Worm:Win32/Flame.gen!A


Worm:Win32/Flame is a multi-component worm that performs a range of malicious actions as its payload, including gathering information from the infected computer.

Worm:Win32/Flame components have been observed using stolen certificates to facilitate the malware's attack. On June 3, 2012, Microsoft reported on the revocation of these certificates; you can read more about this in the following article: http://technet.microsoft.com/en-us/security/advisory/2718704



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Whilst complex, the malware has thus far only been observed on a relatively small number of computers, mainly in the Middle East. This suggests the toolkit (used to distribute the worm) is used in targeted attacks.

Installation

The original method of infection is speculated to be via targeted attacks.

The main component of the malware, mssecmgr.ocx, is a DLL which conforms to the requirements of LSA Authentication packages.

Worm:Win32/Flame.gen!A creates the following registry key to ensure its execution when you start Windows:

HKLM\CurrentControlSet\Control\Lsa\Authentication Packages

Additional components

The main component, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), may create the following files:

  • msglu32.ocx
  • nteps32.ocx
  • soapr32.ocx

Spreads via...

As the malware can download various different modules, which extend the malware's original functionality, it may spread via any number of methods.

For instance, with the right component installed and when instructed to do so, it can spread to removable drives via Autorun.

Payload

As the malware can download various different modules, which extend its original functionality, the malware could serve almost any malicious purpose.

Initial analysis of this worm indicates that, with the related component installed, the following functionality is available to it:

  • Capture screenshots of various software
  • Log keystrokes

Contacts remote host

Once active, the malware contacts one of many possible domains in order to receive commands and possibly download additional components.

Components and configuration files we have seen use the following names:

  • advnetcfg.ocx
  • boot32drv.sys
  • ccalc32.sys
  • dvnetcfg.ocx
  • rpcns4.ocx

Depending on the component, they may be detected as Worm:Win32/Flame.gen!B or Worm:Win32/Flame.gen!C.

Additional information

Vintage

Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.

Uses Lua

The worm uses Lua, a powerful scripting language, to script its attack methods. In the wild, we have observed the worm using the following attack features:

  • AUTORUN
  • BEETLEJUICE
  • BOOST
  • BOOT_DLL_LOADER
  • BUNNY
  • CMDROUTER
  • CRUISE
  • DBQUERY
  • DRILLER
  • EUPHORIA
  • FBS
  • FROG
  • GADGET
  • GATOR
  • HEADACHE
  • INFECTMEDIA
  • INSTALL
  • LEAK
  • LIMBO
  • LOG
  • LUA
  • MEMORY
  • MICROBE
  • MOBILE
  • MUNCH
  • NetworkTypeIdentifier
  • P_CMDS
  • PROCSUPPLIER
  • RTS
  • SECURITY
  • SNACK
  • STORAGE
  • SUICIDE
  • TELEMETRY
  • TIMER
  • USB_SUPPLIER
  • VIPER
  • VOLUME_SUPPLIER
  • WEASEL

The above list suggests what the worm may be capable of doing. These features are not well-documented, but the names indicate that the worm may be capable of performing a number of different actions, for example:

  • Delete various files and malware components
  • Check if the infected computer is secure

Analysis by Matt McCormack, Methusela Cebrian Ferrer and Ric Robielos


Symptoms

System changes

The following files may indicate the presence of this malware, as they have been used to identify additional components:

  • %systemroot%\temp\msdclr64.ocx
  • %SYSTEMROOT%\Temp\~8C5FF6C.tmp
  • %temp%%\sstab%d.tmp
  • %temp%\dat3C.tmp
  • %temp%\sl84.tmp
  • %temp%\~dra53.tmp
  • %temp%\~mso2a0.tmp
  • %temp%\~mso2a2.tmp
  • %temp%\~rf288.tmp
  • %temp%\~txqvsl.tmp
  • %windir%\temp\~ZFF042.ocx

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    msglu32.ocx
    mssecmgr.ocx
    nteps32.ocx
    soapr32.ocx

  • The presence of the following registry modification:

    HKLM\CurrentControlSet\Control\Lsa\Authentication Packages
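
The Installation section's Authentication Packages persistence and the file names above can be turned into a simple host triage check. The Python below is an added example written for this entry; it is not Microsoft's code and was not part of the original page. It assumes that msv1_0 is the only entry normally present in the Authentication Packages value on the XP/2003-era systems the entry describes, that the "%d" in sstab%d.tmp is a printf-style placeholder for a run of digits, that the doubled percent sign in "%temp%%\sstab%d.tmp" above is a typo, and that the full key path is HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the page abbreviates it). The sample paths, environment and package list are constructed for the demonstration.

```python
"""Triage helpers for the Worm:Win32/Flame indicators listed on this page.

Added example, not Microsoft's code. Assumptions are marked inline.
"""
import re
import sys

# File indicators quoted from the Symptoms section. The "%d" in sstab%d.tmp is
# treated as one or more digits (assumption: printf-style placeholder).
FILE_INDICATORS = [
    r"%systemroot%\temp\msdclr64.ocx",
    r"%SYSTEMROOT%\Temp\~8C5FF6C.tmp",
    r"%temp%\sstab%d.tmp",
    r"%temp%\dat3C.tmp",
    r"%temp%\sl84.tmp",
    r"%temp%\~dra53.tmp",
    r"%temp%\~mso2a0.tmp",
    r"%temp%\~mso2a2.tmp",
    r"%temp%\~rf288.tmp",
    r"%temp%\~txqvsl.tmp",
    r"%windir%\temp\~ZFF042.ocx",
]

# Component names from the page; matched by file name regardless of directory.
COMPONENT_NAMES = {"msglu32.ocx", "mssecmgr.ocx", "nteps32.ocx", "soapr32.ocx"}

# Assumption: on the Windows XP/2003 systems this entry targets, msv1_0 is the
# only package normally listed in the Authentication Packages value.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def indicator_to_regex(indicator, env):
    """Expand %VAR% tokens from `env` (case-insensitive) and compile the
    indicator into an anchored, case-insensitive regex; %d becomes \\d+."""
    def expand(match):
        return env.get(match.group(1).lower(), match.group(0))

    expanded = re.sub(r"%([A-Za-z_]+)%", expand, indicator)
    literal_parts = [re.escape(part) for part in expanded.split("%d")]
    return re.compile("^" + r"\d+".join(literal_parts) + "$", re.IGNORECASE)


def match_file_indicators(paths, env):
    """Return the paths that match a page indicator or carry a component name."""
    patterns = [indicator_to_regex(ind, env) for ind in FILE_INDICATORS]
    hits = []
    for path in paths:
        base_name = path.rsplit("\\", 1)[-1].lower()
        if base_name in COMPONENT_NAMES or any(rx.match(path) for rx in patterns):
            hits.append(path)
    return hits


def unexpected_auth_packages(packages):
    """Entries of the Authentication Packages multi-string outside the default set."""
    return [p for p in packages
            if p.strip() and p.strip().lower() not in DEFAULT_AUTH_PACKAGES]


def read_live_auth_packages():
    """Read the real value on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Lsa"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Authentication Packages")
    return list(value)


# Constructed sample data (not taken from a real infection).
SAMPLE_ENV = {
    "systemroot": r"C:\WINDOWS",
    "windir": r"C:\WINDOWS",
    "temp": r"C:\DOCUME~1\user\LOCALS~1\Temp",
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\mssecmgr.ocx",                # component name
    r"C:\DOCUME~1\user\LOCALS~1\Temp\sstab12.tmp",      # sstab%d.tmp pattern
    r"C:\WINDOWS\Temp\~8c5ff6c.tmp",                    # case-insensitive hit
    r"C:\WINDOWS\system32\notepad.exe",                 # benign
    r"C:\DOCUME~1\user\LOCALS~1\Temp\dat3C.tmp.bak",    # suffix must not match
]
SAMPLE_AUTH_PACKAGES = ["msv1_0", "mssecmgr.ocx"]  # constructed, second entry suspicious


def triage(paths, packages, env):
    """Combine both checks into one findings dictionary."""
    return {
        "files": match_file_indicators(paths, env),
        "auth_packages": unexpected_auth_packages(packages),
    }


if __name__ == "__main__":
    live = read_live_auth_packages()
    packages = live if live is not None else SAMPLE_AUTH_PACKAGES
    for kind, items in triage(SAMPLE_PATHS, packages, SAMPLE_ENV).items():
        for item in items:
            print(f"{kind}: {item}")
```

On a live Windows host the script reads the real Authentication Packages value and compares it against the default set; anywhere else it falls back to the constructed sample so the logic can be exercised offline. The file check anchors each expanded indicator with ^ and $ so that lookalike names with extra suffixes are not reported.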

Prevention


Alert level: Severe
First detected by definition: 1.127.966.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 29, 2012
This entry was first published on: May 29, 2012
This entry was updated on: Jun 05, 2012

This threat is also detected as:
  • Flamer (other)
  • W32/FLamer.A (Command)
  • TR/Flame.B (Avira)
  • Win32.HLLW.Flame.1 (Dr.Web)
  • Win32/Flamer.A worm (ESET)
  • Worm.Win32.Flame.a (Kaspersky)
  • SkyWiper (McAfee)
  • W32/Flame-A (Sophos)
  • W32.Flamer (Symantec)