{
	"id": "b3de9da4-e549-4e03-b668-2c67d4c0f193",
	"created_at": "2026-04-06T00:10:18.751168Z",
	"updated_at": "2026-04-10T03:21:51.217568Z",
	"deleted_at": null,
	"sha1_hash": "6d39015a030908b2c78d818000c958cc0ba38508",
	"title": "Malware Trying to Avoid Some Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35679,
	"plain_text": "Malware Trying to Avoid Some Countries\r\nBy Pierre-Marc Bureau\r\nArchived: 2026-04-05 17:58:44 UTC\r\n15 Jan 2009 • 2 min. read\r\nThere are different techniques that a program can use to identify the country in which it has been installed. It can check time zone information, public IP addresses or even domain names. Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.\r\nWe have found some variants of Win32/TrojanDownloader.Swizzor using the following code:\r\ncall    GetSystemDefaultLangID ; Indirect Call Near Procedure\r\n[...]\r\nmov     edi, eax\r\n[...]\r\ncmp     di, 419h\r\njz      end_function\r\nThis code calls the GetSystemDefaultLangID function and compares the result to a constant, 0x419. Browsing through MSDN documentation reveals that this constant's value translates to LANG_RUSSIAN. It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer if they find out that the default system language is Russian.\r\nWe have also identified the following code in the earliest variants of the Win32/Conficker malware:\r\npush    edi             ; lpList\r\npush    esi             ; nBuff\r\ncall    ebx ; GetKeyboardLayoutList\r\ncmp     esi, eax\r\njnz     short list_not_found\r\ndec     esi\r\ncmp     word ptr [edi+esi*4], 422h\r\njz      short dont_install\r\nHere, the malware tries to retrieve a list of keyboard layouts and works through that list. If a layout is found with the language identifier of 0x422, the routine terminates and the malware is not installed. This means that some variants of the Win32/Conficker family will not install on a computer that uses a Ukrainian keyboard layout. Please note that this behavior is only present in W32/Conficker.A. Later variants of this malware infect any PC they can access without checking the keyboard layout.\r\nWhat we are seeing now is probably the beginning of a new trend. Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal actions taken against them. In most countries, there often needs to be a victim or complaint before law enforcement agencies take legal action against an offender in cases of malware infection. In cases where an attacker only targets victims outside of his country, it is much harder for law enforcement agencies to take action.\r\nSpecial thanks to Sebastien Doucet and Volodymyr Pikhur for their help.\r\nPierre-Marc Bureau\r\nResearcher\r\nSource: https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/"
	],
	"report_names": [
		"malware-trying-to-avoid-some-countries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d39015a030908b2c78d818000c958cc0ba38508.pdf",
		"text": "https://archive.orkl.eu/6d39015a030908b2c78d818000c958cc0ba38508.txt",
		"img": "https://archive.orkl.eu/6d39015a030908b2c78d818000c958cc0ba38508.jpg"
	}
}