DarkMegi rootkit - sample (distributed via Blackhole) Archived: 2026-04-05 17:29:22 UTC Update April 20, 2012 Kimberly wrote an excellent analysis of this sample. Please go to Stopmalvertising to read This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just like described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post. Indeed, it drops the rootkit components in drivers with the incredible padding to 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all files that this malware creates so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share,  I will link to. Size: 77312 MD5:  6C8F9658A390C24A9F4551DC15063927 Download Download  (email me if you need the password scheme)   Download the modified / created files and analysis data Download pcap C:\Windows\System32\drivers\com32.sys                9728           4399b8a60977814197feae67c02a7ac2 http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 1 of 6 C:\Windows\System32\drivers\RCX50E3.tmp        26224256    9f32c51764f579512810b7ab3de1a91a C:\Windows\System32\drivers\com32.sys              26224256     dd313b92f60bb66d3d613bc49c1ef35e C:\Windows\System32\com32.dl                           45056            25cfb72df8a30cbb7e6ee852bc31c50f C:\Windows\System32\RCX5B11.tmp                   31506432     2f00e0927c07bc44d9b79ccbe567f398 C:\Windows\System32\del043.bat                          86               1a1e7855edc0afa6624080d60da8bf44 Traffic It is as active as a click fraud or DDoS bot but does not fit these categories. I am not quite sure what it is doing, please look and us know :) http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 2 of 6 Some of the traffic [process 8] 65.55.253.27 192.168.254.192 GET /c.gif?evt=br&rid=4571d83250544049bfc2ee88060f6bc8 &exa=&cts=1334748967640&expac=&fk=W&gp=P&optkey=de fault&clid=23A3C63D37E16EEA2397C50633E16E45&cp=def ault&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT 3Wdefault&pid=6901517&su=http%3A%2F%2Fwww.msn.com% 2Fdefaultwpe3w.aspx&pageid=690151710&ce=1&hl=cplus &cm=head%3Ecb1 [process 8] 65.54.81.211 192.168.254.192 GET /i/87/DEC3F3D671E6CC76B09340612A38.jpg [process 8] 207.46.193.176 192.168.254.192 GET /action/MSN_Homepage_Remessaging_111808/nc?a=1 [process 8] 207.46.193.176 192.168.254.192 none [process 8] 208.44.23.25 192.168.254.192 none [process 8] 208.44.23.25 192.168.254.192 GET /b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F% 3Focid%3Diehp&c9=&rn=1334748958175 http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 3 of 6 [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768 [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768&MUID=23A3C63D37E16EEA2397C5063 3E16E45&cb=1cd1d576b2f13a0 [process 8] 65.54.81.211 192.168.254.192 GET /i/5E/4B835E56AC3C8535DB16275B4BAF4.jpg [process 8] 65.54.80.242 192.168.254.192 GET /i/BB/756A1C963A72E4AFBC36501B512725.jpg [process 8] 65.54.81.211 192.168.254.192 GET /i/E2/F757C6DFF15796123FA81CF7DCCF.jpg [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768&RedC=c.msn.com&MXFR=23A3C63D37 E16EEA2397C50633E16E45 [process 8] 65.55.239.146 192.168.254.192 none [process 8] 23.66.231.58 192.168.254.192 GET /qsonhs.aspx?form=MSN005&q= [process 8] 23.66.231.58 192.168.254.192 none [process 8] 65.54.81.185 192.168.254.192 GET /CIS/77/000/000/000/028/440.swf?fd=www.msn.com [process 8] 65.54.81.185 192.168.254.192 GET /CIS/18/000/000/000/024/175.jpg Automatic scans Virustotal SHA256:     a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 4 of 6 SHA1:     c1af1fa6937097762824d0db039777ff35577727 MD5:     6c8f9658a390c24a9f4551dc15063927 File size:     75.5 KB ( 77312 bytes ) File name:     DarkMegiSample File type:     Win32 EXE Tags:     yoda yodaprot Detection ratio:     34 / 42 Analysis date:     2012-04-17 08:22:42 UTC ( 1 day, 3 hours ago ) More details Antivirus     Result     Update AhnLab-V3     Dropper/Rootkit.77312     20120417 AntiVir     HEUR/Crypted     20120417 Antiy-AVL     Trojan/Win32.Agent.gen     20120417 Avast     Win32:Malware-gen     20120417 AVG     PSW.Agent.ASED     20120417 BitDefender     Trojan.Generic.KDV.503006     20120417 ByteHero     -     20120417 CAT-QuickHeal     TrojanSpy.Agent.bwtk     20120417 ClamAV     PUA.Packed.YodaProt     20120417 Commtouch     W32/Heuristic-210!Eldorado     20120417 Comodo     TrojWare.Win32.TrojanDownloader.Agent.accn     20120417 DrWeb     Trojan.PWS.Gamania.34539     20120417 Emsisoft     Trojan.SuspectCRC!IK     20120417 eSafe     Suspicious File     20120415 eTrust-Vet     -     20120417 F-Prot     W32/Heuristic-210!Eldorado     20120416 F-Secure     Trojan.Generic.KDV.503006     20120417 Fortinet     W32/Agent.BWTK!tr     20120417 GData     Trojan.Generic.KDV.503006     20120417 Ikarus     Trojan.SuspectCRC     20120417 Jiangmin     TrojanSpy.Agent.uzc     20120417 K7AntiVirus     Riskware     20120416 Kaspersky     Trojan-Spy.Win32.Agent.bwtk     20120417 McAfee     Artemis!6C8F9658A390     20120416 McAfee-GW-Edition     -     20120417 Microsoft     Trojan:Win32/Meredrop     20120417 NOD32     a variant of Win32/CsNowDown.C     20120417 Norman     W32/Troj_Generic.ASBJ     20120416 nProtect     Trojan/W32.Agent.77312.VC     20120417 Panda     Generic Trojan     20120416 PCTools     Downloader.Darkmegi     20120417 Sophos     Mal/Packer     20120417 http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 5 of 6 SUPERAntiSpyware     -     20120402 Symantec     Downloader.Darkmegi     20120417 TrendMicro     Cryp_Yodap     20120417 TrendMicro-HouseCall     Cryp_Yodap     20120417 VBA32     TrojanSpy.Agent.bwtk     20120416 VIPRE     Trojan-Spy.Win32.Agent Source: http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html Page 6 of 6 Download the Download pcap modified / created files and analysis data C:\Windows\System32\drivers\com32.sys 9728 4399b8a60977814197feae67c02a7ac2 Page 1 of 6