Backdoor.Win32.DarkKomet

Malware in this family consists of DarkComet, a program designed for remotely controlling or administering a victim computer. The connection parameters are encrypted in the program’s executable class=”most_attacked_countries”.

The program performs the following functions:

• Obtaining information about the infected computer.
• Controlling processes.
• Interpreting commands sent remotely.
• Obtaining a list of windows.
• Providing remote desktop access.
• Deleting programs.
• Managing system services.
• Modifying the system registry.
• Running JavaScript / VBScript scripts sent remotely.
• Modifying files via the built-in file manager.
• Capturing video and audio from a webcam or microphone.
• Saving keystrokes to a file (keystroke information is not encrypted and is stored in the folder %APPDATA%dclogs in files with the name format YY-MM-DD.dc).
• Acting as a SOCKS proxy server.
• Redirecting IP addresses and ports.
• Capturing clipboard contents.
• Shutting off and restarting the operating system.
• Downloading, sending, and running files.
• Sending keystroke logs to a remote FTP server.

Top 10 countries with most attacked users (% of total attacks)

* Percentage among all unique Kaspersky users worldwide who were attacked by this malware