I’m not kidding, the title is right.
Among all the Windows settings there’s one made for left-handed people. The option I’m referring to is located under the Mouse control panel, labelled “Switch primary and secondary buttons”. It lets you exchange the functions performed by the right and left mouse buttons. I don’t know if this setting is useful or not; most of the left-handed friends I have still use the mouse like a right-handed person. Maybe they don’t even know such an option exists. Anyway, look at this code:
It’s a simple query on a registry key named SwapMouseButtons.
result_value is sent back to the caller, and the caller checks the value. If the value is equal to 0x30 (right handed) the malware goes on running the rest of the code, but if the value is 0x31 (left handed) the malware ends immediately. All the nasty things performed by the malware are executed after this check, which means that a left-handed user won’t get infected!
I’ve seen some malware using the SwapMouseButton function in the past, but never something like that. I bet the author is left-handed and wrote the check just to be sure to avoid a possible infection… I can’t think of anything else. Quite funny!!!

June 23, 2008 at 11:32 pm
Did you find that piece of code in one of the latest worms that spreads via MSN?
June 24, 2008 at 12:34 am
Yes, I’m pretty sure but I should check.
May I ask you why? Did you find the same code?
June 24, 2008 at 9:51 am
I’m left handed and I’m using my right hand for mouse navi; to be honest I’ve never seen anyone using his mouse with the left hand…
June 24, 2008 at 4:55 pm
Yes, I found the same code :)
I also found a strange/bugged implementation of RC4 used to encrypt/decrypt the strings:
In the loop for generating the stream the author seems to have done something like this:

    for(int i=0; i < len; i++) {
        i = i % 256;
        ..

instead of

    i = (i + 1) % 256;

Don’t know yet if it’s a feature or a bug ;)
What do you think?
June 24, 2008 at 8:42 pm
Yes *asaperlo*, you are right about the RC4 implementation. The code is bugged if and only if the author wanted to implement the RC4 algorithm; otherwise we’ll have to study a new crypto algo :p
Joking apart, it seems to be RC4, at least looking at the initialization part of the crypto algo; I think it’s an oversight but it’s pretty strange. There are some more funny things inside the malware (strange code implementation, virtual machine check), more in the next days… stay tuned.
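
For analysts who need to decode strings from a sample like this, here is an added example (not code from the malware or from the post) that puts standard RC4 beside the index variant discussed in the comments above and shows that a stock RC4 routine will not decrypt the variant's output. It assumes the variant simply uses the loop counter modulo 256 as index i, so i starts at 0 instead of 1; the key, sample string and function names are constructed for the demonstration.

```python
# Added example: standard RC4 beside the index variant described in the comments.
# Assumption: the variant uses the loop counter modulo 256 as index i (starts at 0).

def ksa(key):
    """Standard RC4 key scheduling: key-dependent permutation of 0..255."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4(key, data, variant=False):
    """XOR data with the keystream; variant=True uses the off-by-one index."""
    s = ksa(key)
    j = 0
    out = bytearray()
    for n, byte in enumerate(data):
        # Standard RC4 increments i before use (1, 2, 3, ...);
        # the assumed variant uses the counter as-is (0, 1, 2, ...).
        i = n % 256 if variant else (n + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def identify(key, blob):
    """Return which generator(s) decrypt blob to printable ASCII."""
    hits = []
    for name, flag in (("standard", False), ("variant", True)):
        plain = rc4(key, blob, variant=flag)
        if plain and all(32 <= b < 127 for b in plain):
            hits.append(name)
    return hits

# Constructed sample data: key and string are made up for the demonstration.
SAMPLE_KEY = b"constructed-key"
SAMPLE_TEXT = b"constructed sample string"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_TEXT, variant=True)

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())      # standard RC4 on a public test vector
    print(identify(SAMPLE_KEY, SAMPLE_BLOB))    # which generator yields readable text
```

Because both generators are plain XOR stream ciphers, the variant still decrypts its own output; it only breaks interoperability with standard RC4 tools.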