You probably know Microsoft issued security advisory KB2718704 to revoke Microsoft certificates present in the certificate chain of a signed Flame component.
Here are some screenshots of the signature of this Flame component (WuSetupV.exe).
Before revocation:
After revocation:
Didier Stevens 
I would like to know how someone could stolen a digital certificate from Microsoft..
Comment by MARCELO CARVALHO (@mfcarva) — Monday 4 June 2012 @ 19:24
@mfvarca It wasn’t stolen. Here’s what Microsoft wrote in the blogpost I linked to:
What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.
Comment by Didier Stevens — Monday 4 June 2012 @ 19:34
I hope so
Comment by MARCELO CARVALHO (@mfcarva) — Monday 4 June 2012 @ 19:41
Could you please make the SSL certificate(s) available?
I would like to check what hashing function was used.
I notice that your 3rd screenshot mentions md5RSA, so i suppose that the collision Microsoft mentions in http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx is with md5.
Comment by elhoim — Tuesday 5 June 2012 @ 10:25
@elhoim I’ve send you an e-mail.
Comment by Didier Stevens — Tuesday 5 June 2012 @ 11:40
[…] seems to be some interest in the Authenticode signature used in some components of Flame that chain up to Microsoft’s root CA. So I decided to post the full dump of this signature. I extracted the signature from WuSetupV.exe […]
Pingback by Flame Authenticode Dumps (KB2718704) « Didier Stevens — Wednesday 6 June 2012 @ 9:37