Flame malware controllers send uninstall command

Kaspersky Lab had announced the discovery of a sophisticated piece of malware called Flame, and the recent spate of Flame attacks has been grabbing headlines across the world. It was said to have been actively used as a cyber weapon targeting entities across several countries. It started off in the Middle East and was said to be spreading across the world. The malware was discovered by Kaspersky Lab’s experts during an investigation prompted by the International Telecommunication Union (ITU), and analysis of the malicious program revealed it was the largest and most complex attack toolkit to date. Kaspersky Lab’s analysis also revealed that the malware was being used for cyber espionage, infecting computers to steal data and sensitive information. The stolen data would then be sent to one of Flame’s command & control (C&C) servers.


According to Symantec, the Flame malware also has a self-terminate feature, called SUICIDE, which can be used to remove the malware from an infected PC. Control of this feature, however, lies in the hands of the people who developed the malware. Flame's command and control servers send updates to the infected PCs, and in this case the updates instructed the malware to remove itself. A file named browse32.ocx was also sent to each of those PCs to carry out the removal. The module would then delete a large number of files from the Windows installation. Most of them were in the Program Files folder, while some were in temporary folders across the drive.


Flame to go up in flames?



This module is said to have been made on the 9th of May, a few weeks after the malware was found to be spreading on the web. The module may have been tested even before the malware was released on the web. 


Soon after the malware was discovered, Kaspersky Lab contacted CERTs in multiple countries to inform them about the Flame C&C domain information and the IP addresses of the malicious servers. Kaspersky Lab also released some interesting notes:


  • During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
  • The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
  • Infected users were registered in multiple regions, including the Middle East, Europe, North America and Asia-Pacific.
  • The Flame attackers seem to have a high interest in PDF, Office and AutoCAD drawings.
  • The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.


If the actions are successful, we should soon have reports on the web of the effect of the Flame malware subsiding in the days and weeks to come.

Published Date: Jun 08, 2012 11:02 am | Updated Date: Jun 08, 2012 11:02 am