01.21.15

“Je suis Charlie” is also used by cyber criminals!

In our previous blogs we mentioned that cyber criminals keep using newsworthy events as social engineering lures to spread their attacks.

Almost every widely publicized event has been used to run malicious attacks and scams.

The events cyber criminals like to use most are tragic ones, such as terrorist attacks.


The “Boston marathon bombing”, for example, was used to run exploits while the victim watched videos.

Now the Charlie Hebdo tragedy in France is also being used as a cyber threat lure.

This time, a new variant of the “Win32/DarkKomet Trojan” was distributed on Twitter (social network) using the “#JeSuisCharlie” hashtag.

Malicious links that deliver the Trojan are posted under this hashtag.

Here are the technical details of this Trojan:

Win32/DarkKomet.C

  • What is it?


Win32/DarkKomet.C is a backdoor Trojan that attempts to send stolen data from the infected computer to a remote server.

It enables the malware's author to send, receive, and delete files on the computer.

It steals sensitive information and passwords stored on the computer or in the browsers.

It has an icon like the one in the picture above.

When Win32/DarkKomet.C first runs, the following image appears:


  • What are other names for it?

Trojan.GenericKD.1928282

Trojan.DL.Waski!

Trojan.Win32.Staser.aEz

Win32/TrojanDownloader.Waski.F

Trojan.Win32.Staser

Trojan.Win32.Staser.aojk

VirTool:Win32/Injector

 

  • How did I get it?

Win32/DarkKomet.C can be picked up while downloading various peer-to-peer (P2P) and file-sharing programs. This is a security risk that can leave the computer susceptible to malware infections, remote attacks, exposure of personal information, and identity theft.

  • How does this virus affect my computer?

Win32/DarkKomet.C Trojan copies itself to strategic places, drops other files, modifies registry values and keys and attempts to access remote servers.

The modifications in detail:

Win32/DarkKomet.C copies itself under a random name:

For example:

In directory: %Documents and Settings%\%UserName%\Local Settings\Temp

File name: “svchost.exe”

 

Win32/DarkKomet.C drops the following files under random names:

In directory: %Documents and Settings%\%UserName%\Cookies

File name: “index.dat”

 

In directory: %Documents and Settings%\%UserName%\Application Data

File name: “4763869.bat”

 

Note: %Documents and Settings% is a variable location and refers to the current user’s Documents and Settings folder. The malware determines the location of the current Documents and Settings folder by querying the operating system. A typical location for this folder would be: C:\Documents and Settings.

 

Win32/DarkKomet.C makes the following registry modifications to lower the computer's Internet security:

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings

Sets value: “MigrateProxy”

With data: “1”

 

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings

Sets value: “ProxyEnable”

With data: “0”

 

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

Sets value: “ProxyByPass”

With data: “1”

 

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

Sets value: “InternetName”

With data: “1”

 

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

Sets value: “UNCAsIntranet”

With data: “1”

 

In registry subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

Sets value: “AutoDetect”

With data: “1”

 

Network Behavior:

Win32/DarkKomet.C tries to get access to the following:

90.96.77.57 Port 1500
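As an added example, not code from the original post or from Total Defense, the following PowerShell script checks a host for the indicators listed above: the dropped files, the six Internet Settings registry values, and a live connection to the listed address and port. It assumes a modern Windows host with PowerShell 3 or later (for Get-NetTCPConnection), maps the XP-era %Documents and Settings% paths onto $env:TEMP, $env:USERPROFILE\Cookies and $env:APPDATA, and spells the ZoneMap value UNCAsIntranet, its standard spelling.

```powershell
# Added example: host check for the Win32/DarkKomet.C indicators listed in the post.
# Assumptions: modern Windows, PowerShell 3+ (Get-NetTCPConnection), and the XP-era
# profile paths from the post mapped onto $env:TEMP, $env:USERPROFILE and $env:APPDATA.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped files. The post says names are random; these are the observed ones.
#    svchost.exe outside %SystemRoot%\System32 is a strong signal on its own.
$files = @(
    (Join-Path $env:TEMP 'svchost.exe'),
    (Join-Path $env:USERPROFILE 'Cookies\index.dat'),   # weak: a legitimate IE file on XP
    (Join-Path $env:APPDATA '4763869.bat')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Internet Settings values the post lists. Some (ProxyEnable=0, AutoDetect=1) are
#    common defaults, so treat registry hits as corroboration rather than proof.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$checks = @(
    @{ Path = $inet;           Name = 'MigrateProxy';  Data = 1 },
    @{ Path = $inet;           Name = 'ProxyEnable';   Data = 0 },
    @{ Path = "$inet\ZoneMap"; Name = 'ProxyByPass';   Data = 1 },
    @{ Path = "$inet\ZoneMap"; Name = 'InternetName';  Data = 1 },  # value name as given in the post
    @{ Path = "$inet\ZoneMap"; Name = 'UNCAsIntranet'; Data = 1 },
    @{ Path = "$inet\ZoneMap"; Name = 'AutoDetect';    Data = 1 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)
    if ($null -ne $v -and [int]$v -eq $c.Data) {
        $findings += "Registry: $($c.Path)\$($c.Name) = $v"
    }
}

# 3. Live TCP connection to the address and port the post names (strong signal).
$c2 = Get-NetTCPConnection -RemoteAddress '90.96.77.57' -RemotePort 1500
if ($c2) {
    $findings += "Network: connection to 90.96.77.57:1500 from PID $($c2.OwningProcess -join ',')"
}

if ($findings.Count -eq 0) { 'No Win32/DarkKomet.C indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated PowerShell session so that process ownership of the connection can be read; a file or network hit warrants isolating the host and collecting the binary for analysis, while registry-only hits should be confirmed against the machine's normal proxy configuration.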

 

  • What should I do next?

The comprehensive Total Defense Anti-Virus solution offers integrated virus and spyware combating capabilities, guarding your PC from worms, Trojans, and other malware that can slow down or even damage your PC.

You can contact our research team at “virus@totaldefenselabs.com” for a full analysis and other information.

In any case, we advise you to visit our website and check the various protection applications at www.totaldefense.com.