
Flame: Bunny, Frog, Munch and BeetleJuice…

Kaspersky Lab Expert
Posted May 29, 20:30  GMT
Tags: Flame, Cyber weapon, Cyber espionage

As already mentioned in the previous blog post about Flame, the volume of its code and functionality is so great that a complete analysis will take several months. We plan to keep disclosing the most important and interesting details of its functionality in our publications as we uncover them.

At the moment we are receiving many inquiries about how to check systems for a Flame infection. The simplest answer, for us, is of course to recommend Kaspersky Anti-Virus or Kaspersky Internet Security, which detect and remove all currently known modifications of the main module and the additional components of Flame.

However, for those who want to carry out a detailed check themselves, at the end of this article we will give the necessary recommendations and advice.


The main module of Flame is a DLL file called mssecmgr.ocx. We have found two modifications of this module. Most infected machines contained the "big" version, about 6 MB in size, which carries and deploys the additional modules. The smaller version is only about 900 KB and contains no additional modules; after installation it connects to one of the C&C servers and tries to download and install the remaining components from there.

On actual infected machines mssecmgr may carry different names, depending on the infection method and the current internal state of the malware (installation, replication, upgrade), e.g., wavesup3.drv, ~zff042.ocx, msdclr64.ocx.

Complete analysis of the mssecmgr module will follow in our upcoming blog posts.

The first activation of this file is triggered from outside the module: either through Windows WMI, using a MOF file, when the MS10-061 (Print Spooler) exploit is used, or through a BAT file. The MOF file carries the following JScript, which launches the main module (here under one of its alternative names, msdclr64.ocx) via rundll32:

// JScript from the MOF file: create a Windows Script Host shell object...
s1 = new ActiveXObject("Wscript.Shell");
// ...and use it to load the main module through rundll32, calling the
// module's exported entry point DDEnumCallback.
s1.Run("%SYSTEMROOT%\\system32\\rundll32.exe msdclr64.ocx,DDEnumCallback");

(source code of the MOF file, svchostevt.mof)
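The MOF route relies on a permanent WMI event subscription: once compiled, the MOF populates the root\subscription namespace with an event filter (the trigger) bound to an event consumer that holds the script. The PowerShell below, added here as an example and not part of the original post, lists every such subscription on a host and flags consumers whose payload looks like the launcher above. It assumes the JScript shown is the ScriptText of an ActiveScriptEventConsumer (the page shows the script but not the rest of svchostevt.mof), and the pattern it flags on is an assumption as well.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag those
# that load a DLL through rundll32 the way the Flame MOF script does.
# Assumption: the script is registered as an ActiveScriptEventConsumer.
function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($c in $consumers) {
        # Only two consumer classes carry an executable payload.
        $payload = switch ($c.__CLASS) {
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '' }
        }

        # Resolve the filter(s) bound to this consumer so the trigger is visible.
        $triggers = foreach ($b in $bindings) {
            if ($b.Consumer -like "*$($c.Name)*") {
                foreach ($f in $filters) {
                    if ($b.Filter -like "*$($f.Name)*") { $f.Query }
                }
            }
        }

        # Heuristic (assumed, not from the page): a script host running rundll32
        # against an .ocx is exactly what the launcher above does.
        $flag = [bool]($payload -match 'rundll32|\.ocx|WScript\.Shell')

        New-Object PSObject -Property @{
            Consumer   = $c.Name
            Class      = $c.__CLASS
            Trigger    = ($triggers -join ' | ')
            Payload    = ($payload -replace '\s+', ' ')
            Suspicious = $flag
        }
    }
}

Get-WmiSubscriptionReport | Sort-Object Suspicious -Descending | Format-List
```

Run it from an elevated prompt. On Windows XP and Server 2003 a MOF dropped into %windir%\system32\wbem\mof is compiled automatically and then moved to the good or bad subfolder, so look there for svchostevt.mof as well; Windows Vista and later no longer compile that folder automatically, so on those systems the subscription only exists if the file was compiled explicitly.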

When activated, mssecmgr registers itself as a custom authentication package in the Windows registry by appending its name to the REG_MULTI_SZ value Authentication Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:

Authentication Packages = mssecmgr.ocx   [added to the existing entries; on a standard installation the only existing entry is msv1_0]

On the next system boot the module is loaded automatically by the operating system: LSA (lsass.exe) loads every DLL listed in that value, so the malware needs no Run key or service of its own and its code runs inside a SYSTEM process.

After updating the registry, mssecmgr extracts any additional modules present in its encrypted and compressed resource section (resource "146") and installs them. The resource is a dictionary that contains configuration options for mssecmgr and the other modules, the modules themselves (DLL files), and the parameters that must be passed to those modules to load them properly, such as decryption keys.

We are analyzing the additional modules and will provide more information about their functionality in coming blog posts.

When installation is complete, mssecmgr loads the available modules and starts several execution threads that, depending on the configuration, implement the channel to the C&C servers, host the Lua interpreter, and provide other features. The module's functionality is separated into "units" that have their own namespaces in the configuration resource and distinct names in log messages, which are used extensively throughout the code.

Here is a brief overview of the available units. The names were extracted from the binary and the 146 resource.

Beetlejuice: Bluetooth. Enumerates devices around the infected machine. May turn itself into a "beacon": announces the computer as a discoverable device and encodes the status of the malware in the device information using base64.
Microbe: Records audio from existing hardware sources. Lists all multimedia devices, stores the complete device configuration, and tries to select a suitable recording device.
Infectmedia: Selects one of the methods for infecting removable media such as USB disks. Available methods: Autorun_infector, Euphoria.
Autorun_infector: Creates an "autorun.inf" that contains the malware and launches it with a custom "open" command. The same method was used by Stuxnet before it switched to the LNK exploit.
Euphoria: Creates a "junction point" directory with "desktop.ini" and "target.lnk" built from the LINK1 and LINK2 entries of resource 146 (these entries were not present in the resource we analyzed). The directory acts as a shortcut that launches Flame.
Limbo: Creates backdoor accounts with the login "HelpAssistant" on machines within the network domain, if the necessary rights are available.
Frog: Infects machines using pre-defined user accounts. The only account specified in the configuration resource is "HelpAssistant", the one created by the "Limbo" attack.
Munch: HTTP server that responds to "/view.php" and "/wpad.dat" requests (wpad.dat is the proxy auto-configuration file that clients fetch through Web Proxy Auto-Discovery).
Snack: Sniffs network interfaces and saves received NBNS (NetBIOS Name Service) packets to a log file. Has an option to start only when "Munch" is started. The collected data is then used for replication over the network.
Boot_dll_loader: Configuration section listing all additional modules that should be loaded and started.
Weasel: Creates a directory listing of the infected computer.
Boost: Creates a list of "interesting" files using several filename masks.
Telemetry: Logging facilities.
Gator: When an Internet connection becomes available, connects to the C&C servers, downloads new modules, and uploads collected data.
Security: Identifies programs that may be hazardous to Flame, such as anti-virus programs and firewalls.
Several other units named in the binary and in resource 146 (Bunny among them) have not been analyzed yet; their purpose is not yet known.

Additional modules are installed in the %windir%\system32\ directory:


Additional modules downloaded from the C&C servers are installed in the same directory.

The modules of the Flame malware produce a lot of data files that contain extensive execution logs, plus the collected information - screenshots, lists of processes, hardware listings, etc.

The files are saved in the %windir%\temp directory using following names:


There are also optional files that can be found in the %windir%\system32 directory:


Also, in %windir%\:


Flame stores its persistent data in files of several formats. All of the data is encrypted using several algorithms and keys. Some of the files are databases created with a built-in SQLite3 library; these hold data produced by both the data-stealing and the replication routines. We will provide more information about these files in later publications.

The directory names used by the additional components of Flame may differ slightly depending on the type of installation and the configuration options from resource 146:

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix

These directories may contain the following files:

mscrypt.dat (or wpgfilter.dat)
rccache.dat (or audfilter.dat)
ssitable (or audache)
wavesup3.drv (a copy of the main module, mssecmgr.ocx, in the MSAudio directory)

Flame can also produce or download files with the following names:


Putting this together, here is a method for a quick "manual" check of a system for the presence of a Flame infection:

1. Search for the file ~DEB93D.tmp. Its presence on a system means that the system either is or has been infected by Flame.

2. Check the registry value Authentication Packages under the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
If mssecmgr.ocx or authpack.ocx is listed there, you are infected with Flame.

3. Check for the presence of the following directories. If any of them is present, you are infected.

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
C:\Program Files\Common Files\Microsoft Shared\MSAudio
C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
C:\Program Files\Common Files\Microsoft Shared\MSAPackages
C:\Program Files\Common Files\Microsoft Shared\MSSndMix

4. Search for the rest of the filenames given above. All of them are quite unique, and finding any of them means there is a strong possibility of a Flame infection.

Note that the file and directory names in steps 1, 3 and 4 can vary with the installation type and the configuration options in resource 146, so a negative result from this manual check does not prove that a system is clean.
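The four steps above, together with the Authentication Packages persistence described earlier, as one PowerShell script. This is an added example, not a tool from the original post: the list of file names is assembled only from names that appear on this page, the search is limited to the directories the page names, and the additional check of the Program Files (x86) Common Files path on 64-bit Windows is an assumption the page does not make.

```powershell
# Added example: quick manual Flame check from the four steps above plus the
# Authentication Packages persistence. Run from an elevated prompt.
# Returns one line per indicator; an empty result does NOT prove a clean host.
function Test-FlameIndicators {
    $findings = @()

    # Step 2: the LSA authentication package registration (REG_MULTI_SZ).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsa -Name 'Authentication Packages').'Authentication Packages')
    foreach ($pkg in $packages) {
        if ($pkg -match '^(mssecmgr|authpack)\.ocx$') {
            $findings += "registry: Authentication Packages lists $pkg (Flame)"
        } elseif ($pkg -ne 'msv1_0') {
            # Not a Flame name, but msv1_0 is the only entry on a standard install.
            $findings += "registry: unexpected authentication package '$pkg' - review"
        }
    }

    # Step 3: the install directories. On 64-bit Windows the 32-bit module may
    # land under the (x86) Common Files path (assumption, not stated on the page).
    $commonRoots = @("${env:CommonProgramFiles}\Microsoft Shared")
    if (${env:CommonProgramFiles(x86)}) {
        $commonRoots += "${env:CommonProgramFiles(x86)}\Microsoft Shared"
    }
    foreach ($root in $commonRoots) {
        foreach ($name in 'MSSecurityMgr','MSAudio','MSAuthCtrl','MSAPackages','MSSndMix') {
            $dir = Join-Path $root $name
            if (Test-Path -LiteralPath $dir) { $findings += "directory: $dir" }
        }
    }

    # Steps 1 and 4: file names taken from this page. ~DEB93D.tmp alone is
    # enough to conclude the host is or was infected.
    $names = @('~DEB93D.tmp', 'mssecmgr.ocx', 'authpack.ocx', 'wavesup3.drv',
               '~zff042.ocx', 'msdclr64.ocx', 'svchostevt.mof',
               'mscrypt.dat', 'wpgfilter.dat', 'rccache.dat', 'audfilter.dat',
               'ssitable', 'audache')
    $searchRoots = @($env:windir) + $commonRoots   # %windir% covers system32 and temp
    foreach ($root in $searchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $hits = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($names -contains $_.Name) }
        foreach ($h in $hits) {
            $tag = if ($h.Name -eq '~DEB93D.tmp') { 'file (definitive)' } else { 'file' }
            $findings += "${tag}: $($h.FullName)"
        }
    }
    return $findings
}

$result = @(Test-FlameIndicators)
if ($result.Count -eq 0) {
    'No Flame indicators from this page were found (this is not proof of a clean system).'
} else {
    $result | ForEach-Object { "INDICATOR $_" }
}
```

The recursive walk of %windir% can take several minutes on an older machine. Because the Security unit looks for anti-virus software and a live infection can interfere with tools run on the host, a mismatch between this script and an AV scan is a reason to inspect the disk from a clean boot medium rather than to trust either result.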

P.S. We have checked the information suggested in the comments on our blog post regarding a possible relation to FLAME (Flexible Lightweight Active Measurement Environment), a piece of software from Brazil.

Interestingly, the name we picked fully matches that software, which also uses Lua to implement its business logic. The FLAME software measures network characteristics by deploying measurement agents and collecting data in a central database. Despite some similarities, we think this software is unrelated, as it serves different objectives. Besides the Lua engine, the core of communication in FLAME is the XMPP protocol, which is not used by the Flame malware.

The authors might have been inspired by the FLAME project and re-implemented a similar architecture for a different goal, or it is all just a coincidence. We have no other reason to think that it is somehow related to the Flame malware.



Roy Fuller

2012 May 30, 04:50


It's curious that in the first Flame article (The Flame: Questions and Answers) you state "Flame does not use the Tilded platform." But, in this article the first step to detection of the Flame on a system is to search for "~DEB93D.tmp", which begins with ~D. In a previous Kaspersky Stuxnet/Duqu article it was stated that the platform was called "'Tilded' (because of the tendency of its creators to use files that start with the tilde symbol (~))."



2012 May 30, 05:42

Re: Tilded?

Just a coincidence, but, yes, we found it because of the name :)


Roy Fuller

2012 May 30, 05:47

Re: Re: Tilded?

Coincidence or not these duqu/stuxnet and now flame blog posts have been very interesting. Thanks for the great info Aleks!



2012 May 30, 17:42

DNSchanger funct.

Anyone found any DNSchanger kind of a functionality?



2012 May 31, 15:43

Network behaviour

Are there any known facts about the network spreading, scanning or communication behavior of Flame?


Hector Luis

2012 May 31, 17:14

I am infected

Unfortunately, I found the files. What happened is that I noticed my PC was very slow, and there were also attacks on my website. From different IPs they were trying to get into my PC. One of the viruses was d1.exe (I don't know if it is related), but when I activated different antivirus programs they blocked many IPs, so I decided to find out about this virus and finally discovered it. Can you assure me that Kaspersky removes it? And thank you for all the info.

Edited by Hector Luis, 2012 May 31, 17:28


Dmitry Bestuzhev

2012 Jun 02, 18:51

Re: I am infected

Hello Hector.

It appears that your infection is not related to Flame.


Hector Luis

2012 May 31, 17:22

It won't let me use the antivirus

I forgot to mention that I was unable to use the Kaspersky antivirus: as soon as I tried to install it I got a message saying it was impossible because files were missing. Right now I am downloading the trial version of Kaspersky Internet Security 2012 and I will report what happens.


Dmitry Bestuzhev

2012 Jun 02, 18:53

Re: It won't let me use the antivirus

Remember that you can also disinfect your machine with our free tool called Kaspersky Virus Removal Tool, which can be downloaded from http://www.kaspersky.com/antivirus-removal-tool-register It does not require installation and can be used alongside any AV you have on your machine.


Hector Luis

2012 May 31, 17:56

problem with antivirus

Cannot copy klif.sys, there is no path; however, is that the problem?



2012 May 31, 19:52

You mentioned the source code of the MOF file above; what's the batch file look like? I'm assuming it just starts the malware using rundll32 or some such, but there could be more to it.


Hector Luis

2012 May 31, 20:40

install and tried Kaspersky antivirus

Even after all this, it shows in HKEY_CURRENT_USER/Software/Microsoft/Search Assistant/Acmru/5630/ (all the files mentioned in this forum)


Hector Luis

2012 May 31, 20:43

search words windows xp

They may be the search words you entered after reading this forum, and these are not files.


Hector Luis

2012 May 31, 20:46

Apparently the virus works very well

I detected malware others do not.



2012 May 31, 22:29

Preventing Spearphishing

Users would be less vulnerable to deception if they used SP Guard from Iconix.



2012 May 31, 23:22


MD5: bdc9e04388bda8527b398a8c34667e18
SHA1: a592d49ff32fe130591ecfde006ffa4fb34140d5
File size: 6166528 bytes
File name: mssecmgr.ocx


Hector Luis

2012 May 31, 23:59

Thanks, but Kaspersky still does not eliminate di.exe

Continuously on startup it detects the virus di.exe


Mehdi Ilbeigi

2012 Jun 01, 00:01

Flame Remover

Link Download:
http://www.certcc.ir/index.php?module=file_manager&func=getit&lid=26

Folder Remover Copy----> C:\

Run C:\Remover\remover.exe


Edited by Mehdi Ilbeigi, 2012 Jun 01, 00:55



2012 Jun 01, 09:14

Use Bitdefender Removal Tool

http://labs.bitdefender.com/wp-content/uploads/downloads/2012/05/TrojanFlamer_BDRemovalToolDropper_x86.exe

Source: http://www.donotcrack.com/2012/06/how-to-remove-trojan-flamer.html



2012 Jun 01, 13:03

List of C&C?

Thanks for this analysis. Do you have a list of known C&C servers? Any other information related to the user agent used by the Munch module?



2012 Jun 04, 02:02

The article seems really interesting. I myself am a programmer and a kind of hacker (not black hat) and just love coding simple but most effective trojans.
I wonder why Microsoft doesn't make a proper OS and drop VBScript from it?
Anyone with even basic knowledge of programming could design such a destructive trojan with some effort and time.

By the way, isn't it possible to trace them by tracing the outgoing connections established by FLAME to their servers to upload data?



2012 Jun 04, 02:28

Windows only or Mac as well?

Does Flame only affect the Windows operating system, or also Mac OS X? I ask because, if it does, how could we search for the infection? Thoughts?



2012 Jun 04, 16:50

And does it use ftp.exe to upload data to their server?



2012 Jun 05, 08:19

Does bunny have any relationship to rabbIT? http://www.khelekore.org/rabbit/



2012 Jun 12, 19:44

In front of me...

I feel that something is weird with that virus...
Anyway, what about the 'registry block' thing that ESET mentioned during their research on Duqu and Stuxnet?



2012 Jul 07, 07:29

HelpAssistant and more

Couple of things I found curious..

Flame's Limbo module created a HelpAssistant user just like Mebroot used to.. could this mean a link between the author(s), or possibly that Mebroot was an earlier version of this module, or probable code sharing or more?

Also, with certain latter releases of tdl4/alureon the malware would access certain vulnerable routers changing the DNS servers.. with such robust functionality is flame similarly affecting users routers or DNS servers?

Why would the writers decide not to create an actual PE-file-infecting piece of malware like Vundo etc. to conceal the infection? Loading DLLs into Windows processes has become quite common... From what I've seen, any amateur malware analyst could have identified this infection on a host machine. Its concealment methods may have been semi-advanced a few years back, but these types of infections have become quite common in recent years.

With tdl we saw quotes from the simpsons and etc in the install log files.. do we see anything like this with flame or anything that gives us insight about the authors interests, humor, or etc? If not could this be because the authors were hired to write this software and that their code would be under scrutiny?

Also, in some other malware we see checks for keyboard languages to prevent infections in certain geographical locations. In theory, if this was an attack carried out by, say, Israel and the US, are there checks to prevent the installation on such local machines? It would seem wise to add such a check to ensure the malware didn't infect a machine that wasn't in the targeted areas, to prevent any red flags from other developed countries or security professionals.

One last thought.. IF this was part of a cyber warfare program and is a collaboration of some of our best malware authors in(and out of?) the US.. I for one am greatly disappointed.. Sure, it is packed with features.. but it seems like the same regurgitated malware we've been seeing for years.. for a government project it seems rather weak and easily detectable... which somewhat frightens/worries me...



2013 Jan 02, 00:50

Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
Do you agree with that?

Employing complex internal functionality using Windows APC calls and threads start manipulation, and code injections to key processes. Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services.
I don't understand it. What is a Windows APC and what is its relationship to code injection? What about Winlogon.exe and injecting into explorer.exe?

Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
Does it mean it holds the attack modules in a database?

Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability and spreads only when instructed to do so by the attackers.
Does it mean the attackers spread the virus one by one? How do the attackers choose the next computer to attack? How can they be sure it is the right choice? How can they limit it?

Thanks in advance!
