What “the FLAME” is, How to check if you are infected

What "the FLAME" is, How to check if you are infected 1If you keep track of technology news, you must have heard about “The FLAME” which led to had caused substantial damage and massive data loss in what may be most destructive cyber attack on Iran. Today we will talk about what  “the FLAME” is and How to check if your system is infected by it too.

What is “The FLAME”

It is a sophisticated attack toolkit and comlex in nature. It acts as backdoor, a Trojan, and even worm to to replicate itself in local network and on removable media. On infection, it performs complex operations like sniffing the network traffic, taking screenshots, recording audio conversations, intercepting keyboard & much more.

It collects all the data obtained by performing these operations and can be retrived by the FLAME writer using their servers. It can download additional modules to perform additional operations. 20 sucvh modules are detected till now that can be downloaded.

When deployed fully, the package of modules comprise  of ~20 MB as it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine making it extremely difficult to analyse by Antivirus vendors or anyone else.

Modules of Flame

Beetlejuice Bluetooth: enumerates devices around the infected machine.
May turn itself into a “beacon”: announces the computer as a discoverable device and encode the status of the malware in device information using base64.
Microbe Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.
Infectmedia Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.
Autorun_infector Creates “autorun.inf” that contains the malware and starts with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.
Euphoria Create a “junction point” directory with “desktop.ini” and “target.lnk” from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.
Limbo Creates backdoor accounts with login “HelpAssistant” on the machines within the network domain if appropriate rights are available.
Frog Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant” that is created by the “Limbo” attack.
Munch HTTP server that responds to “/view.php” and “/wpad.dat” requests.
Snack Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started. Collected data is then used for replicating by network.
Boot_dll_loader Configuration section that contains the list of all additional modules that should be loaded and started.
Weasel Creates a directory listing of the infected computer.
Boost Creates a list of “interesting” files using several filename masks.
Telemetry Logging facilities
Gator When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.
Security Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.
The purpose of these modules is not yet known.

Apart from those above, additional modules are installed in the %windir%\system32\ directory.

How to check for Flame Infection

1. Perform a search for the file ~DEB93D.tmp. If you are able to fin the said file on your system, it means that your system either is or has been infected by Flame.

2. Check for registry key HKLM_SYSTEM >> CurrentControlSet >> Control >> Lsa >> Authentication Packages. If you find something names mssecmgr.ocx or authpack.ocx there – it means that you are infected with Flame.

3. Check for the presence of the following catalogs. If present – you’re infected.

  • C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
  • C:\Program Files\Common Files\Microsoft Shared\MSAudio
  • C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
  • C:\Program Files\Common Files\Microsoft Shared\MSAPackages
  • C:\Program Files\Common Files\Microsoft Shared\MSSndMix

 4. Conduct a search for the rest of the file names given above. All of them are quite unique and their being discovered would mean that there is a strong possibility of an infection with Flame.

If you want to more about FLAME, please refer the two blog posts by Kaspersky below cited as Source for this Post.


  1. The Flame: Questions and Answers
  2. Flame: Bunny, Frog, Munch and BeetleJuice

2 comments… add one
  • Samuel Link Reply

    Flame is an all-in-one! Takes screenshots, records audio, can sniff network… I very much ask those developers to come into consumer market! Surely they’ll be greeted with a huge success 😉

  • mohsen Link Reply

    you are asking CIA to come into consumer market, we can call it military level virus and definitely is beyond other hackers,even MAHER anstitue has produced an antimalware for it, they wouldn’t publish it to regular users cause it’s a strategic product as you see in kaspersky they requested several month analysis to provide a complete solution.

Leave a Comment