 #13503  by Xylitol
 Tue May 29, 2012 12:17 pm
testsils wrote: Does anybody have a sample of the main component named mssecmgr.ocx a592d49ff32fe130591ecfde006ffa4fb34140d5

tx
Gotcha.
https://www.virustotal.com/file/295b089 ... 338293875/
https://www.virustotal.com/file/c6776d9 ... 338294497/
https://www.virustotal.com/file/2fe9c6b ... 338294499/

missed hashes:
Code:
dcf8dab7e0fc7a3eaf6368e05b3505c5 *mscrypt.dat
06a84ad28bbc9365eb9e08c697555154 *00004069.ex_
ec992e35e794947a17804451f2a8857e *00004784.dl_
b604c68cd46f8839979da49bb2818c36 *00006411.dl_
Attachment: infected (951.85 KiB)
Last edited by Xylitol on Tue May 29, 2012 12:53 pm, edited 5 times in total.
 #13507  by rkhunter
 Tue May 29, 2012 12:56 pm
Samples posted before; MD5, size, date of first ITW:
Code:
296e04abb00ea5f18ba021c34e486746 - 160768 bytes - 2012-05-29 00:42:43 UTC
c9e00c9d94d1a790d5923b050b0bd741 - 827392 bytes - 2012-05-28 05:42:31 UTC
c81d037b723adc43e3ee17b1eee9d6cc - 1300 bytes - 2012-05-28 06:10:10 UTC
bb5441af1e1741fca600e9c433cb1550 - 643072 bytes - 2011-05-15 04:31:30 UTC
bdc9e04388bda8527b398a8c34667e18 - 6166528 bytes - 2012-05-29 00:40:44 UTC
5ad73d2e4e33bb84155ee4b35fbefc2b - 53534 bytes - 2012-05-28 15:01:01 UTC
d53b39fb50841ff163f6e9cfd8b52c2e - 1721856 bytes - 2012-05-29 00:28:45 UTC
Aliases:
MS: Worm:Win32/Flame.A
Kaspersky: Worm.Win32.Flame.a
Symantec: W32.Flamer
McAfee: SkyWiper
 #13508  by kmd
 Tue May 29, 2012 1:05 pm
I have a question, perhaps someone is able to answer: what kind of tool/sandbox names files as file-DIGITS_ext?

True marketing super virus :D It lacks any kind of code obfuscation and looks like a toolkit, not malware.
 #13510  by rkhunter
 Tue May 29, 2012 1:32 pm
kmd wrote: I have a question, perhaps someone is able to answer: what kind of tool/sandbox names files as file-DIGITS_ext?
For me this more interesting: bb5441af1e1741fca600e9c433cb1550 - 2011-05-15 04:31:30 UTC
 #13511  by kmd
 Tue May 29, 2012 1:36 pm
rkhunter wrote:
kmd wrote: I have a question, perhaps someone is able to answer: what kind of tool/sandbox names files as file-DIGITS_ext?
For me this more interesting: bb5441af1e1741fca600e9c433cb1550 - 2011-05-15 04:31:30 UTC
This is the true sense of my question. This sample was first seen more than 1 year ago and it was uploaded by some sort of system, maybe a malware tracking system which uses this naming pattern; I don't believe in two, three or five years of undetectable deployment.
 #13516  by rkhunter
 Tue May 29, 2012 3:40 pm
http://abcnews.go.com/Technology/wireSt ... 8Ttqtz86So
Flame is the third major cyberweapon discovered in the past two years, and Kaspersky's conclusion that it was crafted at the behest of a national government fueled speculation that the virus could be part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.
 #13522  by leeno
 Tue May 29, 2012 9:11 pm
Hi guys,

Can we have details about the C&C communication or any network traffic capture for this?

Thanks in advance.