Darkmegi Windows Rootkit Malware Traffic Sample PCAP file download
Darkmegi “drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which gets injected into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files”, Schmugar related.
Once Darkmegi has compromised the operating system, attempts to copy or read protected files are rejected.
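As an added illustration (not from this page, from McAfee, or from the Darkmegi sample itself), the C program below simulates in user mode the ntfs.sys dispatch-table hook described above and the check an anti-rootkit tool runs to find it: every MajorFunction[] entry of a driver object should point inside the image of the driver that owns it. The DriverObject and IRP structures, the routine names, the protected-file matching and the "image" represented as a list of the driver's own routines are hypothetical stand-ins for the kernel ones; the IRP major codes and NTSTATUS values are the real constants.

```c
/* Added example, not Darkmegi's code: user-mode simulation of an IRP
 * dispatch-table hook on a file system driver, plus the detection check. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real values from wdm.h / ntstatus.h */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_CLOSE             0x02
#define IRP_MJ_READ              0x03
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_DENIED     0xC0000022u

typedef struct { uint8_t major; const char *filename; } IRP;   /* hypothetical IRP */
typedef uint32_t (*DispatchFn)(IRP *);

typedef struct {                    /* hypothetical DRIVER_OBJECT: only the table matters */
    const char *name;
    DispatchFn MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DriverObject;

/* ---- simulated ntfs.sys: one routine that accepts every request ---- */
static uint32_t ntfs_dispatch(IRP *irp) { (void)irp; return STATUS_SUCCESS; }
static DriverObject ntfs_driver;

DriverObject *make_ntfs_driver(void) {
    ntfs_driver.name = "ntfs.sys";
    for (int m = 0; m <= IRP_MJ_MAXIMUM_FUNCTION; m++) ntfs_driver.MajorFunction[m] = ntfs_dispatch;
    return &ntfs_driver;
}
/* Routines that legitimately live in the ntfs.sys image. A real check uses the
 * image's [base, base+size) range from the loaded-module list instead. */
static const DispatchFn ntfs_image_routines[] = { ntfs_dispatch };

/* ---- simulated rootkit driver (stands in for com32.sys) ---- */
static DispatchFn saved[IRP_MJ_MAXIMUM_FUNCTION + 1];   /* originals, for pass-through */

static int is_protected_file(const char *path) {        /* case-insensitive basename match */
    const char *base = strrchr(path, '\\');
    base = base ? base + 1 : path;
    const char *names[] = { "com32.dll", "com32.sys" };
    for (size_t i = 0; i < 2; i++) {
        const char *p = names[i], *q = base;
        while (*p && *q && tolower((unsigned char)*p) == tolower((unsigned char)*q)) { p++; q++; }
        if (*p == '\0' && *q == '\0') return 1;
    }
    return 0;
}

static uint32_t rootkit_hook(IRP *irp) {
    if (irp->filename && is_protected_file(irp->filename)) return STATUS_ACCESS_DENIED;
    return saved[irp->major](irp);                       /* everything else passes through */
}

void install_hook(DriverObject *drv) {                   /* overwrite the three table entries */
    const uint8_t targets[] = { IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_DEVICE_CONTROL };
    for (size_t i = 0; i < sizeof targets; i++) {
        uint8_t m = targets[i];
        if (drv->MajorFunction[m] == rootkit_hook) continue;   /* never hook ourselves */
        saved[m] = drv->MajorFunction[m];
        drv->MajorFunction[m] = rootkit_hook;
    }
}

/* What the I/O manager does: route the IRP to the table entry for its major code. */
uint32_t send_irp(DriverObject *drv, uint8_t major, const char *filename) {
    IRP irp = { major, filename };
    return drv->MajorFunction[major](&irp);
}

/* ---- anti-rootkit check: flag entries that point outside the owning image ---- */
int detect_hooks(const DriverObject *drv, const DispatchFn *image, size_t nimage, uint8_t *hooked_out) {
    int count = 0;
    for (int m = 0; m <= IRP_MJ_MAXIMUM_FUNCTION; m++) {
        int inside = 0;
        for (size_t i = 0; i < nimage; i++) if (drv->MajorFunction[m] == image[i]) inside = 1;
        if (!inside) { if (hooked_out) hooked_out[count] = (uint8_t)m; count++; }
    }
    return count;
}
int detect_ntfs_hooks(const DriverObject *drv, uint8_t *hooked_out) {
    return detect_hooks(drv, ntfs_image_routines, 1, hooked_out);
}

int main(void) {
    DriverObject *ntfs = make_ntfs_driver();
    const char *target = "\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\com32.sys"; /* constructed path */
    uint8_t hooked[IRP_MJ_MAXIMUM_FUNCTION + 1];
    printf("clean:  open com32.sys -> 0x%08x, hooked entries: %d\n",
           send_irp(ntfs, IRP_MJ_CREATE, target), detect_ntfs_hooks(ntfs, hooked));
    install_hook(ntfs);
    int n = detect_ntfs_hooks(ntfs, hooked);
    printf("hooked: open com32.sys -> 0x%08x, read (never reached) -> 0x%08x, hooked entries: %d\n",
           send_irp(ntfs, IRP_MJ_CREATE, target), send_irp(ntfs, IRP_MJ_READ, target), n);
    for (int i = 0; i < n; i++) printf("  MajorFunction[0x%02x] points outside ntfs.sys\n", hooked[i]);
    return 0;
}
```

Two points the simulation makes visible: IRP_MJ_READ is left untouched, yet a scanner still cannot read the file, because it must open it (IRP_MJ_CREATE) before it can issue any read, and that open is what the hook refuses; and the detection does not need to know anything about the rootkit, only that a file system driver's dispatch entries must resolve into that driver's own image. Per the page the same check has to be run against fastfat.sys as well, since Darkmegi hooks both.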
In addition, the McAfee researcher explained, the malware pads its files with 25MB of garbage data so that they appear legitimate, since most malware is under 1MB.