Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for flame virus

Flame Virus: How to check if infected.

By Leave a Comment

Flame Virus Name Origin Screen ShotThe main module of Flame is a DLL file called mssecmgr.ocx.

There are two known versions to this module:   a large 6mb version, which includes the full virus package, and a small 900kb version containing only the core module – which once installed will connect to the source command and control server to download and install the remaining components.

Note:  The Mssecmgr could have other names and moving forward may be best discovered with signature files that look at the content of the infected files instead of the file name.

Step 1

Search for the file ~DEB93D.tmp.

The presence of this file is positive confirmation that the system is infected by Flame.

Step 2

Check the registry key using:  RegEdit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Key Name:  Authentication Packages

If the DATA contains the files:

mssecmgr.ocx or authpack.ocx

The system is infected with the Flame virus.

Step 3

Browse to:    C:\Program Files\Common Files\Microsoft Shared

The system is infected with the Flame Virus if any of the following Directories are present:

MSSecurityMgr

MSAudio

MSAuthCtrl

MSAPackages

MSSndMix

Step 4

The system is most likely infected with the Flame virus if any of the following files are present.  Search each one by one.

mssecmgr.ocx
advnetcfg.ocx
msglu32.ocx
nteps32.ocx
soapr32.ocx
ccalc32.sys
boot32drv.sys
~DEB93D.tmp
~8C5FF6C.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~DFL*.tmp
~dra*.tmp
~fghz.tmp
~HLV*.tmp
~KWI988.tmp
~KWI989.tmp
~rei524.tmp
~rei525.tmp
~rf288.tmp
~rft374.tmp
~TFL848.tmp
~TFL849.tmp
~mso2a0.tmp
~mso2a1.tmp
~mso2a2.tmp
sstab*.dat
dstrlog.dat
lmcache.dat
mscrypt.dat
wpgfilter.dat
ntcache.dat
rccache.dat
audfilter.dat
ssitable
audache
secindex.dat
wavesup3.drv
svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx

 

The Modules

A  dissection of the Flame Virus shows that each component has a purpose.  Identified modules and their functions are listed below.  The names were extracted from the binary and the 146 resource.

Flame Virus Modules Map

 

BeetlejuiceBluetooth: enumerates devices around the infected machine.
May turn itself into a “beacon”: announces the computer as a discoverable device and encode the status of the malware in device information using base64.

Microbe

Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.

Infectmedia

Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

Autorun_infector

Creates “autorun.inf” that contains the malware and starts with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.

Euphoria

Create a “junction point” directory with “desktop.ini” and “target.lnk” from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.

Limbo

Creates backdoor accounts with login “HelpAssistant” on the machines within the network domain if appropriate rights are available.

Frog

Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.

Munch

HTTP server that responds to “/view.php” and “/wpad.dat” requests.

Snack

Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started. Collected data is then used for replicating by network.

Boot_dll_loader

Configuration section that contains the list of all additional modules that should be loaded and started.

Weasel

Creates a directory listing of the infected computer.

Boost

Creates a list of “interesting” files using several filename masks.

Telemetry

Logging facilities

Gator

When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.

Security

Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.

Bunny, Dbquery, Driller, Headache and Gadget

Unknown function.

For a more comprehensive discussion of the Flame Virus direct from the Kaspersky Lab Expert, Aleks, please review:

The Flame:  Questions and Answers

For more information on the modules themselves, please review:

Flame:  Bunny, Frog, Munch and BeetleJuice…