Last August, we wrote about POWELIKS, a piece of malware known for hiding its malicious code in a registry entry as part of its evasion tactics. In the newer samples we spotted, detected as TROJ_POWELIKS.B, the malware employs a new autostart mechanism and removes the user's permission to view the registry key's contents. As a result, users have no reason to suspect that their systems are already infected with POWELIKS. This autostart technique is fairly new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that lists all files and registry entries that execute upon Windows startup.

When executed, POWELIKS creates the following registry entry:

[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32] (Default)="rundll32.exe javascript:\\\..\\mshtml,RunHTMLApplication \";eval…….” a=""#@~^XHoAAA=......”

Normally, users will see the following in the Registry Editor:

Figure 1: The created key of Poweliks

Based on the above screenshot, it would seem that the malware isn't present in the registry. However, the POWELIKS code is actually there; the malware hides it by removing the user's permission on that specific registry key.

Figure 2: User’s permission profile

Users can navigate their way around this malware technique and view the registry content by adding the user name or group to the registry key's permission section. This can be done via the following steps:

1. Open Registry Editor.
2. Go to the registry key HKCU\Software\Classes\clsid.
3. On the left panel, right click {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.
4. Highlight the user name.
5. In the "Allow" section, select "Full Control" and "Read" (see Figure 3).
6. Click "OK" to save changes.
7. Close Registry Editor, then open it again to reflect the changes.

Figure 3: Updated user’s permission profile

Once done, the malware will now be visible as shown below:

Figure 4: The visible malware code

When the malware creates an entry in HKCU\SOFTWARE\Classes\CLSID, Windows reflects this entry in HKCR\CLSID as shown below.

Figure 5: The updated HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key

CLSID is not a known autostart entry. So why did the cybercriminals opt to use this registry key and not the typical autostart entries? This CLSID belongs to the Windows thumbnail cache, which Windows calls whenever a thumbnail for any file is needed, whether for images, audio, or other file types. As such, whenever this CLSID is called, Windows executes the entry in HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} to show the thumbnail of the file, and with it the POWELIKS entry stored in this key. This in turn loads POWELIKS every time, as seen in the screenshot below:

Figure 6: POWELIKS uses dllhost.exe to load itself on the system. Each dllhost.exe indicates a running POWELIKS.
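As an added example (not code from the original post or from Trend Micro), the following PowerShell script audits the current user's HKCU\Software\Classes\CLSID key for the two indicators described above: a CLSID subkey the user has been denied permission to read, and a LocalServer32 default value that launches rundll32.exe with a javascript: URL. The function name, the regular expression, and the assumption that a clean system has no per-user copy of the thumbnail-cache CLSID are mine, not the post's.

```powershell
# Added example, not part of the original post. Run in the context of the user being checked.
$ClsidRoot    = 'Software\Classes\CLSID'
$ThumbCacheId = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'            # thumbnail-cache CLSID abused by POWELIKS
# Constructed pattern (assumption): the rundll32 javascript: loader shown in the post's registry entry.
$SuspiciousCmd = 'rundll32\.exe\s+javascript:|mshtml,RunHTMLApplication'

function Test-PoweliksClsid {
    $findings = @()
    $root = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($ClsidRoot)
    if ($null -eq $root) { return $findings }                     # no per-user CLSID key: nothing to inspect

    foreach ($name in $root.GetSubKeyNames()) {
        # Assumption: the thumbnail-cache CLSID is normally registered machine-wide, so a
        # per-user copy is worth a look on its own, whatever it contains.
        if ($name -ieq $ThumbCacheId) {
            $findings += [pscustomobject]@{ Clsid = $name; Reason = 'per-user copy of thumbnail-cache CLSID'; Value = $null }
        }
        try {
            $clsidKey = $root.OpenSubKey($name)                   # throws if read access was stripped (Figure 2)
            $server   = $clsidKey.OpenSubKey('LocalServer32')
            if ($null -ne $server) {
                $cmd = [string]$server.GetValue('')               # (Default) = command line COM will execute
                $server.Close()
                if ($cmd -match $SuspiciousCmd) {
                    $findings += [pscustomobject]@{ Clsid = $name; Reason = 'LocalServer32 runs script via rundll32'; Value = $cmd }
                }
            }
            $clsidKey.Close()
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            # The user cannot read their own CLSID subkey: the permission-removal trick described above.
            $findings += [pscustomobject]@{ Clsid = $name; Reason = 'current user denied read access'; Value = $null }
        }
    }
    $root.Close()
    return $findings
}

$results = Test-PoweliksClsid
if ($results.Count -eq 0) { 'No POWELIKS-style CLSID indicators found under HKCU.' }
else { $results | Format-Table -AutoSize }
```

A hit on "current user denied read access" is the case Autoruns misses; inspect that key after restoring permissions with the steps given above.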

While this threat is continuously evolving, as seen in the new evasion tactic, it can be manually removed from systems via the following steps:

1. Download and execute Microsoft's Process Explorer.
2. Restart in Safe Mode.
3. Select the latest dllhost.exe mother process (see Figure 7).

Figure 7: Terminating the dllhost process

4. Right click and select "Kill Process Tree".
5. Open Registry Editor (Run > regedit.exe).
6. In the left panel, go to HKCU\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.
7. Add permissions to the user (see the instructions on adding permissions above).
8. In the right panel, delete the registry values "Default" and "a". The whole CLSID key cannot be deleted because of the presence of the blank key. If this is successful, the registry should look like this:

Figure 8: Clean registry entries

If these values are recreated, POWELIKS is still running. Repeat step 3 to ensure that no dllhost.exe is still running.

9. Close Registry Editor.

The POWELIKS malware poses serious risks, as its routines prevent it from being detected and removed from systems. In addition, one of its payloads is click fraud. To check whether your systems are infected by this threat, perform the suggested removal actions on your systems. We also recommend that users install security software that can detect such malicious files. Trend Micro protects users from this threat via the Trend Micro Smart Protection Network, which detects the said malware.

The following is the related hash for this threat:

F2E179CB7307DF6190A783D5B72F1905C6F3BA3B - TROJ_POWELIKS.B

With additional analysis from Ohlord Gagto