First posted on 22 June 2012.
There are no other names known for Worm:Win32/Flame.gen!D.
Worm:Win32/Flame is a multi-component worm that uses a variety of actions to perform its malicious payload, which also includes gathering information from your infected computer.
Whilst complex, the malware has thus far only been observed on a relatively small number of computers, mainly in the Middle-East. This suggests the toolkit (used to distribute the worm) is used in targeted attacks.
The original method of infection is speculated to be via targeted attacks.
The main component of the malware, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), is a DLL which conforms to the requirements of LSA Authentication packages.
Worm:Win32/Flame.gen!A creates the following registry key to ensure its execution when you start Windows:
The main component, mssecmgr.ocx (detected as Worm:Win32/Flame.gen!A), may create the following files:
As the malware can download various different modules, which extend the malware's original functionality, it may spread via any number of methods.
For instance, if the malware has been instructed to do so, with the right component installed, it can spread by Autorun to removable drives.
As the malware can download various different modules, which extend its original functionality, the malware could serve almost any malicious purpose.
Initial analysis of this worm indicates that, with the related component installed, the following functionality is available it for it to do the following:
- Capture screenshots of various software
- Log keystrokes
Contacts remote host
Once active, the malware contacts one of many possible domains in order to receive commands and possibly download additional components.
Components and configuration files we have seen use the following names:
Depending on the component, they may be detected as Worm:Win32/Flame.gen!B or Worm:Win32/Flame.gen!C.
Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.
The worm uses Lua, a powerful scripting language, to script its attack methods. In the wild, we have observed the worm using the following attack features:
The above list suggests what the worm may be capable of doing. These features are not well-documented, but we can assume that this indicates the worm may be able of performing a number of different actions, for example:
- Delete various files and malware components
- Check if the infected computer is secure
Analysis by Matt McCormack, Methusela Cebrian Ferrer and Ric Robielos
Last update 22 June 2012