From what they say it's executing a "Set-Property" on a few things under HKCU, so that likely doesn't require Administrative rights. It looks like the worm uses an executable to trigger PowerShell and execute the script, so it likely invokes it with a session-specific execution policy of "Unrestricted".
DAMIEN SOLODOW
Systems Engineer
317.447.6033 (office)
317.447.6014 (fax)
HARRISON COLLEGE

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rod Trent
Sent: Friday, March 28, 2014 2:47 PM
To: [email protected]
Subject: RE: [NTSysADM] This is a new and interesting one (to me, anyway)

One thing I'm not sure on in that... PowerShell runs in two modes, just like other apps and services: logged-on user and administrative user. They never mention in that article whether or not administrative rights are required for the malware to make those changes.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Friday, March 28, 2014 2:10 PM
To: [email protected]
Subject: Re: [NTSysADM] This is a new and interesting one (to me, anyway)

Very interesting, but not hugely surprising. A ubiquitous and very powerful scripting language is bound to be abused, and it's going to be difficult to guard against, especially for those with admin privileges.

Kurt

On Fri, Mar 28, 2014 at 10:22 AM, James Rankin <[email protected]> wrote:
> http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/
>
> --
> James Rankin
> ---------------------
> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
> http://appsensebigot.blogspot.co.uk
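The two questions the thread raises (does a Set-ItemProperty under HKCU need elevation, and can a launcher give its child powershell.exe its own execution policy) can be checked directly. The script below is an added example, not code from the thread or from the Trend Micro write-up it discusses. It assumes Windows PowerShell on a UAC-enabled machine; the registry key name is made up for the probe and is removed afterwards.

```powershell
# Added example (not from the thread). Probes whether writes under HKCU and
# HKLM succeed in the current session, then shows that a child powershell.exe
# started with -ExecutionPolicy gets a Process-scope policy of its own.
# The key path 'ExecPolicyProbe' is invented for this test.

function Test-IsElevated {
    # $true only when the token carries the Administrators group as enabled,
    # i.e. an elevated (UAC-approved) session, not merely an admin account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryWrite {
    # Returns $true if the value could be created, $false if access was denied.
    param([string]$Path, [string]$Name, [string]$Value)
    try {
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction Stop
        return $true
    } catch {
        Write-Verbose "$Path\$Name : $($_.Exception.Message)"
        return $false
    }
}

$probes = @(
    @{ Hive = 'HKCU'; Path = 'HKCU:\Software\ExecPolicyProbe' }
    @{ Hive = 'HKLM'; Path = 'HKLM:\SOFTWARE\ExecPolicyProbe' }
)

"Elevated session: $(Test-IsElevated)"
foreach ($p in $probes) {
    $ok = Test-RegistryWrite -Path $p.Path -Name 'Marker' -Value (Get-Date -Format o)
    "{0,-4} write: {1}" -f $p.Hive, $(if ($ok) { 'succeeded' } else { 'denied' })
    if ($ok) { Remove-Item -Path $p.Path -Recurse -Force -ErrorAction SilentlyContinue }
}

# Execution policy is resolved per scope. The -ExecutionPolicy switch on the
# command line sets only the child's Process scope, which takes precedence over
# CurrentUser and LocalMachine without modifying either of them.
Get-ExecutionPolicy -List | Format-Table -AutoSize
$childPolicy = & powershell.exe -NoProfile -ExecutionPolicy Bypass `
    -Command 'Get-ExecutionPolicy -Scope Process'
"Child process policy: $childPolicy (parent effective policy: $(Get-ExecutionPolicy))"
```

Run it twice, once from a normal shell and once from an elevated one: the HKCU write succeeds in both, the HKLM write only in the elevated one, which is the distinction Rod is asking about, and a local-admin account that has not passed the UAC prompt behaves like a standard user for the HKLM probe. The second half shows why a launcher executable defeats a Restricted or AllSigned machine policy: the child reports Bypass for its Process scope while the parent's effective policy is unchanged. Microsoft documents execution policy as a safety feature rather than a security boundary, so the practical control is logging, not the policy itself; with process command-line auditing enabled, the `-ExecutionPolicy Bypass` (or `Unrestricted`) argument appears in the 4688 event for the spawned powershell.exe.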

