[rkhunter]

+2
MD5: 20732c97ef66dd97389e219fc0182cb5
MD5: f0a654f7c485ae195ccf81a72fe083a2

[Blaze]

This post has a nice synopsis about the 'Flame(r) worm':
http://jeffreycarr.blogspot.com/2012/05 ... lysis.html

;)

[360Tencent]

http://www.f-secure.com/weblog/archives/00002372.html

http://www.symantec.com/connect/blogs/p ... -w32flamer

[rkhunter]

Source: https://code.google.com/p/malware-lu/wi ... are_flamer
All hashes collection http://artemonsecurity.blogspot.com/201 ... s-itw.html

soapr32.ocx analyse http://stratsec.blogspot.com.au/2012/05 ... 32ocx.html
msglu32.ocx analyse http://stratsec.blogspot.com/2012/05/fl ... t-can.html
mssecmgr.ocx http://www.securelist.com/en/blog/20819 ... eetleJuice

[rkhunter]

It infects fine my WinXP SP3:
- file with MD5: bdc9e04388bda8527b398a8c34667e18 rename to msdclr64.ocx
- execute command "rundll32.exe msdclr64.ocx,DDEnumCallback" with full path to msdclr64.ocx
- wait rundll terminate
- go to HKLM_SYSTEM\CurrentControlSet\Control\Lsa and look mssecmgr.ocx was added to Authentication Packages
- next reboot
- waiting for payload downloads
On infected system:


Missed mscrypt.dat, ntcache.dat from infected machine in attach.

CrySys report very useful for infection reproduce.

[rkhunter]

Guys, anyone can help with tool/code for .dat decryption?

[360Tencent]

http://blogs.mcafee.com/mcafee-labs/wha ... es-tell-us

http://www.theregister.co.uk/2012/05/31 ... _analysis/

http://www.symantec.com/connect/blogs/f ... etoothache

http://blog.trendmicro.com/update-on-flame/

[EP_X0FF]

Guys, anyone can help with tool/code for .dat decryption?

I'm sorry this code is fast & ugly but overall principle should be clear :)
There are some PE executables inside dat files (4 in mscrypt.dat). For example (RAW copy-past) https://www.virustotal.com/file/04c84a3 ... 338521820/ Hehe dr.web fails again.

Code: Select all

byte dict[256] = {
234,
130,
99,
174,
163,
140,
102,
73,
243,
1,
103,
6,
18,
199,
182,
178,
7,
239,
28,
193,
117,
253,
23,
62,
224,
254,
61,
202,
30,
221,
26,
149,
181,
192,
183,
248,
157,
31,
226,
47,
145,
67,
111,
191,
175,
159,
250,
166,
205,
95,
81,
96,
101,
143,
255,
249,
187,
153,
77,
89,
241,
105,
116,
208,
46,
240,
108,
42,
196,
179,
127,
176,
36,
128,
113,
10,
48,
150,
118,
106,
63,
122,
137,
33,
151,
207,
55,
242,
223,
52,
190,
59,
20,
11,
238,
16,
4,
17,
78,
70,
134,
12,
87,
71,
162,
230,
225,
79,
169,
206,
198,
218,
125,
43,
83,
216,
40,
75,
123,
37,
222,
236,
29,
156,
164,
139,
110,
85,
142,
57,
93,
74,
56,
168,
53,
246,
19,
27,
251,
50,
131,
120,
90,
97,
154,
136,
80,
35,
184,
64,
252,
39,
247,
66,
104,
203,
84,
86,
9,
186,
49,
138,
212,
24,
213,
91,
228,
172,
2,
185,
129,
170,
44,
58,
0,
167,
209,
195,
161,
112,
244,
155,
119,
197,
201,
158,
121,
109,
15,
200,
173,
76,
60,
92,
65,
133,
88,
219,
141,
98,
229,
144,
215,
14,
204,
3,
171,
147,
21,
72,
232,
8,
41,
188,
124,
68,
146,
126,
210,
165,
235,
180,
217,
54,
38,
160,
34,
100,
227,
231,
177,
51,
194,
115,
135,
25,
69,
211,
5,
245,
45,
114,
94,
148,
233,
237,
152,
220,
214,
22,
189,
32,
107,
132,
82,
13
};

byte DecodeByte(byte c)
{
	int i = 0;
	byte j;
	for ( i = 0; i < 256; i++ ) {
		j = dict[i];
		if ( j == c ) 
			break;
	}
	return i;
}

void DecryptDatFile(LPTSTR f)
{
	byte *in, *out = NULL;
	DWORD i, bytesIO = 0;
	HANDLE hOutput = NULL;

	in = (byte*)MapFile(f, &bytesIO);
	if ( in ) {

		out = (byte*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bytesIO);
		if ( out ) {

			for ( i = 0; i < bytesIO; i++ ) 
				out[i] = DecodeByte(in[i]);		
			
			hOutput = CreateFile(TEXT("output.dat"), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
			if ( hOutput ) {

				WriteFile(hOutput, (LPCVOID)out, bytesIO, &bytesIO, NULL);
				CloseHandle(hOutput);
			}

			HeapFree(GetProcessHeap(), 0, out);
		}
		UnmapViewOfFile(in);
	}
}

[rkhunter]

Hehe dr.web fails again.

I'm not surprised, think you too.

[rkhunter]

Hash list by McAfee