DarkComet Rat

I was just reading www.raymond.cc and saw a post about an infection by DarkCometRat. The author of the program has written a removal program to scan your system for any infection. I scanned my system and sure enough it says I am infected.
Is this something new that avast should be concerned about?
Should I trust the scan.
I have always trusted www.raymond.cc in the past.

http://www.raymond.cc/blog/detect-remove-darkcomet-rat-malware-syrian-government/
http://www.darkcomet-rat.com/dcremover.dc

if you suspect you are infected, follow this guide and attach logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

What infection did the program say you had. Did you run it normally or as administrator?

Please see my thread regarding this issue on the Raymond.cc forum:

http://www.raymond.cc/forum/spyware-viruses/33219-dark-comet-remover-tool-security-center-disabled-infection.html

I read the some blog and even though I’ve never installed Darkcomet, I decided to use the tool. Running it normally produced no infection. However, when I ran it as administrator, it said I had something called a “security center disabler” infection. Perhaps the techs at Avast could download the tool and run it as administrator and see if they come up with the same conclusion. The download link for the tool is in the first post. What I did notice is that there are override keys for Antivirus, Antimalware, and the Firewall in my registry similar to this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntivirusOverride!=dword:0

My Windows security center service is running. Could this be a false positive? I’ve read on the Spybot forum that these keys appear when one loads their own security programs. Could the techs here look at the Darkcomet tool because Avast, Malwarebytes and Superantispyware do not find any infections. Here’s an image of what the Darkcomet remover tool results looked like when run normally and as administrator.

http://i.imgur.com/HSYTW.jpg

As I’ve stated on the Raymond.cc forum, some posters had similar results here:

http://malwaretips.com/Thread-Darkcomet-Remover-Tool

Darkcomet uses an “odd” trick in order to bypass the firewall.It actaully,injects its communication code to a legitimate process,which is IEXPLORE.EXE.It is really easy to understand whether or not you are infected.
Follow these steps:
1)Download process explorer from here http://technet.microsoft.com/en-us/sysinternals/bb896653
2)Open process explorer and under the “process” button,press the “white button” as shown below(highlighted),or simply press CTL+L.Now click on iexplore,now look for the mutants,IF you can identify the backdoor’s mutex,you are probably infected.The backdoor’s mutex is shown below,second highlighted line.

http://img576.imageshack.us/img576/6831/0316121520darkcometan36.png

It is usually called DC-Random numbers etc, for example DC-123F4.Dc stands for DarkComet

Hi Left123,

Thanks for that very valuable info. Just a question. Wouldn’t it be therefore advisable to pre-run it in the sandbox?

polonus

Well yes i guess,i did my tests on a virtual machine.
Another method : Right click on IExplorer.exe>properties>TCP/IP.If you see any connections,i have bad news for you ;D

http://img204.imageshack.us/img204/5219/0316121520darkcometan35.png

Hi Left123,

DarkComet Rat Download site is being associated with unknown_html_RFI_shell and TR/ATRAPS.Gen malware.
See here: http://hosts-file.net/default.asp?s=www.darkcomet-rat.com%2F
classification: EMD
EMD - sites engaged in malware distribution
This classification is assigned to website’s engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) “fake scanners” or other social engineering and misleading tactics. This includes the activities of rogue Internet Service Providers (ISPs) that host other sites to which the EMD classification applies.
Even the remover is not beyond suspicion: https://www.virustotal.com/url/76d538c26639e8ed6a0c5ef2dec39844ab9f4e96ffcde28c037e0ba6bbbe1b75/analysis/1336313749/
See: http://anubis.iseclab.org/?action=result&task_id=1888482bbfa99c39449eda88038c30b59&format=html
What I spotted there at first glance to be suspicious in this analysis:
aspects of ecops_virus like behavior -
unexpected heap corruption issue -
firewall disabling properties via HKLM\​SOFTWARE\​CLASSES\​CLSID\​{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31}\​INPROCSERVER32 %SystemRoot%\​system32\​zipfldr.dll -
UltaSurf Zone Settings -
SPR Fraud ProviderId.

Comodo Instant Malware Analysis could not handle it. Tool gives unexecutable as an AutoAnalysis Verdict.

But given clean here:

htxp://darkcomet-rat.com/downloads/DarkCometRemover.zip redirects to htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip

Checking: htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip
Engine version: 7.0.1.2210
Total virus-finding records: 2837272
File size: 951.90 KB
File MD5: 70fc6e16151a54a04001a60cbac04d1c

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip - archive ZIP

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe packed by FLY-CODE

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe packed by FLY-CODE

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe - archive ZLIB

htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe/data001 - Ok
htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe/data002 - Ok
htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/DarkCometRAT Remover.exe - Ok
hxtp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip/DarkComet Remover/readme.txt - Ok
htxp://www.darkcomet-rat.com/downloads/DarkCometRemover.zip - Ok

polonus