Trojan:BAT/Poweliks.A is a detection of a malicious Poweliks Trojan

Trojan:BAT/Poweliks.A is a name of a Trojan[1] horse returned to PC users by an AV-engine. This name can be used interchangeably with the following: Poweliks Trojan, Trojan.Poweliks, Trojan.Poweliks!gm, SONAR.Poweliks!gen1 and similar. The virus stands out from the others since it's is not detectable in the form of a file.[2] It resides in Windows Registry and relies on Watchdog maintenance.
| Name | Trojan:BAT/Poweliks.A |
|---|---|
| Type | Trojan |
| Related to | Poweliks Trojan |
| Also recognized as | TROJ_POWELIKS.A, Trojan.Poweliks.A, Trojan.Win32.Powerliks.a, Trojan:Win32/Powessere, ATrojan.Win32.Powerliks.a |
| Danger level | Medium. Initiates multiple system's changes, but does not harm the system directly. The risk – can infect the system with malware via dangerous ads |
| Download FortectIntego and run a scan in Safe Mode with Networking environment to get rid of Trojan:BAT/Poweliks.A | |
First detected in 2014, the malware mutated in many ways, but most of AV engines are still struggling to detect and immunize it successfully. Trojan:BAT/Poweliks.A malware does not have related files. That's why it's known as Fileless Trojan. Once executed, the malware uses various registry tricks, to name but a few:
- Creates the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”(default)” = “[ENCRYPTED JAVASCRIPT]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”[NON-ASCII STRING]” = “rundll32.exe javascript:\”\..\mshtml,RunHTMLApplication \”;document.write(\”\74script language=jscript.encode>\”+(new%20ActiveXObject(\”WScript.Shell\”)).RegRead(\”HKCU\\software\\microsoft\\windows\\currentversion\\run\\\”)+\”\74/script>\”)”
- Uses a special naming method.
- Hijacks CLSID entries (Class ID, which is a 16-byte value that identifies an individual object). Targets the {FBEB8A05-BEEE-4442-804E-409D6C4515E9}, {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}, and {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} entries in particular. This way, it can run any time the system starts running or when the user of the infected PC opens specific folders;
- Misuses a legitimate rundll32.exe file to execute JavaScipt code, which is further used to compromise data on Windows Registry;
- Installs and runs Watchdog process, which maintains the Trojan and protectsts it from removal. It is capable of recovering the deleted virus instantly.
- Watchdog process also changes access rights to keep Poweliks Trojan undetected under Windows Registry. For this purpose, it uses unprintable characters;
- Builds a wall not to be detected within Registry. Most AV engines fail to remove Trojan:BAT/Poweliks.A virus since they cannot access the LocalServer32 subkey where the payload of the malware roots. For this purpose, it uses 0x06 byte and the 0x08 byte mechanism, which is not recognized as a Unicode printable character. Consequently, the LocalServer32 subkey becomes unreadable.
In short, specialists find it difficult to remove Trojan:BAT/Poweliks.A Trojan due to the intricate performance mechanism it uses. Once the Powerliks gets inside, its payload decrypts targeted values, runs PowerShell scripts to take control over Watchdog process and misuses rundll32.exe file to infect Windows Registry.
Trojan is a malicious cyber infection that can cause serious problems. They are often used for the distribution of ransomware, spyware, and other malware. Thus, NoVirus.uk[3] team urge people to remove Trojan:BAT/Poweliks.A without a delay using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
Nevertheless, this trojan is not the most dangerous infection in the wilds. It's a tool employed by hackers who seek to generate pay-per-fraud activities to increase income from advertising. It is developed in a way to display keyword-based ads. It initiates a fake search by typing in default keywords and the browses for the required URLs. The minimum ads the
Trojan:BAT/Poweliks.A Trojan is requested to load is 3,000 by default, though not a single one will be revealed to the user of the infected PC. However, their content is not being investigated, so there's a high risk of getting infected with ransomware, spyware, keylogger or another severe cyber infection via trojanized invisible ads.

Spam email allows Trojan to circulate on the web since 2014
According to cyber security experts, the file-less Trojan is most frequently distributed via malicious spam email attachments. Typically, they are disclosed in the form of Doc file from a shipping company USPS. It claims to contain package-related information.[4]
In this case, the only way to secure your system from infection is to report such an email as spam and remove it asap. Keep in mind that legitimate companies are not distributing suspicious-looking emails with attachments unless the client is informed about that in advance.
Besides, the virus can use rogue software updates or infected ads to get installed on a target system. Watch out for prompts to update FLV Player, Google Chrome, Flash Player, Java, and similar software.
Remove Trojan:BAT/Poweliks.A from the system and restore Windows Registry easily
Tech-savvy people may find it easy to remove Trojan:BAT/Poweliks.A virus manually at first, but the process is more complicated than it initially might seem. The process requires a careful termination of multiple processes, the removal of the virus, and a restoration of Windows Registry entries.
To initiate Trojan:BAT/Poweliks.A removal successfully, designate this task to a professional anti-virus program, such as FortectIntego or SpyHunterCombo Cleaner. The first program recommended performs as a robust optimization tool. It contains a full database of Windows system's files and is capable of fixing Windows Registry. Thus, we would strongly recommend relying on Reimage.
Was this guide helpful?
Be the first to comment