Flame virus

First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze.

Why big size makes harder detect?

The size doesn’t make it hard to detect it is hard to “analyze” because it has lots of modules included, which inturn means it’s complex and has more code to analyse/sift through, rather than more efficiently written smaller compact programs.

That’s not what it says. It says it makes it harder to analyze, meaning find out what the virus is doing. Because it is so big it takes a lot of time to check all the code and see what it does.


^^ what he said :wink:

Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.

Do you agree with that?


Employing complex internal functionality using Windows APC calls and and threads start manipulation, and code injections to key processes Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services

I don’t understand it. What is windows APC and its relationship to code injection? What about Winlogon.exe and injecting to explorer.exe ?

Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)

Does it mean it holds attack modules in database?

Thanks in advance!

Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability and spreads only when instructed to do so by the attackers.

Does it mean attackers spread of virus one by one?How attackers choose the next computer in order to attack?How they can understand this right choice? How can they limit?

They test
them against all popular antivirus engines to make sure they cannot be detected by signature files
or any other protection systems (behavioral and heuristic scanning, etc.)

What does “signature files” mean here?

May someone answer my questions please?

In this case, I would assume that it is a file with a hash code created to verify the legitimility of a document.

I would say it’s about tell tale files here; when a file with a certain name is found somewhere the virus scanner knows there’s a virus.

A signature file is used by an anti-virus checker. The file contains strings of code that are uniquely associated with known viruses.

Thank you very much! May you answer other questions?

No. I am not familiar with the Flame virus, so I cannot answer other questions.