The operators of the highly advanced Flame virus activated a self-destruct mechanism over the weekend, removing any traces of the virus from infected computers they managed to control.
Analysts from security software giant Symantec released a statement saying the virus included a module called Suicide, which could have enabled the virus to delete itself. However, it was a different module, browse32.ocx, that was activated to perform the self-delete. According to the analysts, browse32.ocx was downloaded onto the infected computers only recently — its most recent version is dated May 9.
"It locates every file on the disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection. This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind," one analyst said.
The writing of random characters prevent any possible trace and recovery of the deleted file. Normally, when Windows deletes data it does not actually erase it, but instead marks it as free to be written over; it is only actually deleted when something is written over it. This means that recovery programs can often restore deleted data.
The browse32.ocx function erases the contents of files and then writes a sequence of random characters in their place to thwart any form of recovery.
After being exposed in May, the Flame virus was referred to as the most advanced virus of all time by analysts at cyber security firm Kaspersky.
Various media outlets claimed that a virus of that level of sophistication could not be engineered by a group of hackers, but was a product of a government-backed project.
One senior Kaspersky analyst said earlier this month that Flame was "20 times more advanced" than Stuxnet, the cutting-edge virus that managed to sabotage centrifuges in Iran's nuclear facilities last year and was also suspected of having been developed with government backing.