To complete the ruse, the downloader was one of several compressed files -- crunched into the "cabinet," or ".cab" file format -- bundled into the single Windows Update.
Once the downloader was installed it retrieved a copy of Flame from the already-infected PC and uses it to compromise the computer.
This complex spreading technique only added to researchers' grudging respect for the threat.
"As we continue our investigation ... more and more details appear [that show] this is one of the most interesting and complex malicious programs we have ever seen," said Alexander Gostev, who leads Kaspersky's research and analysis team, in a Monday blog entry.
Microsoft has revoked three certificates generated by the attackers, making further spoofing of Windows Update files impossible on patched PCs unless there are more rogue certificates in the wild. The company has also blocked others from cranking out new code-signing certificates.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.