W32/Flame-A, commonly known as 'Flame' and also known as Skywiper (sKyWIper) and Flamer, was first identified on computers in Iran and has since been found in several other countries of the Middle East and North Africa. News of W32/Flame-A took a while to reach the wider public, since little information left the region in the first weeks. Many malware researchers have hypothesized that W32/Flame-A is part of a deliberate, state-backed attack against Iran, given its complexity and the resources it would take to build a comparable toolkit. However, as infections have been reported beyond the Middle East, including in Western nations, this idea has lost some ground.

W32/Flame-A Has Some Particularly Nasty Tricks Up Its Sleeve

Another highly publicized malware infection that also received attention as a possible act of cyber-warfare between nations was the Stuxnet worm. At present, one reason PC security researchers have trouble cataloguing every capability of W32/Flame-A is its size: at roughly 20 MB, its code base is about twenty times larger than that of Stuxnet, itself a notably complex piece of malware. W32/Flame-A stores its modules in files with the .ocx extension, which some anti-virus configurations skip or scan at low priority. It also adapts to the security product it finds on the victim's computer: if it detects McAfee's McShield, which does scan .ocx files, it writes its modules with a .tmp extension instead. The practical lesson for defenders is that scan exclusions or priorities based on file extension are not a reliable control; an executable should be recognised by its content (its MZ/PE header), whatever its name.

Is W32/Flame-A the Most Complicated Malware Attack in Existence?

Many PC security analysts regard W32/Flame-A as among the most complex pieces of malware they have ever analyzed. Its primary purpose is espionage: it collects data from infected computers, and it has also been observed deleting information, including its own components when instructed to remove itself. The full severity of the attack is still unknown because of the sheer volume of code that remains to be analyzed. The way W32/Flame-A moved between computers inside infected networks was not fully understood when it was first examined, which points to distribution techniques not seen in earlier malware. While there is no doubt that W32/Flame-A is dangerous and has been responsible for the theft of large amounts of data, its techniques will also allow PC security researchers to learn about weaknesses in security software and computer systems and to fine-tune their new releases accordingly.

File System Details

W32/Flame-A may create the following files (an MD5 hash and a detection count are given only where the source lists them):

#    File name                          MD5                               Detections
1.   Windows\System32\msglu32.ocx
2.   Windows\System32\soapr32.ocx
3.   Windows\System32\ccalc32.sys
4.   Windows\System32\nteps32.ocx
5.   Windows\System32\boot32drv.sys
6.   Windows\System32\mssecmgr.ocx
7.   Windows\System32\advnetcfg.ocx
8.   03.exe                             1f61d280067e2564999cac20e386041c  0
9.   file.exe                           f47bd1af6f6fbc2559d6ab5069d394eb  0
10.  file.exe                           b51424138d72d343f22d03438fc9ced5  0
11.  noname4.dll                        75de82289ac8c816e27f3215a4613698  0
12.  noname.dll                         bddbc6974eb8279613b833804eda12f9  0

Registry Details

W32/Flame-A may create or modify the following registry entry. This value is a REG_MULTI_SZ list of LSA authentication packages; on a stock Windows installation it contains only msv1_0. By appending its main module, Flame has LSASS load mssecmgr.ocx at every boot, which serves as its persistence mechanism:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" = "mssecmgr.ocx"
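The following is an added example, not code from this page or from any vendor's tool, showing how a responder could sweep a host for the indicators above: the file names and MD5 hashes from the file list, the LSA "Authentication Packages" persistence entry (read from a `reg export` of the Lsa key so the check runs anywhere, not only on the infected Windows host), and, for the extension-swapping trick described earlier, any .tmp file that is really a PE executable. The .reg excerpt and the demo directory are constructed inline; `scan_tree`, `build_demo_tree` and the other names are this example's own.

```python
"""Offline sweep for the W32/Flame-A indicators listed on this page.

Added example; not code from the page or any vendor tool. Runs on any OS:
the registry check parses 'reg export' text rather than the live registry,
and the file check walks whatever directory it is given.
"""
import hashlib
import os
import tempfile

# File-name indicators copied from the page's file list (NTFS names are case-insensitive).
FLAME_FILE_NAMES = {
    "msglu32.ocx", "soapr32.ocx", "ccalc32.sys", "nteps32.ocx",
    "boot32drv.sys", "mssecmgr.ocx", "advnetcfg.ocx",
}
# MD5 indicators copied from the page's file list (MD5 only because that is what the page gives).
FLAME_MD5S = {
    "1f61d280067e2564999cac20e386041c", "f47bd1af6f6fbc2559d6ab5069d394eb",
    "b51424138d72d343f22d03438fc9ced5", "75de82289ac8c816e27f3215a4613698",
    "bddbc6974eb8279613b833804eda12f9",
}
# The only package a stock Windows install lists in LSA "Authentication Packages".
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return f.read(4) == b"PE\0\0"


def scan_tree(root):
    """Return (path, reason) pairs for files matching the indicators."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in FLAME_FILE_NAMES:
                hits.append((path, "name matches Flame module"))
            try:
                if md5_of(path) in FLAME_MD5S:
                    hits.append((path, "MD5 matches Flame sample"))
                # Flame writes .tmp instead of .ocx when McShield is present,
                # so judge executables by content, not by extension.
                if lower.endswith(".tmp") and is_pe(path):
                    hits.append((path, "PE image with .tmp extension"))
            except OSError:
                continue
    return hits


def parse_reg_multi_sz(hex_blob):
    """Decode a .reg 'hex(7)' blob (comma-separated UTF-16LE bytes) into a list of strings."""
    raw = bytes(int(b, 16) for b in hex_blob.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def auth_packages_from_reg_export(reg_text):
    """Extract the LSA 'Authentication Packages' list from 'reg export' output, or None."""
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith('"Authentication Packages"=hex(7):'):
            blob = line.split(":", 1)[1]
            while blob.endswith("\\"):  # a wrapped value continues on the next indented line
                i += 1
                blob = blob[:-1] + lines[i].strip()
            return parse_reg_multi_sz(blob)
    return None


def suspicious_auth_packages(packages):
    """Anything beyond the stock msv1_0 entry deserves a look."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


# Constructed excerpt of 'reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa' in which
# Flame has appended mssecmgr.ocx after the stock msv1_0 entry.
CONSTRUCTED_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,6d,00,\\
  73,00,73,00,65,00,63,00,6d,00,67,00,72,00,2e,00,6f,00,63,00,78,00,00,00,00,00
"""

# Minimal MZ/PE stub: e_lfanew at offset 0x3C points to a 'PE\0\0' signature at 0x40.
PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def build_demo_tree():
    """Create a throwaway directory with one named hit, one .tmp PE and one benign file."""
    root = tempfile.mkdtemp(prefix="flame_demo_")
    for name, data in (("mssecmgr.ocx", PE_STUB), ("update.tmp", PE_STUB),
                       ("readme.txt", b"nothing to see here\n")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_demo_tree()):
        print(f"{reason}: {path}")
    pkgs = auth_packages_from_reg_export(CONSTRUCTED_REG_EXPORT)
    print("Authentication Packages:", pkgs)
    print("non-default:", suspicious_auth_packages(pkgs))
```

On a real host, point `scan_tree` at the Windows directory and feed `auth_packages_from_reg_export` the output of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`. MD5 is used only because the page's indicators are MD5; a name hit or a PE-behind-.tmp hit is the stronger signal, since hashes change with every rebuilt module.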