Home / malwarePDF  

Trojan:Win32/MiniFlame.A


First posted on 24 October 2012.
Source: Microsoft

Aliases :

Trojan:Win32/MiniFlame.A is also known as Win-Trojan/Miniflame.104448 (AhnLab), Backdoor.Win32.MiniFlame.a (Kaspersky), W32/MiniFlame.A (Norman), TR/Spy.MiniFlame.A.1 (Avira), Win32/MiniFlame.A trojan (ESET), Backdoor.Win32.MiniFlame (Ikarus), SkyWiper.b (McAfee), W32.Flamer.B!gen1 (Symantec), BKDR_FLAMER.SMA (Trend Micro).

Explanation :



Trojan:Win32/MiniFlame.A is a trojan that connects to certain servers. Once connected, it can send information about your computer, and do certain actions based on commands coming from the server.



Installation

Trojan:Win32/MiniFlame.A may have the file name "%Systemroot%\system32\icsvnt32.ocx". When run, it changes the following registry entry to point to itself, effectively replacing your computer's default Event System DLL with itself, so that it can be loaded every time your computer starts:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
Sets value: "default"
With data: "%Systemroot%\system32\icsvnt32.ocx"

It also creates the following data files in which it stores information:

  • %Allusersprofile%\datFE2B.da1
  • %Allusersprofile%\mstlis.log


Trojan:Win32/MiniFlame.A also writes data to these registry entries:

  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\StandardDateBias
  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\StandardTimeBias


Payload

Connects to a remote server to send stolen information and get commands

Trojan:Win32/MiniFlame.A tries to connect to a remote server to send the following information about your computer:

  • Operating system version
  • OS service pack version
  • IP address
  • MAC address
  • Computer name
  • Value read from the registry subkey HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Fonts\PixelShader


It can also do the following actions based on commands sent from the remote server:

  • Download and upload files
  • Run a process
  • Load a DLL file


Here are some of the servers it has been known to connect to:

  • 109.235.49.203
  • 202.75.58.179
  • cache.dyndns.info
  • flashcenter.info
  • flashrider.org
  • flashupdates.info
  • nvidiadrivers.info
  • nvidiasoft.info
  • nvidiastream.info
  • rendercodec.info
  • syncstream.info
  • videosync.info
  • web.autoflash.info
  • web.velocitycache.com
  • webapp.serveftp.com
  • webupdate.dyndns.info
  • webupdate.hopto.org
Additional information on Trojan:Win32/MiniFlame.A

Trojan:Win32/MiniFlame.A doesn't run on your computer if you're running these programs:

  • outpost.exe (Outpost Firewall)
  • bdagent.exe (BitDefender Antivirus)




Analysis by Shawn Wang

Last update 24 October 2012

 

TOP

Malware :

Family: