
SANS ISC: "Power Worm" PowerShell based Malware - SANS Internet Storm Center

"Power Worm" PowerShell based Malware

In the past few years one of the major improvements in the Windows environment has been PowerShell. With Unix-style scripting capabilities, automating Windows administration tasks became practical. One of PowerShell's major advantages is that it is supported by most Microsoft products, from MS Office to enterprise-level applications such as MS SharePoint and MS Exchange.

But is it possible to use PowerShell for malicious purposes? Remember Melissa, which was written as an MS Office macro; that was back in 1999, so is the same thing still possible today?

According to Trend Micro [1], a new piece of malware written in PowerShell has been discovered: CRIGENT (aka Power Worm). Trend Micro has detected two malicious files (W97M_CRIGENT.A and X97M_CRIGENT.A). They arrive as an infected Word or Excel file.

The malware downloads and installs Tor and Polipo, then connects to its command-and-control server. It collects information from the user's machine (such as IP address, user account privileges, version, latitude, ...) and sends it to the C&C server. In addition, Power Worm infects other Word/Excel files, disables macro alerts, and downgrades the infected file from .docx/.xlsx to .doc/.xls (the legacy binary formats can carry VBA macros, whereas a plain .docx/.xlsx cannot).
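As an added example (this is not code from the diary or from Trend Micro's report), here is a host-side hunt for the footprint described above: legacy-format .doc/.xls files that carry a VBA project, which is what an infected, downgraded document looks like on disk, plus Tor/Polipo binaries or processes. The search roots, the "modified in the last N days" window, and the temp-file self-check are illustrative assumptions.

```powershell
# Added example (not code from the diary or from Trend Micro's report): a host-side hunt
# for the footprint described above. (1) Legacy-format .doc/.xls files that carry a VBA
# project, the format the worm downgrades infected documents to, since a plain
# .docx/.xlsx cannot hold macros. (2) Tor/Polipo binaries on disk or running.
# The search roots and the "modified in the last N days" window are illustrative assumptions.

function Test-HasVbaProject {
    # OLE compound files store stream names as UTF-16LE directory entries. A document with
    # macros contains a "_VBA_PROJECT" stream (Word: Macros\VBA\_VBA_PROJECT,
    # Excel: _VBA_PROJECT_CUR\VBA\_VBA_PROJECT). Byte-level heuristic, not a full OLE parser.
    param([Parameter(Mandatory)] [string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Genuine OLE files start with D0 CF 11 E0; skip anything else (e.g. a .docx zip renamed to .doc)
    if ($bytes.Length -lt 8) { return $false }
    $oleMagic = [byte[]](0xD0, 0xCF, 0x11, 0xE0)
    for ($i = 0; $i -lt 4; $i++) { if ($bytes[$i] -ne $oleMagic[$i]) { return $false } }
    # Latin-1 maps every byte to exactly one char, so an ordinal string search is a byte search
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $needle = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes('_VBA_PROJECT'))
    return $latin1.GetString($bytes).IndexOf($needle, [System.StringComparison]::Ordinal) -ge 0
}

function Find-MacroLegacyDocs {
    param(
        [string[]] $Roots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),  # assumed roots
        [int] $Days = 7                                                                   # assumed window
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Roots -Recurse -File -Include *.doc, *.xls -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and (Test-HasVbaProject $_.FullName) } |
        Select-Object FullName, LastWriteTime, Length
}

function Find-TorPolipo {
    # The diary says the worm downloads and installs Tor and Polipo; look for both on disk and in memory
    $names = 'tor.exe', 'polipo.exe'
    $onDisk = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'file'; Name = $_.Name; Where = $_.FullName } }
    $running = Get-Process | Where-Object { $names -contains ($_.ProcessName + '.exe') } |
        ForEach-Object { [pscustomobject]@{ Kind = 'process'; Name = $_.ProcessName; Where = "PID $($_.Id)" } }
    @($onDisk) + @($running)
}

# Constructed self-check of the heuristic: a minimal OLE header plus a VBA stream name (not real malware)
$tmp = Join-Path $env:TEMP 'vba-heuristic-check.doc'
$fake = [byte[]]([byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1) + [System.Text.Encoding]::Unicode.GetBytes('_VBA_PROJECT'))
[System.IO.File]::WriteAllBytes($tmp, $fake)
"Constructed sample flagged as macro-bearing: $(Test-HasVbaProject $tmp)"
Remove-Item $tmp

Find-MacroLegacyDocs | Format-Table -AutoSize
Find-TorPolipo      | Format-Table -AutoSize
```

A legitimate macro-enabled legacy document will also be flagged, so treat a hit as a lead to open in a sandbox or hand to an OLE/VBA extractor, not as a verdict. Anything the stream-name check misses (a deliberately obfuscated container) still shows up through the Tor/Polipo and process checks.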

The best way to stop this kind of malware is to keep macros disabled (and leave the macro warning in place) and to never open files from an untrusted source.
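As an added example (not code from the diary or from Trend Micro's report), the following audits the Office Trust Center macro settings that a macro worm has to weaken in order to spread silently, and can pin them through the Policies hive so that neither the user nor a macro can quietly re-enable macros. The registry paths and value meanings are Office's own Trust Center settings; the diary does not say which specific values this worm writes, so the audit checks the resulting state rather than a particular key.

```powershell
# Added example (not code from the diary or from Trend Micro's report). Audits the Office
# Trust Center macro settings that a macro worm must weaken to spread silently, and can pin
# them through the Policies hive so neither the user nor a macro can quietly re-enable macros.
# Registry paths and value meanings are Office's own Trust Center settings; which specific
# values this worm writes is not stated in the diary, so the audit checks the effect.

$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
# 3 = disable except digitally signed, 4 = disable all without notification.
$VbaWarningsMeaning = @{
    1 = 'ENABLE ALL (dangerous)'; 2 = 'disable with notification'
    3 = 'disable unless signed';  4 = 'disable all, no notification'
}

function Get-OfficeMacroSettings {
    foreach ($hive in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
        if (-not (Test-Path $hive)) { continue }
        $scope = if ($hive -like '*Policies*') { 'Policy' } else { 'User' }
        # Version subkeys look like 12.0 (2007), 14.0 (2010), 15.0 (2013), 16.0 (2016+)
        $versions = Get-ChildItem $hive | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object PSChildName
        foreach ($ver in $versions) {
            foreach ($app in $Apps) {
                $key = "$hive\$ver\$app\Security"
                if (-not (Test-Path $key)) { continue }
                $p    = Get-ItemProperty -Path $key
                $warn = $p.VBAWarnings
                $meaning = if ($null -ne $warn) { $VbaWarningsMeaning[[int]$warn] } else { 'not set (Office default: notify)' }
                [pscustomobject]@{
                    Scope       = $scope
                    Version     = $ver
                    App         = $app
                    VBAWarnings = $warn
                    Meaning     = $meaning
                    AccessVBOM  = $p.AccessVBOM   # 1 = macros may read/write other documents' VBA projects
                    Suspicious  = ($warn -eq 1) -or ($p.AccessVBOM -eq 1)
                }
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    # Writes the policy-hive values; a policy value overrides (and greys out) the user's Trust Center choice.
    # If a domain GPO manages these keys it will rewrite them at the next refresh, so set it there instead.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Versions = @('14.0', '15.0', '16.0'))   # assumed: the Office versions present
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            if ($PSCmdlet.ShouldProcess($key, 'Set VBAWarnings=4 (disable all) and AccessVBOM=0')) {
                New-Item -Path $key -Force | Out-Null
                Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
                Set-ItemProperty -Path $key -Name AccessVBOM  -Value 0 -Type DWord
            }
        }
    }
}

Get-OfficeMacroSettings | Format-Table -AutoSize
# Set-OfficeMacroPolicy -WhatIf   # preview the keys that would be written; drop -WhatIf to enforce
```

A row with VBAWarnings = 1 or AccessVBOM = 1 in the User scope is exactly the state a macro worm needs: macros run without a prompt, and a running macro may rewrite the VBA project of other open documents. VBAWarnings = 4 blocks every macro, including legitimate ones; where business macros exist, 3 (signed macros only) is the usual compromise, and the audit output tells you which versions and applications actually need the policy.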



[1] http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/

Basil

56 Posts
ISC Handler
You might want to check the URL on your sources, Basil... oh, and quit composing your WWW in Word :p

"file:///C:/Users/Basil/Documents/powershell%20worm%20diary.docx#_ftnref1" ?
lansalot

18 Posts
Hi,

You may also want to read the excellent analysis that Matt Graeber did:

http://www.exploit-monday.com/2014/04/powerworm-analysis.html
Emin

6 Posts
