A 42-year-old man has been arrested for his involvement in infecting over 2,000 users with the DarkComet remote access trojan (RAT). The culprit was arrested by the Ukrainian police in the city of Lviv, in Western Ukraine.
In a press release, the Ukrainian police said they found a series of significant items related to the DarkComet trojan on the suspect’s computer. These include a modified administrator panel for the RAT, the malware’s installation files and screenshots of infected victims’ computers.
Although the Ukrainian police did not reveal the name of the culprit, they have published step-by-step instructions to help users detect whether they have been infected by the DarkComet trojan.
The instructions are as follows:
- Open a ‘Run’ dialog box by pressing Windows+R;
- Type the word ‘cmd’ in the box and press Enter;
- Type ‘netstat -nao’ in the command prompt window and press Enter;
- Search for a foreign IP address 220.127.116.11 on port 1604 or 81.
If users find the given IP address in the netstat output, it means they have been infected by the DarkComet trojan. The foreign IP address is marked as a DarkComet trojan command-and-control server on Shodan.
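The manual check above can be automated. The following script is an added example, not part of the police advisory or this article: it parses `netstat -nao` output (run live on Windows, or a constructed sample elsewhere) and reports any socket whose foreign endpoint is the advisory’s IP on port 1604 or 81, together with the owning PID so the process can be examined.

```python
import re
import subprocess
import sys

# Indicator taken from the Ukrainian police advisory quoted on the page.
DARKCOMET_C2_IP = "220.127.116.11"
DARKCOMET_C2_PORTS = {1604, 81}

# Constructed sample of `netstat -nao` output (Windows layout) for offline use;
# the second TCP line is a constructed hit, the other rows are benign.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49731     220.127.116.11:1604    ESTABLISHED     4120
  TCP    192.168.1.20:49800     93.184.216.34:443      ESTABLISHED     2208
  UDP    0.0.0.0:5353           *:*                                    1388
"""

# proto, local, foreign, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(output):
    """Yield (proto, local, foreign, state, pid) tuples from netstat -nao text."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            yield proto, local, foreign, state or "", int(pid)

def find_c2_connections(output, c2_ip=DARKCOMET_C2_IP, ports=DARKCOMET_C2_PORTS):
    """Return every socket whose foreign endpoint is c2_ip on one of the ports."""
    hits = []
    for proto, local, foreign, state, pid in parse_netstat(output):
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 [..] intact
        if host == c2_ip and port.isdigit() and int(port) in ports:
            hits.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": pid})
    return hits

def main():
    if sys.platform == "win32":
        output = subprocess.run(["netstat", "-nao"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_NETSTAT  # not Windows: demonstrate on the constructed sample
    for h in find_c2_connections(output):
        print(f"possible DarkComet C2 session: {h['proto']} {h['local']} -> "
              f"{h['foreign']} {h['state']} PID {h['pid']}")

if __name__ == "__main__":
    main()
```

A hit only shows a connection to the listed address; confirm it by checking the reported PID in Task Manager before wiping the machine, since the advisory gives a single IP and the ports alone are not specific to DarkComet.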
The instructions also cover how to mitigate the infection. Once a victim finds the malicious IP address, he/she should either wipe the machine or reinstall the operating system. Users are also advised to install a reputable antivirus product in order to remove the malware.