The main module of Flame is a DLL file called mssecmgr.ocx.
There are two known versions to this module: a large 6mb version, which includes the full virus package, and a small 900kb version containing only the core module – which once installed will connect to the source command and control server to download and install the remaining components.
Note: The Mssecmgr could have other names and moving forward may be best discovered with signature files that look at the content of the infected files instead of the file name.
Search for the file ~DEB93D.tmp.
The presence of this file is positive confirmation that the system is infected by Flame.
Check the registry key using: RegEdit
Key Name: Authentication Packages
If the DATA contains the files:
mssecmgr.ocx or authpack.ocx
The system is infected with the Flame virus.
Browse to: C:\Program Files\Common Files\Microsoft Shared
The system is infected with the Flame Virus if any of the following Directories are present:
The system is most likely infected with the Flame virus if any of the following files are present. Search each one by one.
A dissection of the Flame Virus shows that each component has a purpose. Identified modules and their functions are listed below. The names were extracted from the binary and the 146 resource.
BeetlejuiceBluetooth: enumerates devices around the infected machine.
May turn itself into a “beacon”: announces the computer as a discoverable device and encode the status of the malware in device information using base64.
Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.
Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.
Creates “autorun.inf” that contains the malware and starts with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.
Create a “junction point” directory with “desktop.ini” and “target.lnk” from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.
Creates backdoor accounts with login “HelpAssistant” on the machines within the network domain if appropriate rights are available.
Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.
HTTP server that responds to “/view.php” and “/wpad.dat” requests.
Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started. Collected data is then used for replicating by network.
Configuration section that contains the list of all additional modules that should be loaded and started.
Creates a directory listing of the infected computer.
Creates a list of “interesting” files using several filename masks.
When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.
Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.
Bunny, Dbquery, Driller, Headache and Gadget
For a more comprehensive discussion of the Flame Virus direct from the Kaspersky Lab Expert, Aleks, please review:
The Flame: Questions and Answers
For more information on the modules themselves, please review:
Leave a Reply