Where to Buy Trend Micro Products

For Home

For Small Business

1-888-762-8736
(M-F 8:00am-5:00pm CST)

For Enterprise

1-877-218-7353
(M-F 8:00am-5:00pm CST)

Not in the United States?
Select the country/language of your choice:

Asia Pacific Region

Europe

The Americas

Not in the United States?
Select the country/language of your choice:

Asia/Pacific

Europe

America

Login

For Home

For Business

For Partners

Threat Encyclopedia

WORM_FLAMER.A

ANALYSIS BY

Roland Marco Dela Paz


ALIASES:

W32.Flamer (Symantec); Worm.Win32.Flame.a (Kaspersky)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type:Worm

  • Destructiveness:No

  • Encrypted: Yes

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via removable drives


This info-stealing malware is dubbed as Flame malware and has been spotted in Iran and other countries since 2010. It is a multi-component threat which makes it hard to analyze.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm is capable of propagating in a local network when an infected machine is found in the said network. It also spreads through removable drives.

It may disable antivirus software by uninstalling registry keys. It is also capable of capturing screenshots, recording audio via the system's microphone, and manipulating a database that may contain records related to the malware’s malicious routines.

This worm arrives by connecting affected removable drives to a system or through an infected machine in the network.

This worm arrives by connecting affected removable drives to a system.

TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

28 May 2012

Payload:

Terminates processes, Compromises system security, Drops files

Arrival Details

This worm arrives by connecting affected removable drives to a system.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\mssecmgr.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

  • %System%\boot32drv.sys - detected as TROJ_FLAMER.CFG
  • %System%\ccalc32.sys - detected as TROJ_FLAMER.CFG
  • %System%\advnetcfg.ocx - also detected as WORM_FLAMER.A
  • %System%\msglu32.ocx - also detected as WORM_FLAMER.A
  • %System%\nteps32.ocx - also detected as WORM_FLAMER.A
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable
  • %Windows%\Ef_trace.log

It creates the following folders:

  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa Authentication
Packages = "{default entry + mssecmgr.ocx}"

(Note: The default value data of the said registry entry is {default entry}.)

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • acs.exe
  • AdoronsFirewall.exe
  • almon.exe
  • alsvc.exe
  • alupdate.exe
  • AntiHook.exe
  • app_firewall.exe
  • asr.exe
  • aupdrun.exe
  • authfw.exe
  • avgnt.exe
  • avguard.exe
  • avp.exe
  • avpm.exe
  • bdagent.exe
  • bdmcon.exe
  • bdss.exe
  • blackd.exe
  • blackice.exe
  • BootSafe.exe
  • cdas17.exe
  • cdinstx.exe
  • clamd.exe
  • cmdagent.exe
  • configmgr.exe
  • cpf.exe
  • DCSUserProt.exe
  • DF5SERV.exe
  • DF5ServerService.exe
  • DFAdmin6.exe
  • DFServEx.exe
  • dfw.exe
  • dvpapi.exe
  • EMLPROUI.exe
  • EMLPROXY.exe
  • FAMEH32.exe
  • FCH32.exe
  • Firewall 2004.exe
  • FirewallGUI.exe
  • FrzState.exe
  • frzstate2k.exe
  • fsaua.exe
  • fsav32.exe
  • Fsbwsys.exe
  • fsdfwd.exe
  • fsgk32.exe
  • fsgk32st.exe
  • fsguidll.exe
  • Fsguiexe.exe
  • FSM32.exe
  • FSMA32.exe
  • FSMB32.exe
  • fspc.exe
  • Fspex.exe
  • fsqh.exe
  • fsrt.exe
  • Fssm32.exe
  • FWService.exe
  • fwsrv.exe
  • fxsrv.exe
  • gateway.exe
  • ICMON.exe
  • ike.exe
  • ipatrol.exe
  • ipcsvc.exe
  • ipcTray.exe
  • jpf.exe
  • jpfsrv.exe
  • kav.exe
  • kavmm.exe
  • Kpf4gui.exe
  • Kpf4ss.exe
  • live help.exe
  • livesrv.exe
  • lpfw.exe
  • MPF.exe
  • mpfcm.exe
  • mpsvc.exe
  • Netguard Lite.exe
  • NetMon.exe
  • NJEEVES.exe
  • nstzerospywarelite.exe
  • nvcoas.exe
  • NVCSCHED.exe
  • Nvoy.exe
  • OEInject.exe
  • omnitray.exe
  • ONLINENT.exe
  • ONLNSVC.exe
  • op_mon.exe
  • outpost.exe
  • pcipprev.exe
  • PF6.exe
  • pfsvc.exe
  • pgaccount.exe
  • procguard.exe
  • protect.exe
  • PXAgent.exe
  • PXConsole.exe
  • R-Firewall.exe
  • RDTask.exe
  • RTT_CRC_Service.exe
  • sab_wab.exe
  • safensec.exe
  • savadminservice.exe
  • SavService.exe
  • SCANWSCS.exe
  • sched.exe
  • SfCtlCom.exe
  • smc.exe
  • snsmcon.exe
  • snsupd.exe
  • sp_rsser.exe
  • spfirewallsvc.exe
  • sppfw.exe
  • SpyHunter3.exe
  • SpywareTerminator.exe
  • SpywareTerminatorShield.exe
  • SSUpdate.exe
  • SUPERAntiSpyware.exe
  • SWNETSUP.exe
  • swupdate.exe
  • sww.exe
  • tikl.exe
  • tinykl.exe
  • TMAS_OEMon.exe
  • TMBMSRV.exe
  • TmPfw.exe
  • TmProxy.exe
  • Tray.exe
  • TSAnSrf.exe
  • TSAtiSy.exe
  • TScutyNT.exe
  • TSmpNT.exe
  • UfSeAgnt.exe
  • UmxAgent.exe
  • UmxCfg.exe
  • UmxFwHlp.exe
  • Umxlu.exe
  • UmxPol.exe
  • UmxTray.exe
  • updclient.exe
  • VCATCH.exe
  • vdtask.exe
  • VSDesktop.exe
  • vsmon.exe
  • vsserv.exe
  • WSWEEPNT.exe
  • wwasher.exe
  • xauth_service.exe
  • xcommsvr.exe
  • xfilter.exe
  • Zanda.exe
  • zerospyware le.exe
  • ZeroSpyware Lite.exe
  • zerospyware lite_installer.exe
  • zlclient.exe

NOTES:

This worm propagates via removable drives. It also propagates to other systems through an infected machine in a local network.

It may disable antivirus software by uninstalling the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7

SOFTWARE\KasperskyLab\avp6\settings

SOFTWARE\Symantec\InstalledApps

SOFTWARE\Symantec\Norton AntiVirus

SOFTWARE\Symantec\SymSetup\Internet security

SOFTWARE\Symantec\Symantec AntiVirus

This worm is capable of exhibiting the following routines:

  • Capture screenshots
  • Capture audio from microphone
  • Log and report malware-related events
  • Manipulate database

SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

9.148.03

FIRST VSAPI PATTERN DATE:

28 May 2012

VSAPI OPR PATTERN File:

9.149.00

VSAPI OPR PATTERN Date:

29 May 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware/grayware files dropped/downloaded by WORM_FLAMER.A

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr

Step 5

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • %Windows%\Ef_trace.log

Step 6

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Authentication
    • From: Packages = "{default entry + mssecmgr.ocx}"
      To: Packages = "{default entry}"

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_FLAMER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Connect with us on