WORM_FLAMER.A

This info-stealing malware is dubbed as Flame malware and has been spotted in Iran and other countries since 2010. It is a multi-component threat which makes it hard to analyze.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm is capable of propagating in a local network when an infected machine is found in the said network. It also spreads through removable drives.

It may disable antivirus software by uninstalling registry keys. It is also capable of capturing screenshots, recording audio via the system's microphone, and manipulating a database that may contain records related to the malware’s malicious routines.

This worm arrives by connecting affected removable drives to a system or through an infected machine in the network.

This worm arrives by connecting affected removable drives to a system.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\mssecmgr.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

• %System%\boot32drv.sys - detected as TROJ_FLAMER.CFG
• %System%\ccalc32.sys - detected as TROJ_FLAMER.CFG
• %System%\advnetcfg.ocx - also detected as WORM_FLAMER.A
• %System%\msglu32.ocx - also detected as WORM_FLAMER.A
• %System%\nteps32.ocx - also detected as WORM_FLAMER.A
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat
• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable
• %Windows%\Ef_trace.log

It creates the following folders:

• %Program Files%\Common Files\Microsoft Shared\MSSecurityMgr

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa Authentication
Packages = "{default entry + mssecmgr.ocx}"

(Note: The default value data of the said registry entry is {default entry}.)

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• acs.exe
• AdoronsFirewall.exe
• almon.exe
• alsvc.exe
• alupdate.exe
• AntiHook.exe
• app_firewall.exe
• asr.exe
• aupdrun.exe
• authfw.exe
• avgnt.exe
• avguard.exe
• avp.exe
• avpm.exe
• bdagent.exe
• bdmcon.exe
• bdss.exe
• blackd.exe
• blackice.exe
• BootSafe.exe
• cdas17.exe
• cdinstx.exe
• clamd.exe
• cmdagent.exe
• configmgr.exe
• cpf.exe
• DCSUserProt.exe
• DF5SERV.exe
• DF5ServerService.exe
• DFAdmin6.exe
• DFServEx.exe
• dfw.exe
• dvpapi.exe
• EMLPROUI.exe
• EMLPROXY.exe
• FAMEH32.exe
• FCH32.exe
• Firewall 2004.exe
• FirewallGUI.exe
• FrzState.exe
• frzstate2k.exe
• fsaua.exe
• fsav32.exe
• Fsbwsys.exe
• fsdfwd.exe
• fsgk32.exe
• fsgk32st.exe
• fsguidll.exe
• Fsguiexe.exe
• FSM32.exe
• FSMA32.exe
• FSMB32.exe
• fspc.exe
• Fspex.exe
• fsqh.exe
• fsrt.exe
• Fssm32.exe
• FWService.exe
• fwsrv.exe
• fxsrv.exe
• gateway.exe
• ICMON.exe
• ike.exe
• ipatrol.exe
• ipcsvc.exe
• ipcTray.exe
• jpf.exe
• jpfsrv.exe
• kav.exe
• kavmm.exe
• Kpf4gui.exe
• Kpf4ss.exe
• live help.exe
• livesrv.exe
• lpfw.exe
• MPF.exe
• mpfcm.exe
• mpsvc.exe
• Netguard Lite.exe
• NetMon.exe
• NJEEVES.exe
• nstzerospywarelite.exe
• nvcoas.exe
• NVCSCHED.exe
• Nvoy.exe
• OEInject.exe
• omnitray.exe
• ONLINENT.exe
• ONLNSVC.exe
• op_mon.exe
• outpost.exe
• pcipprev.exe
• PF6.exe
• pfsvc.exe
• pgaccount.exe
• procguard.exe
• protect.exe
• PXAgent.exe
• PXConsole.exe
• R-Firewall.exe
• RDTask.exe
• RTT_CRC_Service.exe
• sab_wab.exe
• safensec.exe
• savadminservice.exe
• SavService.exe
• SCANWSCS.exe
• sched.exe
• SfCtlCom.exe
• smc.exe
• snsmcon.exe
• snsupd.exe
• sp_rsser.exe
• spfirewallsvc.exe
• sppfw.exe
• SpyHunter3.exe
• SpywareTerminator.exe
• SpywareTerminatorShield.exe
• SSUpdate.exe
• SUPERAntiSpyware.exe
• SWNETSUP.exe
• swupdate.exe
• sww.exe
• tikl.exe
• tinykl.exe
• TMAS_OEMon.exe
• TMBMSRV.exe
• TmPfw.exe
• TmProxy.exe
• Tray.exe
• TSAnSrf.exe
• TSAtiSy.exe
• TScutyNT.exe
• TSmpNT.exe
• UfSeAgnt.exe
• UmxAgent.exe
• UmxCfg.exe
• UmxFwHlp.exe
• Umxlu.exe
• UmxPol.exe
• UmxTray.exe
• updclient.exe
• VCATCH.exe
• vdtask.exe
• VSDesktop.exe
• vsmon.exe
• vsserv.exe
• WSWEEPNT.exe
• wwasher.exe
• xauth_service.exe
• xcommsvr.exe
• xfilter.exe
• Zanda.exe
• zerospyware le.exe
• ZeroSpyware Lite.exe
• zerospyware lite_installer.exe
• zlclient.exe

NOTES:

This worm propagates via removable drives. It also propagates to other systems through an infected machine in a local network.

It may disable antivirus software by uninstalling the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP7

SOFTWARE\KasperskyLab\avp6\settings

SOFTWARE\Symantec\InstalledApps

SOFTWARE\Symantec\Norton AntiVirus

SOFTWARE\Symantec\SymSetup\Internet security

SOFTWARE\Symantec\Symantec AntiVirus

This worm is capable of exhibiting the following routines:

• Capture screenshots
• Capture audio from microphone
• Log and report malware-related events
• Manipulate database