Can a malware power on a computer?
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
So:
- there is RTC powerup hardware support, or more (integrated management systems, common on enterprise computers)
- the malware must already have taken control of the system, since RTC functions usually require administrator/root level access.
- RTC powerup HW support not present, or not used:
- if the malware has taken control of the system, it can have replaced the shutdown procedure with a mere going into sleep, and set up things to exit sleep mode at a later time.
But did either of these options happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them. They usually go with the third and easiest option:
- some of the usual automatic power-up or logon sequences (autoexec, boot scripts, scheduled tasks, run services and so on) is subverted so that additional code, namely, the malware, is silently run.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8)
system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.