(C++) Infection by Localisation by Thomas Roccia

Created the Tuesday 13 December 2022. Updated 1 month, 2 weeks ago.

Description:

In this code, the IsLanguageInstalled function checks whether the specified language, identified by its LCID (Language Code Identifier), is installed on the system; it does this by enumerating the value names under the HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language registry key. Malware using this technique can check the languages installed on a Windows machine and not run if Russian is present.

Code

#include <Windows.h>
#include <winreg.h>
#include <wchar.h>

// Registry subkey, opened under HKEY_LOCAL_MACHINE by IsLanguageInstalled, whose
// value names are enumerated by the language check.
#define LANG_KEY "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language"
// LCID the sample tests for: 1049 decimal (0x0419), Russian.
#define RUSSIAN_LCID 1049

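// Check whether `lcid` appears as a value name under
// HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language.
//
// Parameters:
//   lcid - language code identifier to look for (e.g. 1049 / 0x0419).
// Returns:
//   true if a value whose name parses as hexadecimal to `lcid` exists;
//   false if no value matches or the key cannot be opened.
//
// NOTE(review): this only tests for the presence of a value name. Whether that
// reflects a language that is actually installed on a given Windows version is
// not established by this code; confirm before relying on it in analysis tooling.
bool IsLanguageInstalled(LCID lcid)
{
  HKEY hKey;
  // The A/W variants are spelled out so the narrow LANG_KEY literal and the
  // WCHAR name buffer each match their API whether or not UNICODE is defined.
  if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, LANG_KEY, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
  {
    return false;
  }

  bool found = false;
  WCHAR szValueName[32];
  for (DWORD dwIndex = 0; !found; ++dwIndex)
  {
    // RegEnumValue expects the buffer size in characters, not bytes, and
    // overwrites it with the returned name length, so it is reset on every pass.
    DWORD dwValueNameLen = sizeof(szValueName) / sizeof(szValueName[0]);
    LONG status = RegEnumValueW(hKey, dwIndex, szValueName, &dwValueNameLen, NULL, NULL, NULL, NULL);
    if (status == ERROR_MORE_DATA)
    {
      // A name too long for the buffer cannot be an LCID; skip it rather than
      // ending the enumeration early.
      continue;
    }
    if (status != ERROR_SUCCESS)
    {
      // ERROR_NO_MORE_ITEMS or a genuine failure: stop enumerating.
      break;
    }

    // Value names under this key are hexadecimal language IDs (e.g. "0419"),
    // so parse base 16. Requiring the whole name to be consumed rejects names
    // that merely begin with hex digits.
    wchar_t *end = NULL;
    unsigned long parsed = wcstoul(szValueName, &end, 16);
    if (end != szValueName && *end == L'\0' && parsed == lcid)
    {
      found = true;
    }
  }

  // Single close on every path once the key has been opened.
  RegCloseKey(hKey);
  return found;
}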

// Entry point illustrating the locale gate: when the Russian LCID is reported
// as installed, the process exits without doing anything further, which is why
// a run on such a system shows no follow-on behaviour.
int main()
{
  const bool russianPresent = IsLanguageInstalled(RUSSIAN_LCID);
  if (!russianPresent)
  {
    // Russian language is not installed: the sample's payload stage would
    // follow here (omitted in this listing).
    // ...
  }
  // Both paths end with exit code 0.
  return 0;
}