W32/Flame-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 28 May 2012 19:06:15 (GMT)
Last Updated: 19 Jun 2012 19:26:36 (GMT)


W32/Flame-A is an information stealing worm.

W32/Flame-A is capable of stealing information from files on an infected machine, recording audio, capturing keystrokes and screenshots.

W32/Flame-A can spread over the network and on removable storage devices.

Components of W32/Flame-A have been observed to use the following filenames:

%SYSTEM%\advnetcfg.ocx
%SYSTEM%\boot32drv.sys
%SYSTEM%\ccalc32.sys
%SYSTEM%\msglu32.ocx
%SYSTEM%\nteps32.ocx
%SYSTEM%\mssecmgr.ocx
%SYSTEM%\soapr32.ocx


The main component of W32/Flame-A is mssecmgr.ocx.

Located at: %SYSTEM%\mssecmgr.ocx

W32/Flame-A maintains reboot persistence by adding its main module's name to the following registry value, so that it is loaded as an LSA authentication package at boot:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
"Authentication Packages"
+ mssecmgr


When executed, this component unpacks the other components from its resource section and deploys them onto the infected machine.

This file is very large (just over 6 MB), including 2.5 MB of encrypted/compressed resources.
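The persistence mechanism above leaves a visible trace: an extra entry in the LSA "Authentication Packages" REG_MULTI_SZ. The following Python script is an added example, not Sophos's code; it reads that value on Windows (or a constructed sample elsewhere) and reports known-bad and unexpected entries. The baseline set (msv1_0 only) and the sample value are assumptions.

```python
"""Check the LSA "Authentication Packages" value for unexpected entries.

Added example, not Sophos's code. W32/Flame-A persists by adding "mssecmgr"
to the "Authentication Packages" value under the Lsa key, which makes LSASS
load mssecmgr.ocx at boot. The check below compares that REG_MULTI_SZ
against a baseline of packages expected on the host.
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"

# Assumption: msv1_0 is the only package present on a stock install.
# Extend this with any authentication package legitimately deployed in your estate.
BASELINE_AUTH_PACKAGES = frozenset({"msv1_0"})

# Package name this advisory associates with W32/Flame-A.
KNOWN_BAD_AUTH_PACKAGES = frozenset({"mssecmgr"})


def classify_auth_packages(values, baseline=BASELINE_AUTH_PACKAGES,
                           known_bad=KNOWN_BAD_AUTH_PACKAGES):
    """Split the package list into (known_bad, unexpected), preserving original spelling.

    Comparison is case-insensitive because registry data is. Empty strings,
    which winreg returns as the REG_MULTI_SZ terminator, are ignored.
    """
    baseline_lc = {b.lower() for b in baseline}
    known_bad_lc = {k.lower() for k in known_bad}
    bad, unexpected = [], []
    for entry in values:
        name = entry.strip()
        if not name:
            continue
        if name.lower() in known_bad_lc:
            bad.append(name)
        elif name.lower() not in baseline_lc:
            unexpected.append(name)
    return bad, unexpected


def read_auth_packages_from_registry():
    """Read the live value on Windows via the standard-library winreg module."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise RuntimeError(f"{VALUE_NAME} has unexpected type {value_type}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        packages = read_auth_packages_from_registry()
    else:
        # Constructed sample standing in for the value on an infected host.
        packages = ["msv1_0", "mssecmgr", ""]
    bad, unexpected = classify_auth_packages(packages)
    print("known-bad packages:", bad or "none")
    print("unexpected packages:", unexpected or "none")
```

Anything reported as unexpected is not necessarily malicious (third-party credential providers register here too), but every entry should map to a DLL you can account for in %SYSTEM%.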


Other executable modules:


These are additional executable files that are dropped by the main component, usually into the same directory (%SYSTEM%).

Each is responsible for a general area of functionality. They include:


advnetcfg.ocx

msglu32.ocx

nteps32.ocx

soapr32.ocx


Data files:


These are created at runtime and are used by the main module and its dropped components to store temporary information, usually encrypted or compressed.

This information is usually stored in SQLite3 databases.


ccalc32.sys

boot32drv.sys

audcache

dstrlog.dat

ntcache.dat

~rf<num>.tmp

~DEB93D.tmp

~HLV<num>.tmp

~KWI<num>.tmp


W32/Flame-A will attempt to contact a Command and Control server over HTTPS. The following domains have been observed to be used:


dnslocation <dot> info

traffic-spot <dot> com

traffic-spot <dot> biz

smart-access <dot> net

quick-net <dot> info


A timeline of this threat can be found on Sophos's Naked Security site:

Examples of W32/Flame-A include:

Example 1

File Information
Size: 629K
SHA-1: 08175e30e6aa86ef537ebb224bc15b4b9706d86d
MD5: 3ae07746ccaa9e90b73fb61f59b4872b
CRC-32: 2d54e659
File type: Windows executable
First seen: 2012-06-02

Example 2

File Information
Size: 301K
SHA-1: 166f5a74eac828bf643205c7322a57646dc9fce4
MD5: 75de82289ac8c816e27f3215a4613698
CRC-32: dff64f1e
File type: Windows executable
First seen: 2012-06-01

Example 3

File Information
Size: 358K
SHA-1: 1867c9742e34d35239cefbf481676d769f921942
MD5: 34ed8bd95078348f4308a12c20020337
CRC-32: c5a46174
File type: Windows executable
First seen: 2012-06-02
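The component file names, the SHA-1 hashes of the three examples and the defanged C2 domains on this page can be combined into a simple triage sweep. The Python below is an added example, not Sophos's tooling: the indicator values are copied from this page, while the proxy log lines, their layout and the files written to a temporary directory are constructed for the demonstration. It goes slightly beyond the page by also matching subdomains of the listed C2 domains while rejecting look-alike names.

```python
"""Sweep a directory and proxy log lines for the W32/Flame-A indicators
listed in this advisory. Added example, not Sophos's own tooling.
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# File names the advisory lists for Flame components (normally under %SYSTEM%).
FLAME_FILENAMES = {
    "advnetcfg.ocx", "boot32drv.sys", "ccalc32.sys", "msglu32.ocx",
    "nteps32.ocx", "mssecmgr.ocx", "soapr32.ocx",
}

# SHA-1 hashes of the three samples listed under "Examples of W32/Flame-A".
FLAME_SHA1 = {
    "08175e30e6aa86ef537ebb224bc15b4b9706d86d",
    "166f5a74eac828bf643205c7322a57646dc9fce4",
    "1867c9742e34d35239cefbf481676d769f921942",
}

# C2 domains exactly as the advisory publishes them (defanged with " <dot> ").
DEFANGED_C2_DOMAINS = [
    "dnslocation <dot> info", "traffic-spot <dot> com", "traffic-spot <dot> biz",
    "smart-access <dot> net", "quick-net <dot> info",
]


def refang(domain):
    """Turn 'example <dot> com' back into 'example.com' so it can be matched."""
    return re.sub(r"\s*<dot>\s*", ".", domain.strip()).lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def sha1_of_file(path):
    """Hash a file in chunks; the main Flame module is over 6 MB."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(directory):
    """Return sorted (file name, reason) pairs for files matching a name or SHA-1 indicator."""
    hits = []
    for p in Path(directory).iterdir():
        if not p.is_file():
            continue
        if p.name.lower() in FLAME_FILENAMES:
            hits.append((p.name, "filename"))
        elif sha1_of_file(p) in FLAME_SHA1:
            hits.append((p.name, "sha1"))
    return sorted(hits)


# Captures the host part of a URL or host:port token in a log line.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)


def is_c2_host(host):
    """True for a listed C2 domain or a subdomain of one; false for look-alikes such as notsmart-access.net."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_DOMAINS)


def c2_hits_in_log(lines):
    """Return (1-based line number, host) for every log line whose host is a C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if is_c2_host(host):
                hits.append((n, host.lower()))
                break
    return hits


# Constructed proxy log lines (not real traffic) in a generic
# "date time client method target status" layout.
SAMPLE_PROXY_LOG = [
    "2012-06-02 10:15:01 10.0.0.5 CONNECT traffic-spot.com:443 200",
    "2012-06-02 10:15:07 10.0.0.5 GET http://update.example.org/patch.cab 200",
    "2012-06-02 10:16:40 10.0.0.9 CONNECT www.smart-access.net:443 200",
    "2012-06-02 10:17:02 10.0.0.9 CONNECT notsmart-access.net:443 200",
]


def demo_sweep():
    """Build a throwaway directory with a constructed decoy name and a benign file, then sweep it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "mssecmgr.ocx").write_bytes(b"constructed placeholder, not malware")
        Path(d, "readme.txt").write_bytes(b"nothing to see")
        return sweep_directory(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print("file hits:", sweep_directory(target) if target else demo_sweep())
    print("C2 hits:", c2_hits_in_log(SAMPLE_PROXY_LOG))
```

Run it with a directory argument (for example the expanded %SYSTEM% path) to sweep real files; without one it sweeps the constructed temporary directory. Note that a filename match alone is weak evidence, since the names are ordinary-looking, whereas a SHA-1 match against the examples is a definite hit; the HTTPS C2 traffic is only visible at the proxy or DNS layer, which is why the log check matches on host names rather than payload.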
