Home / malwarePDF  

Worm:Win32/Flame!cfg


First posted on 07 June 2012.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Flame!cfg.

Explanation :



Worm:Win32/Flame is a multi-component worm that uses a variety of actions to perform its malicious payload, which also includes gathering information from your infected computer.

While complex, the malware has thus far only been observed on a relatively small number of computers, mainly in the Middle-East. This suggests the toolkit (used to distribute the worm) is used in targeted attacks.

Worm:Win32/Flame!cfg is a component of this malware that may be used to capture screenshots of the affected computer.



Installation

The original method of infection is speculated to be via targeted attacks.

The main component of the malware, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), is a DLL which conforms to the requirements of LSA Authentication packages.

Worm:Win32/Flame.gen!A creates the following registry key to ensure its execution when you start Windows:

HKLM\CurrentControlSet\Control\Lsa\Authentication Packages

Additional components

The main component, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), may create the following files:

  • msglu32.ocx
  • nteps32.ocx
  • soapr32.ocx
Spreads via...

As the malware can download various different modules, which extend the malware's original functionality, it may spread via any number of methods.

For instance, if the malware has been instructed to do so, with the right component installed, it can spread by Autorun to removable drives.



Payload

As the malware can download various different modules, which extend its original functionality, the malware could serve almost any malicious purpose.

Initial analysis of this worm indicates that, with the related component installed, the following functionality is available it for it to do the following:

  • Capture screenshots of various software
  • Log keystrokes


Contacts remote host

Once active, the malware contacts one of many possible domains in order to receive commands and possibly download additional components.

Components and configuration files we have seen use the following names:

  • advnetcfg.ocx
  • boot32drv.sys
  • ccalc32.sys
  • dvnetcfg.ocx
  • rpcns4.ocx


Depending on the component, they may be detected as Worm:Win32/Flame.gen!B or Worm:Win32/Flame.gen!C.

Additional information

Vintage

Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.

Uses Lua

The worm uses Lua, a powerful scripting language, to script its attack methods. In the wild, we have observed the worm using the following attack features:

  • AUTORUN
  • BEETLEJUICE
  • BOOST
  • BOOT_DLL_LOADER
  • BUNNY
  • CMDROUTER
  • CRUISE
  • DBQUERY
  • DRILLER
  • EUPHORIA
  • FBS
  • FROG
  • GADGET
  • GATOR
  • HEADACHE
  • INFECTMEDIA
  • INSTALL
  • LEAK
  • LIMBO
  • LOG
  • LUA
  • MEMORY
  • MICROBE
  • MOBILE
  • MUNCH
  • NetworkTypeIdentifier
  • P_CMDS
  • PROCSUPPLIER
  • RTS
  • SECURITY
  • SNACK
  • STORAGE
  • SUICIDE
  • TELEMETRY
  • TIMER
  • USB_SUPPLIER
  • VIPER
  • VOLUME_SUPPLIER
  • WEASEL


The above list suggests what the worm may be capable of doing. These features are not well-documented, but we can assume that this indicates the worm may be able of performing a number of different actions, for example:

  • Delete various files and malware components
  • Check if the infected computer is secure




Analysis by Matt McCormack, Methusela Cebrian Ferrer & Ric Robielos

Last update 07 June 2012

 

TOP