The DarkComet virus is a piece of malware that is still under development. Test versions of it have already been seen in attacks worldwide. Read our in-depth removal article to find out more about it.
| | DarkComet virus |
|---|---|
| Short Description | A malware strain still in development, currently aimed at computer users worldwide. The captured samples show a screen locker; later versions are expected to add file-encrypting ransomware. |
| Symptoms | Low overall system performance; once the built-in components have finished executing, a lock screen is displayed. |
| Distribution Method | Spam emails, file sharing networks, exploit kits |
DarkComet Virus – Infection Spread
The DarkComet virus code can be embedded into various file types and distributed through several channels; the choice usually depends on the intended targets. At the moment there is no information available about the person or people behind it.
Strains of the virus are being distributed through email messages. The attackers use social engineering to trick users into interacting with the malware. The most common approach is to send hyperlinks that lead to hosted copies of the virus; the messages reuse images and text taken from legitimate sites to look convincing. The other approach is to attach the virus directly to the email. A related mechanism is to bundle the code into carrier payloads such as the following:
- Malicious Documents — The DarkComet virus code can be embedded into various types of documents: presentations, rich text documents and spreadsheets. When the document is opened, the victim is greeted by a notification prompt asking to enable the built-in scripts (macros). If macros are enabled, the malware is downloaded from a remote location and executed on the local system.
- Software Installers — The criminals can embed the DarkComet code into installers for popular applications such as system utilities, creative software and computer games.
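The macro prompt described above only appears because the document carries a VBA project inside it. Modern Office files (.docx, .docm, .xlsm, .pptm) are ZIP containers, so a document can be checked for macros before anyone clicks "Enable Content". The following is an added example, not code from the article or from the malware it describes: it builds two constructed documents in memory (a plain .docx and a macro-enabled .docm whose vbaProject.bin is only an OLE signature, with no real macro code) and inspects them for the macro part and for the content-type declaration Office uses to recognise VBA. Legacy binary .doc/.xls files are not ZIPs and are rejected rather than misjudged; the mention of oletools is a pointer, not a dependency.

```python
import io
import zipfile

# Content type that an OOXML package declares for its VBA macro storage.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Minimal [Content_Types].xml bodies, constructed for this example. Real files
# carry more entries, but the Override for vbaProject.bin is the one that matters.
CT_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
CT_MACRO = CT_CLEAN.replace(
    "</Types>",
    f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>',
)


def build_ooxml(parts):
    """Pack a dict of {part name: str or bytes} into a ZIP container, as Office does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain .docx and a macro-enabled .docm. The vbaProject.bin
# here is just an OLE compound-file signature plus padding; nothing executes.
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": CT_CLEAN,
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": CT_MACRO,
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
})


def find_macro_parts(data):
    """Return the names of macro-bearing parts in an OOXML file ([] if none).

    Two independent signals are checked, because the attacker controls the file:
    a vbaProject.bin part anywhere in the package, and the content-type
    declaration that Office uses to decide a part holds VBA. Legacy binary
    formats (.doc/.xls OLE files) are not ZIPs and need an OLE parser such as
    oletools' olevba, so they are rejected instead of being reported as clean.
    """
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not an OOXML (ZIP) container; inspect with an OLE parser")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        hits.extend(n for n in names if n.lower().endswith("vbaproject.bin"))
        if "[Content_Types].xml" in names:
            ctypes_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes_xml and not hits:
                # The part was renamed but is still declared as VBA: flag the declaration.
                hits.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    return hits


if __name__ == "__main__":
    for label, blob in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM)):
        parts = find_macro_parts(blob)
        print(f"{label}: {'MACROS PRESENT ' + str(parts) if parts else 'no macros'}")
```

A file that reports macros is not necessarily malicious, but a document arriving by email that asks for macros to be enabled and carries a vbaProject.bin part matches exactly the delivery chain described above and should be detonated in a sandbox rather than opened.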
The attackers behind the ongoing campaign can also create fake download portals that impersonate legitimate sites and upload the DarkComet strains to them in their various forms. Other distribution channels include file sharing networks such as BitTorrent trackers and similar P2P software.
Another strategy is to use browser hijackers: malicious browser extensions that redirect users while posing as a useful add-on. They are promoted with elaborate descriptions, fake user reviews and forged developer credentials, and are usually built for the most popular browsers: Mozilla Firefox, Google Chrome, Internet Explorer, Opera, Safari and Microsoft Edge.
DarkComet Virus – Technical Data
The DarkComet virus was recently discovered in an ongoing attack campaign. It appears to be a test build that does not contain code borrowed from the well-known malware families. Follow-up versions may add further modules and components.
Once the infection is on the victim's computer, we expect an information gathering step to run. Such a component is usually programmed to extract data that falls into two groups:
- Personal Data — The engine harvests strings related to the victim's identity: name, address, geolocation, interests, passwords and account credentials.
- Anonymous Metrics — The DarkComet virus also retrieves data used for statistical purposes, such as the date and time of infection, the installed hardware components and certain operating system values.
Using the gathered data the malware can run a stealth protection component intended to bypass anti-virus products, sandbox environments and other software that could interfere with its execution. Advanced strains can also delete themselves to evade detection.
The next step is to make system changes, ranging from minor tweaks to critical operating system modifications that leave the system unusable. Several areas can be affected:
- Data Recovery — The malware can delete all Shadow Volume Copies it finds, which severely hampers data recovery. In such cases the victims have to rely on a professional recovery solution; refer to the instructions below.
- Windows Registry — The virus can modify entries in the Windows Registry. Changes to the entries of installed applications can break their execution; if operating-system entries are affected, overall performance can suffer.
- Boot Options — The virus can tamper with the boot configuration and remove the ability to reach the recovery startup menu.
The DarkComet virus has been found to contain a batch script that can contact a hacker-controlled server. Such connections can be used to deliver payloads or to control the malware in the manner of a Trojan.
Follow-up versions can also be bundled with additional malware.
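The shadow copy deletion and boot option tampering listed above, driven from a batch script, leave a recognisable trace in process-creation telemetry. The following is an added detection example and is not code from the article or from the sample it describes. The article does not say which commands this strain uses, so the rules assume the standard Windows tools that ransomware typically invokes for these two effects (vssadmin and wmic shadowcopy for Shadow Volume Copies, bcdedit for the recovery menu and boot status policy); a batch-script parent running from a user-writable directory, matching the batch script mentioned above, is treated as an extra signal. The log records are constructed in the shape of Sysmon Event ID 1 fields and are not from a real host.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields).
# Made up for this example, not captured from a real DarkComet infection.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\stage.bat",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\stage.bat",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\stage.bat",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\stage.bat",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Routine administration that must not fire.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /enum"},
]

# Command-line patterns for the two areas the article names. Assumed tooling:
# the article does not state which commands the sample actually runs.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_menu_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

SCRIPT_EXT = (".bat", ".cmd")
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\windows\temp")


def script_parent(event):
    """True when the parent is a batch script running from a user-writable directory."""
    parent = event["ParentImage"].lower()
    return parent.endswith(SCRIPT_EXT) and any(d in parent for d in USER_WRITABLE)


def triage(events):
    """Apply RULES to each event's command line; return one finding per matched rule."""
    findings = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["CommandLine"]):
                findings.append({"rule": name,
                                 "script_parent": script_parent(e),
                                 "cmdline": e["CommandLine"]})
    return findings


def verdict(findings):
    """Escalate on the combination, not on single hits: administrators run vssadmin
    and bcdedit by hand, but shadow-copy deletion together with recovery tampering
    is the pattern that destroys the victim's recovery options."""
    rules = {f["rule"] for f in findings}
    recovery_tampered = bool(rules & {"recovery_menu_disabled", "boot_failures_ignored"})
    if "shadow_copy_deletion" in rules and recovery_tampered:
        return "critical"
    if rules:
        return "review"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:24} script_parent={f['script_parent']}  {f['cmdline']}")
    print("verdict:", verdict(found))
```

The same rules can be fed from a real Sysmon or EDR export by mapping its ParentImage and CommandLine fields onto the dictionaries above; the combination logic in verdict() is what keeps a single "vssadmin list shadows" from paging anyone.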
Once all predefined behavior has completed, a screen locker is launched which reads the following:
Your PC has been Hacked by CryptL0cker
Your PC has been infected by Crptol0cker.
Your Security is not good.
Click on Decrypt to Decrypt your PC from CryptL0cker.
You must type in a Key to become the Key send a -Email to: [email protected]
The captured samples so far do not provide a working lock screen, so the application window can be closed safely without any consequences.
Updated versions of the DarkComet virus may also come with a ransomware component that encrypts sensitive user data and extorts the victims for a fee.
Remove DarkComet Virus and Restore Your Files
If your computer has been compromised by the DarkComet ransomware virus, you should have some experience with removing malware before tampering with it. Get rid of it quickly, before it can spread further on the network or encrypt more files. The recommended action is to remove it completely by following the step-by-step instructions below.