Thursday, 31 May 2012

Latest Flame/W32 Malware protection released in market


Speculations about the ‘most sophisticated cyber weapon yet unleashed’ especially in the middle-east has remediation, exactly interpreting Newton’s Third Law of motion “For every action there is an equal and opposite reaction”. That’s why the antivirus giants are made for..!

Flame/W32 Malware

Cyber attacks are becoming increasingly sophisticated through programs that can operate many actions remotely without being detected easily. This Notice will illustrate the function of “Worm.W32/FLAME” a malware targeting Windows based systems (XP, Vista and Windows 7), presenting an incredible set of features that would capture sensitive information and send it to remote servers for criminal, espionage or other malicious activities.

I just reviewed our antivirus protection labs online which says that we are protected with this outbreak. I confirmed to my colleagues for not to be panic as that our infrastructure running McAfee ePO - McAfee DAT protection has taken care of this virus/malware coz. we were currently running 6727 Dat ver. released yesterday. The AV & ASpyware coverage for W32/Skywiper was included in 6726 version itself.

http://www.mcafee.com/us/about/skywiper.aspx << Mcafee Labs briefings
[AV / MWG Coverage is provided in the 6726 DATs released on May 29) as "Skywiper"]
http://blogs.mcafee.com/mcafee-labs/jumping-in-to-the-flames-of-skywiper


In a nutshell: (..also read my article about - Information Security Awareness)

Spreading method
The malware spreads via networks or removable media; it may also hold different names as described in a table in the Appendix B of this document.
Risks
The most direct and immediate risk highlighted by this event is the theft of sensitive information or records. In general, the risks are multiple when considering the number of existing or upgradeable functions that this malware allows to plug-in.
Detection
Watch carefully for the presence of the following files on your system:

1. Perform a search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.


2. Check the registry key HKLM_SYSTEM\CurrentControlSet\Control\Lsa\ Authentication Packages.
    If you find mssecmgr.ocx or authpack.ocx in there - you are infected with Flame.

3. Check for the presence of the following catalogs. If present - you’re infected.
    C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
    C:\Program Files\Common Files\Microsoft Shared\MSAudio
    C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
    C:\Program Files\Common Files\Microsoft Shared\MSAPackages
    C:\Program Files\Common Files\Microsoft Shared\MSSndMix

4. Perform a search for the following files:
svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx

Recommendations/Risk Mitigation
The following actions will help to contain and remove the infection of the malware:

·         Patch your Windows system, office applications and instant messenger applications

·         Update your antivirus/antimalware solution

·         Specific removal tools exist as vendors have started to deploy them. From McAfee Labs stinger tools are available here.

Virus detected by AV software
The malware can have various names and here is a list below with has been identified with different naming:

Antivirus          Result
AhnLab-V3       -
AntiVir             TR/Flamer.A
Antiy-AVL        -
Avast   -
AVG     -
BitDefender    Trojan.Flame.A
ByteHero         -
CAT-QuickHeal            -
ClamAV           -
Commtouch    -
Comodo           -
DrWeb             Win32.HLLW.Flame.1
Emsisoft          Worm.Win32.Flame!IK
eSafe   -
F-Prot -
F-Secure          Trojan.Flame.A
Fortinet           -
GData Trojan.Flame.A
Ikarus Worm.Win32.Flame
Jiangmin          -
K7AntiVirus     EmailWorm
Kaspersky        Worm.Win32.Flame.a
McAfee           SkyWiper
McAfee-GW-Edition    Artemis!BDC9E04388BD
Microsoft        Worm:Win32/Flame.gen!A
NOD32            Win32/Flamer.A
Norman           -
nProtect          Worm/W32.Flame.6166528
Panda -
PCTools           Malware.Flamer
Rising -
Sophos             W32/Flame-Gen
SUPERAntiSpyware     -
Symantec        W32.Flamer
TheHacker       -
TotalDefense   -
TrendMicro     WORM_FLAMER.A
TrendMicro-HouseCall           -
VBA32             BScope.Trojan.MTA.01233
VIPRE   Worm.Win32.Flame.a
ViRobot           Worm.Win32.S.Flame.6166528
VirusBuster     -

.. more Antivirus & Antispyware
.. more Antivirus Free recommended Downloads
Posted by ventej.blogspot.com at 10:18
Labels:

1 comments:

Anonymous said...

thanks for the update. we were partially infected. mcafee stinger tool helped us to stop this from spreading.

31 May 2012 at 12:18

Post a Comment

Subscribe to: Post Comments (Atom)