Flamer worm - Page 4 - KernelMode.info

Re: Flamer worm

#13525 by 360Tencent
Wed May 30, 2012 12:03 am

http://blog.trendmicro.com/flame-malwar ... landscape/

http://www.securelist.com/en/blog/20819 ... eetleJuice

http://blog.damballa.com/?p=1663

There is of course some debate starting about the first detection of Flamer. Given the malware’s size and number of constituent components it shouldn’t be surprising to hear that some pieces of it may have been detected as far back as March 1st 2010 – such as the file “~ZFF042.TMP” (also seen as MSSECMGR.OCX and 07568402.TMP) – analyzed by Webroot and attributed to a system in Iran.

https://www.prevx.com/filenames/X835863 ... 2.TMP.html

Username

360Tencent

Posts

116

Joined

Thu Dec 15, 2011 12:47 pm

Re: Flamer worm

#13530 by rkhunter
Wed May 30, 2012 7:14 am

One more with
MD5: 37c97c908706969b2e3addf70b68dc13
File size: 6172160 bytes
2012-05-30 01:43:30 UTC

Attachments

37c97c908706969b2e3addf70b68dc13.zip

pass:infected
(4.06 MiB) Downloaded 174 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Flamer worm

#13531 by rkhunter
Wed May 30, 2012 7:31 am

soapr32.ocx component analyse http://stratsec.blogspot.com/2012/05/fl ... 32ocx.html
hash list with descripton https://code.google.com/p/malware-lu/wi ... are_flamer
Sophos hashes http://www.sophos.com/en-us/threat-cent ... lysis.aspx

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Flamer worm

#13532 by kmd
Wed May 30, 2012 11:36 am

:lol:

Username

kmd

Posts

271

Joined

Mon Mar 15, 2010 4:09 am

Location

Russian Federation

Re: Flamer worm

#13535 by rkhunter
Wed May 30, 2012 12:40 pm

+1
MD5: ee4b589a7b5d56ada10d9a15f81dada9
File size: 391168 bytes
2009-07-29 08:45:52 UTC (!!!)
MS: Worm:Win32/Flame.gen!B

via http://labs.alienvault.com/labs/index.p ... -is-flame/

Attachments

ee4b589a7b5d56ada10d9a15f81dada9.zip

pass:infected
(374.11 KiB) Downloaded 124 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Flamer worm

#13536 by EP_X0FF
Wed May 30, 2012 12:53 pm

So myth about undetectable for years deployment ruined. Awaiting entertainment posts at securelist.

http://www.microsoft.com/security/porta ... 2%2FTosy.A

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Flamer worm

#13537 by rkhunter
Wed May 30, 2012 12:59 pm

EP_X0FF wrote:So myth about undetectable for years deployment ruined. Awaiting entartaiment posts at securelist.

Seems it can't tell that it was targeted to some country except it saw it before...

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Flamer worm

#13538 by 360Tencent
Wed May 30, 2012 1:08 pm

http://labs.alienvault.com/labs/index.p ... -is-flame/

interesting~

http://imgur.com/8Aark

Username

360Tencent

Posts

116

Joined

Thu Dec 15, 2011 12:47 pm

Re: Flamer worm

#13539 by EP_X0FF
Wed May 30, 2012 1:11 pm

360Tencent wrote:http://imgur.com/8Aark

These values can be easily faked.

Also take a look on detection "quality" for the last UPX compressed sample.

original
https://www.virustotal.com/file/c52c1fd ... /analysis/

no UPX
https://www.virustotal.com/file/5b272e4 ... /analysis/

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Flamer worm

#13540 by 360Tencent
Wed May 30, 2012 1:21 pm

agree with you, now more interesting event is taking place

http://www.scmagazineuk.com/united-nati ... le/243329/

The United Nations is to issue a warning to governments about the Flame worm.

Username

360Tencent

Posts

116

Joined

Thu Dec 15, 2011 12:47 pm