The controllers of the Flame malware have seemingly responded to the publicity circling the attack by sending out a self-destruct command.Symantec suggests that some command-and-control machines have sent commands designed to remove flame. The compromised computers where sent a file called browse32.ocx which is what aided Flame to uninstall itself from infected computers, and leave no trace. Symantec has dubbed this command action by the bot masters a “urgent suicide” which was captured on Symantec’s honeypots.
The file browse32.ocx contained a list of files and folders to be removed and after the deletion (Full list of deleted files below) the file overwrites the disk with random characters. This uninstaller is coded by the attackers to try and disinfect the system without any traces to try and evade analysis on their cyber weapon.
“The version of this module that we have was created on May 9, 2012,” Symantec’s post notes, which was “just a few weeks” before the malware became known.
Also, Symantec has made another interesting discovery,
The existence of this module is interesting in itself. Previously analyzed Flamer code showed us a component named SUICIDE, which is functionally simiar to browse32.ocx. It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module.
Deleted files
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audcache
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audfilter.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\dstrlog.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\dstrlogh.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3aaux.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3afilter.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m3asound.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4aaux.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4afilter.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m4asound.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5aaux.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5afilter.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\m5asound.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mlcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mpgaaux.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\mpgaud.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\qpgaaux.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\srcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\authcfg.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\ctrllist.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\lmcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\ntcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\posttab.bin
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\secindex.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl\tokencpt
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dmmsap.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm2.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\domm3.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dommt.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlogh.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\Lncache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ltcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscorest.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrol.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mspovst.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msrovst.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msrsysv.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\msvolrst.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\nt2cache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rdcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rmcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\syscache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\syscache3.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\audtable.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\fmpidx.bin
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\lmcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\lrlogic
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\mixercfg.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\mixerdef.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\ntcache.dat
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix\sndmix.drv
- %SystemDrive%\system32\msglu32.ocx
- %SystemDrive%\Temp\~8C5FF6C.tmp
- %Temp%\~*
- %Temp%\~a28.tmp
- %Temp%\~a38.tmp
- %Temp%\~DF05AC8.tmp
- %Temp%\~DFD85D3.tmp
- %Temp%\~DFL542.tmp
- %Temp%\~DFL543.tmp
- %Temp%\~DFL544.tmp
- %Temp%\~DFL545.tmp
- %Temp%\~DFL546.tmp
- %Temp%\~dra51.tmp
- %Temp%\~dra52.tmp
- %Temp%\~dra53.tmp
- %Temp%\~dra61.tmp
- %Temp%\~dra73.tmp
- %Temp%\~fghz.tmp
- %Temp%\~HLV084.tmp
- %Temp%\~HLV294.tmp
- %Temp%\~HLV473.tmp
- %Temp%\~HLV751.tmp
- %Temp%\~HLV927.tmp
- %Temp%\~KWI988.tmp
- %Temp%\~KWI989.tmp
- %Temp%\~mso2a0.tmp
- %Temp%\~mso2a1.tmp
- %Temp%\~mso2a2.tmp
- %Temp%\~rei524.tmp
- %Temp%\~rei525.tmp
- %Temp%\~rf288.tmp
- %Temp%\~rft374.tmp
- %Temp%\~TFL848.tmp
- %Temp%\~TFL849.tmp
- %Temp%\~ZFF042.tmp
- %Temp%\comspol32.ocx
- %Temp%\GRb9M2.bat
- %Temp%\indsvc32.ocx
- %Temp%\scaud32.exe
- %Temp%\scsec32.exe
- %Temp%\sdclt32.exe
- %Temp%\sstab.dat
- %Temp%\sstab15.dat
- %Temp%\winrt32.dll
- %Temp%\winrt32.ocx
- %Temp%\wpab32.bat
- %Temp%\wpab32.bat
- %Windir%\Ef_trace.log
- %Windir%\Prefetch\Layout.ini
- %Windir%\Prefetch\NTOSBOOT-B00DFAAD.pf
- %Windir%\repair\default
- %Windir%\repair\sam
- %Windir%\repair\security
- %Windir%\repair\software
- %Windir%\repair\system
- %Windir%\system32\advnetcfg.ocx
- %Windir%\system32\advpck.dat
- %Windir%\system32\aud*
- %Windir%\system32\authpack.ocx
- %Windir%\system32\boot32drv.sys
- %Windir%\system32\ccalc32.sys
- %Windir%\system32\commgr32.dll
- %Windir%\system32\comspol32.dll
- %Windir%\system32\comspol32.ocx
- %Windir%\system32\config\default.sav
- %Windir%\system32\config\sam.sav
- %Windir%\system32\config\security.sav
- %Windir%\system32\config\software.sav
- %Windir%\system32\config\system.sav
- %Windir%\system32\config\userdiff.sav
- %Windir%\system32\ctrllist.dat
- %Windir%\system32\indsvc32.dll
- %Windir%\system32\indsvc32.ocx
- %Windir%\system32\lrl*
- %Windir%\system32\modevga.com
- %Windir%\system32\mssecmgr.ocx
- %Windir%\system32\mssui.drv
- %Windir%\system32\mssvc32.ocx
- %Windir%\system32\ntaps.dat
- %Windir%\system32\nteps32.ocx
- %Windir%\system32\pcldrvx.ocx
- %Windir%\system32\rpcnc.dat
- %Windir%\system32\scaud32.exe
- %Windir%\system32\sdclt32.exe
- %Windir%\system32\soapr32.ocx
- %Windir%\system32\ssi*
- %Windir%\system32\sstab.dat
- %Windir%\system32\sstab0.dat
- %Windir%\system32\sstab1.dat
- %Windir%\system32\sstab10.dat
- %Windir%\system32\sstab11.dat
- %Windir%\system32\sstab12.dat
- %Windir%\system32\sstab2.dat
- %Windir%\system32\sstab3.dat
- %Windir%\system32\sstab4.dat
- %Windir%\system32\sstab5.dat
- %Windir%\system32\sstab6.dat
- %Windir%\system32\sstab7.dat
- %Windir%\system32\sstab8.dat
- %Windir%\system32\sstab9.dat
- %Windir%\system32\tok*
- %Windir%\system32\watchxb.sys
- %Windir%\system32\winconf32.ocx
Deleted folders
- %ProgramFiles%\Common Files\Microsoft Shared\MSAudio
- %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl
- %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr
- %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix
