" signature hiding in your registry.

If you find Poweliks, go grab a copy of RogueKiller, from Adlice Software. This little gem is capable of targeting Poweliks and (hopefully) killing its roots, but its author is (as of this writing) updating it to find and kill variants he's already discovered. Mind you - this is not a tool for the faint-hearted. It will kill processes it recognizes as malevolent, then list in various tabs other system characteristics that may be indicative of a virus, but may be OK. It does a good job of making a basic assessment of which is which by coding entries in red (almost certainly bad news), orange (may or may not be bad news), or green (almost certainly OK). Highlight the entries, and hit the "Delete" button, and inspect the results. There's a forum with all manner of tutorials and info about using RogueKiller to rid yourself of Poweliks.

If you're feeling adventurous, you may be able to delete some of the core registry entries for Poweliks yourself. Doing so isn't possible using the conventional Windows registry editor, because the Poweliks dropper embeds a NULL value into the key name that conceals the evil payload, meaning that the standard API's used to handle the registry won't be able to find or delete it for you. To solve this part of the problem, go pick up a copy of yet another fantastic SysInternals tool called RegDelNull, which will search your various registry hives for entries with null elements and delete them.

Summary


Everything I've read in the last few days about Poweliks suggests to me that it is a new kind of virus, one we must all be aware of. While many current antivirus vendors haven't yet caught up to it, some have, and as Powerliks (and others like it) become more prevalent, they'll surely have to. I hope this rather quickly assembled batch of information and links can help you at least get started in the unfortunate event you've found yourself bitten by Poweliks. I'll post updated info here as I find it!!