Home / malwarePDF  

Worm:Win32/Flame.gen!A


First posted on 31 May 2012.
Source: Microsoft

Aliases :

Worm:Win32/Flame.gen!A is also known as Flamer (other), W32/FLamer.A (Command), TR/Flame.B (Avira), Win32.HLLW.Flame.1 (Dr.Web), Win32/Flamer.A worm (ESET), Worm.Win32.Flame.a (Kaspersky), SkyWiper (McAfee), W32/Flame-A (Sophos), W32.Flamer (Symantec).

Explanation :



Worm:Win32/Flame is a multi-component worm that uses a variety of actions to perform its malicious payload, which also includes gathering information from your infected computer.

Whilst complex, the malware has thus far only been observed on a relatively small number of computers, mainly in the Middle-East. This suggests the toolkit (used to distribute the worm) is used in targeted attacks.



Installation

The original method of infection is speculated to be via targeted attacks.

The main component of the malware, mssecmgr.ocx, is a DLL which conforms to the requirements of LSA Authentication packages.

Worm:Win32/Flame.gen!A creates the following registry key to ensure its execution when you start Windows:

HKLM\CurrentControlSet\Control\Lsa\Authentication Packages

Additional components

The main component, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), may create the following files:

  • msglu32.ocx
  • nteps32.ocx
  • soapr32.ocx
Spreads via...

As the malware can download various different modules, which extend the malware's original functionality, it may spread via any number of methods.

For instance, if the malware has been instructed to do so, with the right component installed, it can spread by Autorun to removable drives.



Payload

As the malware can download various different modules, which extend its original functionality, the malware could serve almost any malicious purpose.

Initial analysis of this worm indicates that, with the related component installed, the following functionality is available it for it to do the following:

  • Capture screenshots of various software
  • Log keystrokes


Contacts remote host

Once active, the malware contacts one of many possible domains in order to receive commands and possibly download additional components.

Components and configuration files we have seen use the following names:

  • advnetcfg.ocx
  • boot32drv.sys
  • ccalc32.sys
  • dvnetcfg.ocx
  • rpcns4.ocx


Depending on the component, they may be detected as Worm:Win32/Flame.gen!B or Worm:Win32/Flame.gen!C.

Additional information

Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.



Analysis by Matt McCormack

Last update 31 May 2012

 

TOP