This particular DLL component of the Flame threat is designed to locate various files in the system, read their contents and populate the SQL database with the file contents and characteristics. In addition, this file is capable of collecting geographical identification metadata that may be present in the files it inspects.
The string decryptor is slightly different this time:
void decrypt(int result, int iCount)
{
int i1, i2, i3, i4;
i1 = result;
if (iCount)
{
i2 = 11 - result;
do
{
i3 = i1 + i2;
i4 = i3 + 12;
result = i3 * i4;
*(BYTE *)i1 -= result ^ ((i3 * i4) >> 8) ^
((i3 * i4) >> 16) ^ ((i3 * i4) >> 24);
++i1;
--iCount;
}
while (iCount);
}
}
void Decrypt3(LPBYTE lpBuffer)
{
if (lpBuffer[16]) // 16th byte is a flag "encrypted"
{
decrypt((int)(lpBuffer + 20), (int)lpBuffer[18]);
// 18th byte is the string size
// 20th byte is where encrypted bytes start
lpBuffer[16] = 0; // clear "encrypted" flag (16th byte)
}
}
BYTE szTest3[] =
{
0xA7,0xC9,0xDF,0xF8,0x30,0x0C,0x52,0x9D,0x0C,0x7F,0xB5,0x32,0x2B,0x05,0xC6,0x08,
0x05,0xD5,0x26,0x00,0x74,0x21,0xA5,0x6D,0x0B,0xC1,0x54,0x1E,0xB0,0x82,0x24,0xEE,
0xA0,0x63,0xFF,0xDF,0x7A,0x64,0x03,0xE8,0x9F,0x85,0x3E,0x1A,0xD0,0xC6,0x73,0x6B,
0x34,0x28,0xD6,0xD4,0x96,0xA9,0x78,0x66,0x42,0x4B,0x00,0x00,0x68,0xB8,0xE7,0x8A,
0x23,0x51,0x36,0x5C,0xCD,0xC3,0x4D,0xE4,0xF2,0xE5,0xCC,0xA3,0x00
};
Decrypt3(szTest3);
A7 C9 DF F8 30 0C 52 9D 0C 7F B5 32 2B 05 C6 | ....0.R....2+..
08 00 D5 26 00 77 00 61 00 77 00 68 00 61 00 | ...&.w.a.w.h.a.
6D 00 7A 00 61 00 61 00 62 00 6F 00 76 00 65 | m.z.a.a.b.o.v.e
00 61 00 72 00 61 00 62 00 69 00 63 00 | .a.r.a.b.i.c.
INSERT INTO Media (Type, MediumDescription) VALUES ('%s', '%s')
SELECT State FROM Pst_States WHERE FileName=? AND Size=%u AND LastModification=%I64d
'alefhamzabelowfinalarabic'
or 'alefqamatshebrew'
. This table is used to convert Postscript glyph names into Unicode codes - presumably to be able to parse the content of Adobe PDF documents written in Unicode Character Entities, such as Hebrew or Arabic.HKLM\SOFTWARE\KasperskyLab\AVP6
HKLM\SOFTWARE\KasperskyLab\protected\AVP7
.text:100C5DE8 sub_100C5DE8 proc near
.text:100C5DE8 push offset aGps_latitude ; "GPS_LATITUDE"
.text:100C5DED call decrypt_string
.text:100C5DF2 pop ecx
.text:100C5DF3 push eax
.text:100C5DF4 push offset GPS_LATITUDE
.text:100C5DF9 call copy_string
.text:100C5DFE push offset sub_100F32F8
.text:100C5E03 call _atexit
.text:100C5E08 pop ecx
.text:100C5E09 retn
.text:100C5E09 sub_100C5DE8 endp