Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Introducing myself - Powermet virus

  • Please log in to reply
1 reply to this topic

#1 resolute1


  • Members
  • 1 posts
  • Local time:04:29 AM

Posted 24 August 2017 - 08:24 PM

Just an office drone in Canada. Posting here, and trust that the powers that be will put the item into the proper forum as the reply it is intended to be:


We had the same problem re Behavior:Win32/Powermet.B!attk these last couple of days. Showed up out of no where (though we had been experiencing a Mirai malware -- both things being caught by Windows Defender (we run Windows 10 Pro).


The Powermet behaviour was experienced as a quickly vanishing command.com window appearing about 2 seconds (on our system) after logging in to a user account. Followed by Windows Defender identifying and quarantining the threat.


With help of an article about options for automatically starting programs in Windows after login, we were able to trace the item to a registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]. With an entry pointing to a 123.bat file in the windows/system32/wbem folder in our case (your location is probably different). That registry location is the location for automatically starting programs, though one should also check in the Startup folder and also using msconfig.


Among other things, the bat file invokes a small-sized command console; invokes the cacsl command over certain dll files [having to do with security considerations]; makes the bat file itself a system file and hidden; and then invokes a regsvr32 process pointing to an outside server [to run a particular program there]. (I saw a post on a Microsoft forum this morning re Powermet, with a different website being used -- not surprisingly, perhaps.)


We deleted the registry key and the related bat file, which got rid of the command window behaviour and Windows Defender running on login.


Scanning the bat file itself with an antivirus program did not produce a warning.






BC AdBot (Login to Remove)


#2 JoshRoss


  • Members
  • 88 posts
  • Gender:Male
  • Location:United States
  • Local time:04:29 AM

Posted 25 August 2017 - 06:46 AM

Thanks for the insight. Mirai is a botnet malware. Adds back doors to attempt and add the PC to its botnet network for future use. Glad you managed to sort it out and thanks for the insightful description.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users