Being described as the largest, most sophisticated,
most discreet, and certainly the most complex virus ever
created, The Flame virus shows more of its abilities before it disappears.
It has been Proven that Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame’s creators decided to distribute a different self-removal module to infected computers that are still connected to the predefined servers and still under their control.
Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C (command and control) server sent them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. “The Disinfector”
The module “browser32.ocx” has not been seen and recovered from the field, but instead it was captured in honeypots. Any client receiving this file would have had all traces of Flamer removed, including this module itself.The suicide feature and the browse32.ocx module are designed to prevent further forensic analysis.
Meanwhile, an important question remains unanswered, since C&C servers are able to execute a command that kills the flamer virus, aren’t they able to plant the seeds of a new undiscovered virus that will reside undetected for several years performing the same or even more damage that the current Flame virus.
For more info about the files and folders removed by this “browser32.ocx” read the following from Symantec.
It has been Proven that Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame’s creators decided to distribute a different self-removal module to infected computers that are still connected to the predefined servers and still under their control.
Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C (command and control) server sent them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. “The Disinfector”
The module “browser32.ocx” has not been seen and recovered from the field, but instead it was captured in honeypots. Any client receiving this file would have had all traces of Flamer removed, including this module itself.The suicide feature and the browse32.ocx module are designed to prevent further forensic analysis.
Meanwhile, an important question remains unanswered, since C&C servers are able to execute a command that kills the flamer virus, aren’t they able to plant the seeds of a new undiscovered virus that will reside undetected for several years performing the same or even more damage that the current Flame virus.
For more info about the files and folders removed by this “browser32.ocx” read the following from Symantec.
