Win32/Flamer [Threat Name]

Win32/Flamer.A [Threat Variant Name]

Category: worm
Size: 6166528 B
Detection created: May 28, 2012
Detection database version: 7176
Aliases: Worm.Win32.Flame.a (Kaspersky), SkyWiper (McAfee), W32.Flamer (Symantec)

Short description

Win32/Flamer.A is a worm that steals sensitive information. The worm attempts to send gathered information to a remote machine. The worm serves as a backdoor. It can be controlled remotely.

Installation

The worm may create the following files:

  • %system%\advnetcfg.ocx
  • %system%\boot32drv.sys
  • %system%\ccalc32.sys
  • %system%\msapack.ocx (6166528 B)
  • %system%\msglu32.ocx
  • %system%\mssecmgr.ocx (6166528 B)
  • %system%\nteps32.ocx
  • %system%\soapr32.ocx
  • %programfilescommon%\Microsoft Shared\MSAPackages\audcach0
  • %programfilescommon%\Microsoft Shared\MSAPackages\audcache
  • %programfilescommon%\Microsoft Shared\MSAPackages\audfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAPackages\audfilter.da1
  • %programfilescommon%\Microsoft Shared\MSAPackages\audfilter.dat
  • %programfilescommon%\Microsoft Shared\MSAPackages\mscrypt.da0
  • %programfilescommon%\Microsoft Shared\MSAPackages\mscrypt.dat
  • %programfilescommon%\Microsoft Shared\MSAPackages\mssecmgr.dl0
  • %programfilescommon%\Microsoft Shared\MSAPackages\rccache.da0
  • %programfilescommon%\Microsoft Shared\MSAPackages\rccache.da1
  • %programfilescommon%\Microsoft Shared\MSAPackages\rccache.dat
  • %programfilescommon%\Microsoft Shared\MSAPackages\ssitabl0
  • %programfilescommon%\Microsoft Shared\MSAPackages\ssitable
  • %programfilescommon%\Microsoft Shared\MSAPackages\wavesup3.dr0
  • %programfilescommon%\Microsoft Shared\MSAPackages\wpgfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAPackages\wpgfilter.dat
  • %programfilescommon%\Microsoft Shared\MSAudio\audcach0
  • %programfilescommon%\Microsoft Shared\MSAudio\audcache
  • %programfilescommon%\Microsoft Shared\MSAudio\audfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAudio\audfilter.da1
  • %programfilescommon%\Microsoft Shared\MSAudio\audfilter.dat
  • %programfilescommon%\Microsoft Shared\MSAudio\mscrypt.da0
  • %programfilescommon%\Microsoft Shared\MSAudio\mscrypt.dat
  • %programfilescommon%\Microsoft Shared\MSAudio\mssecmgr.dl0
  • %programfilescommon%\Microsoft Shared\MSAudio\rccache.da0
  • %programfilescommon%\Microsoft Shared\MSAudio\rccache.da1
  • %programfilescommon%\Microsoft Shared\MSAudio\rccache.dat
  • %programfilescommon%\Microsoft Shared\MSAudio\ssitabl0
  • %programfilescommon%\Microsoft Shared\MSAudio\ssitable
  • %programfilescommon%\Microsoft Shared\MSAudio\wavesup3.dr0
  • %programfilescommon%\Microsoft Shared\MSAudio\wavesup3.drv (6166528 B)
  • %programfilescommon%\Microsoft Shared\MSAudio\wpgfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAudio\wpgfilter.dat
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\audcach0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\audcache
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\audfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\audfilter.da1
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\audfilter.dat
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\mscrypt.da0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\mscrypt.dat
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\mssecmgr.dl0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\rccache.da0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\rccache.da1
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\rccache.dat
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\ssitabl0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\ssitable
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\wavesup3.dr0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\wpgfilter.da0
  • %programfilescommon%\Microsoft Shared\MSAuthCtrl\wpgfilter.dat
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\audcach0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\audcache
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\audfilter.da0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\audfilter.da1
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\audfilter.dat
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\mscrypt.da0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\mscrypt.dat
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\mssecmgr.dl0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\rccache.da0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\rccache.da1
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\rccache.dat
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\ssitabl0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\ssitable
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\wavesup3.dr0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\wpgfilter.da0
  • %programfilescommon%\Microsoft Shared\MSSecurityMgr\wpgfilter.dat
  • %programfilescommon%\Microsoft Shared\MSSndMix\audcach0
  • %programfilescommon%\Microsoft Shared\MSSndMix\audcache
  • %programfilescommon%\Microsoft Shared\MSSndMix\audfilter.da0
  • %programfilescommon%\Microsoft Shared\MSSndMix\audfilter.da1
  • %programfilescommon%\Microsoft Shared\MSSndMix\audfilter.dat
  • %programfilescommon%\Microsoft Shared\MSSndMix\mscrypt.da0
  • %programfilescommon%\Microsoft Shared\MSSndMix\mscrypt.dat
  • %programfilescommon%\Microsoft Shared\MSSndMix\mssecmgr.dl0
  • %programfilescommon%\Microsoft Shared\MSSndMix\rccache.da0
  • %programfilescommon%\Microsoft Shared\MSSndMix\rccache.da1
  • %programfilescommon%\Microsoft Shared\MSSndMix\rccache.dat
  • %programfilescommon%\Microsoft Shared\MSSndMix\ssitabl0
  • %programfilescommon%\Microsoft Shared\MSSndMix\ssitable
  • %programfilescommon%\Microsoft Shared\MSSndMix\wavesup3.dr0
  • %programfilescommon%\Microsoft Shared\MSSndMix\wpgfilter.da0
  • %programfilescommon%\Microsoft Shared\MSSndMix\wpgfilter.dat
  • %windir%\temp\%variable%.tmp

A string with variable content is used instead of %variable%.

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    • "Authentication Packages" = "%originalvalue%, mssecmgr.ocx"
    • "Authentication Packages" = "%originalvalue%, authpack.ocx"
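
A defender-side check for the LSA persistence just listed, added here as an example and not part of the ESET entry: it classifies the content of the "Authentication Packages" value, flagging the two package names above as Flamer indicators and treating any package beyond an assumed stock baseline of msv1_0 as worth a look, since every DLL named there is loaded into lsass.exe at boot.

```python
# Added example (not ESET's code): defender-side check of the LSA persistence
# described above. Assumes a stock host where "msv1_0" is the only legitimate
# authentication package; extend EXPECTED_PACKAGES for your environment.
import sys

# Package names the entry above attributes to Win32/Flamer.A.
FLAMER_PACKAGES = {"mssecmgr.ocx", "authpack.ocx"}
# Assumed baseline content of the value on an unmodified install.
EXPECTED_PACKAGES = {"msv1_0"}


def normalise(entries):
    """Flatten a REG_MULTI_SZ list (or the flat "a, b" form quoted above)
    into lowercase package names with surrounding whitespace removed."""
    names = []
    for item in entries:
        for part in item.split(","):
            part = part.strip().lower()
            if part:
                names.append(part)
    return names


def assess_auth_packages(entries):
    """Return (verdict, unexpected_names): "flamer" if a package the entry
    names is present, "unexpected" if any package outside the baseline is
    present (still loaded into lsass.exe, so worth review), else "clean"."""
    names = normalise(entries)
    unexpected = [n for n in names if n not in EXPECTED_PACKAGES]
    if any(n in FLAMER_PACKAGES for n in names):
        return "flamer", unexpected
    if unexpected:
        return "unexpected", unexpected
    return "clean", []


def read_live_value():
    """Read the real value on a Windows host (winreg exists only there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, _kind = winreg.QueryValueEx(key, "Authentication Packages")
    return value if isinstance(value, list) else [value]


if __name__ == "__main__":
    # Off Windows, run against a constructed sample mimicking an infection.
    sample = read_live_value() if sys.platform == "win32" else ["msv1_0", "mssecmgr.ocx"]
    print(assess_auth_packages(sample))
```
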

Spreading

The worm may create copies of itself on removable drives.

Information stealing

Win32/Flamer.A is a worm that steals sensitive information.

The worm searches for files with the following file extensions:

  • .accdb
  • .bmp
  • .csv
  • .doc
  • .docx
  • .dwg
  • .eml
  • .gif
  • .jpeg
  • .jpg
  • .ldb
  • .mdb
  • .mpp
  • .ora
  • .pdf
  • .png
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .pub
  • .rdp
  • .rtf
  • .ssh
  • .ssh2
  • .tif
  • .txt
  • .url
  • .vsd
  • .xls
  • .xlsx

The following information is collected:

  • information about the operating system and system settings
  • screenshots
  • file(s) content

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • capture screenshots
  • send gathered information
  • remove itself from the infected computer
  • send various information about the infected computer
  • connect to remote computers on a specific port
  • various filesystem operations
  • spread via removable drives
  • set up an HTTP server
  • stop itself for a certain time period

The worm quits immediately if it detects certain security applications running.