TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.

Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.

As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.

On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).

Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.

Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.

But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.

For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.

As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).

What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.

The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).

If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.

As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).

Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.

A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.

But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.

There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.

See Forests excellent answer on how this can happen.

https://security.stackexchange.com/a/180107/121894

Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.

The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.

Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.

A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :

1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.




2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.