W32.Flamer Description
W32.Flamer is a worm that spreads through removable drives. It also opens a back door on the infected PC and may steal confidential data from its victims. W32.Flamer attempts to evade anti-virus detection by saving its complex code in .OCX files, which anti-virus software does not usually check in its default configuration. However, if W32.Flamer detects McAfee's on-access scanner, McShield, it saves its code in .TMP files instead. Once a computer system is infected, W32.Flamer performs malicious actions including taking screenshots, recording audio conversations, sniffing network traffic, intercepting the keyboard, and others. All this data is available to the attackers through the link to Flame's command-and-control (C&C) servers.
Type: Worms
How Can You Detect W32.Flamer?
W32.Flamer Removal Details
W32.Flamer typically has the following processes in memory:
- Windows\System32\msglu32.ocx
- Windows\System32\soapr32.ocx
- Windows\System32\ccalc32.sys
- Windows\System32\nteps32.ocx
- Windows\System32\boot32drv.sys
- Windows\System32\mssecmgr.ocx
- Windows\System32\advnetcfg.ocx
W32.Flamer creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" = "mssecmgr.ocx"
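A read-only check for the files and the registry entry listed above, written as an added PowerShell example that is not part of the original article. The function name Get-FlamerIndicator and its parameters are hypothetical, and files are matched by name only.

```powershell
# Added example: looks for the W32.Flamer files and registry value listed above.
$FlamerFiles = 'msglu32.ocx', 'soapr32.ocx', 'ccalc32.sys', 'nteps32.ocx',
               'boot32drv.sys', 'mssecmgr.ocx', 'advnetcfg.ocx'

function Get-FlamerIndicator {
    param(
        # Assumption: when omitted, the native System32 of the live host is used.
        [string]$System32,
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    if (-not $System32) {
        # A 32-bit process on 64-bit Windows is redirected to SysWOW64;
        # the Sysnative alias reaches the native System32 directory.
        $wow64 = [Environment]::Is64BitOperatingSystem -and
                 -not [Environment]::Is64BitProcess
        $leaf = if ($wow64) { 'Sysnative' } else { 'System32' }
        $System32 = Join-Path $env:SystemRoot $leaf
    }

    foreach ($name in $FlamerFiles) {
        $path = Join-Path $System32 $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force so hidden or system files are still returned.
            $file = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Type      = 'File'
                Indicator = $path
                Detail    = 'modified {0:o}, {1} bytes' -f $file.LastWriteTimeUtc, $file.Length
            }
        }
    }

    # "Authentication Packages" is a multi-string value; check every entry.
    $lsa = Get-ItemProperty -LiteralPath $LsaKey -Name 'Authentication Packages' -ErrorAction SilentlyContinue
    foreach ($entry in @($lsa.'Authentication Packages')) {
        if ($entry -and [IO.Path]::GetFileName($entry) -ieq 'mssecmgr.ocx') {
            [pscustomobject]@{
                Type      = 'Registry'
                Indicator = "$LsaKey\Authentication Packages"
                Detail    = "entry '$entry'"
            }
        }
    }
}

Get-FlamerIndicator | Format-Table -AutoSize -Wrap
```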