W32/Flame-A is an information stealing worm.
W32/Flame-A is capable of stealing information from files on an infected machine, recording audio, capturing keystrokes and screenshots.
W32/Flame-A can spread over the network and on removable storage devices.
Components of W32/Flame-A have been observed to use the following filenames:
%SYSTEM%\advnetcfg.ocx
%SYSTEM%\boot32drv.sys
%SYSTEM%\ccalc32.sys
%SYSTEM%\msglu32.ocx
%SYSTEM%\nteps32.ocx
%SYSTEM%\mssecmgr.ocx
%SYSTEM%\soapr32.ocx
The main component of W32/Flame-A is mssecmgr.ocx.
Located at: %SYSTEM%\mssecmgr.ocx
W32/Flame-A maintains persistence across reboots by adding itself to the "Authentication Packages" value under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
"Authentication Packages"
+ mssecmgr
When executed this component unpacks the other components from its resources section and deploys them onto the infected machine.
This file is very large (just over 6 MB), including 2.5 MB of encrypted/compressed resources.
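As an added defensive check (written for this page, not part of the Sophos description), the following Python script compares the LSA "Authentication Packages" value against a known-good baseline and looks for the component filenames listed above in %SYSTEM%. The baseline entry "msv1_0" is an assumption about a stock Windows install; the sample value used when not running on Windows is constructed.

```python
import os

# Assumed baseline: a stock Windows install normally carries only "msv1_0"
# in this value; extend the set with packages your environment legitimately adds.
KNOWN_GOOD_PACKAGES = frozenset({"msv1_0"})

# Component filenames the description above lists under %SYSTEM%.
FLAME_COMPONENT_NAMES = (
    "advnetcfg.ocx", "boot32drv.sys", "ccalc32.sys", "msglu32.ocx",
    "nteps32.ocx", "mssecmgr.ocx", "soapr32.ocx",
)


def unexpected_auth_packages(packages, known_good=KNOWN_GOOD_PACKAGES):
    """Return entries of the multi-string value that are not in the baseline."""
    # Case-insensitive, ignoring whitespace and empty strings: "MSV1_0" is baseline, "mssecmgr" is reported.
    baseline = {k.lower() for k in known_good}
    return [p.strip() for p in packages
            if p.strip() and p.strip().lower() not in baseline]


def flame_component_paths(system_dir):
    """Return full paths of the listed component names present in system_dir."""
    return [os.path.join(system_dir, name) for name in FLAME_COMPONENT_NAMES
            if os.path.isfile(os.path.join(system_dir, name))]


def read_auth_packages_from_registry():
    """Read the live value on Windows; return None on other platforms."""
    if os.name != "nt":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, value_type = winreg.QueryValueEx(key, "Authentication Packages")
    # The value is normally REG_MULTI_SZ (a list); tolerate a plain string.
    return list(value) if value_type == winreg.REG_MULTI_SZ else [str(value)]


if __name__ == "__main__":
    live = read_auth_packages_from_registry()
    # Constructed sample reproducing the value after the modification described above.
    packages = live if live is not None else ["msv1_0", "mssecmgr"]
    for entry in unexpected_auth_packages(packages):
        print("unexpected LSA authentication package:", entry)
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path in flame_component_paths(system32):
        print("listed W32/Flame-A component present:", path)
```

Any entry reported by the first check deserves a look at the matching DLL in %SYSTEM%, since LSA loads every package named in that value at startup.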
Other executable modules:
These are additional executable files that are dropped by the main component, usually into the same directory (%SYSTEM%).
Each is responsible for a general area of functionality; they include:
advnetcfg.ocx
msglu32.ocx
nteps32.ocx
soapr32.ocx
Data files:
These are created at runtime and are used by the main module and its dropped components to store temporary information, usually encrypted or compressed.
This information is usually stored in SQLite3 databases.
ccalc32.sys
boot32drv.sys
audcache
dstrlog.dat
ntcache.dat
~rf<num>.tmp
~DEB93D.tmp
~HLV<num>.tmp
~KWI<num>.tmp
W32/Flame-A will attempt to contact a Command and Control server over HTTPS. The following domains have been observed in use:
dnslocation <dot> info
traffic-spot <dot> com
traffic-spot <dot> biz
smart-access <dot> net
quick-net <dot> info
A timeline of this threat can be found on Sophos's Naked Security site:
Examples of W32/Flame-A include:
Example 1
File Information
Size: 629K
SHA-1: 08175e30e6aa86ef537ebb224bc15b4b9706d86d
MD5: 3ae07746ccaa9e90b73fb61f59b4872b
CRC-32: 2d54e659
File type: Windows executable
First seen: 2012-06-02
Example 2
File Information
Size: 301K
SHA-1: 166f5a74eac828bf643205c7322a57646dc9fce4
MD5: 75de82289ac8c816e27f3215a4613698
CRC-32: dff64f1e
File type: Windows executable
First seen: 2012-06-01
Example 3
File Information
Size: 358K
SHA-1: 1867c9742e34d35239cefbf481676d769f921942
MD5: 34ed8bd95078348f4308a12c20020337
CRC-32: c5a46174
File type: Windows executable
First seen: 2012-06-02