The Kaspersky condition in Petya is indeed unusual, but I would agree with the initial blog post that right now there isn't enough information to make even an educated guess. Kaspersky isn't just popular in Russia, it's consistently a top 3 world-wide, both for individual users and for businesses.
While I appreciate and even sometimes enjoy speculation such as this for fun, I agree with the F-Secure blog post that it is not useful in the current situation as there just isn't enough evidence to develop anything more than wild guesses.
But it is also banned in Ukraine, where most targets were.
Anti-virus would be a brilliant way to gain access to millions of machines, send back "sample" files via specific user targeted updates...
If so (and again I'm starting this sentence with IF), being lenient on Kaspersky would have dual benefits of focusing the target on Ukraine, providing a "cure" for any critical machines hit in Russia, and allowing existing Kaspersky users to recover once the cure is known.
The interesting thing here is if this was a trial run, I don't think you get another one. If there is another bit of malware that treads lightly on Kaspersky machines, or "accidentally" fails to activate on them then the jig is up.
Still speculation, but will be interesting to follow.
During the malware initialization phase, this malware maintains a global variable that dictates its behavior. It alters its behavior based on the presence of processes related to certain antivirus applications running in the system.
Specifically, it looks for names of processes belonging to Kaspersky Antivirus and Symantec Antivirus and alters its behavior if it finds them.
Information controlling the threat's behavior is stored in a global variable (gConfig in the screenshots), which is then checked during MBR modification.
If a Kaspersky Antivirus process is found in the system or if the MBR infection is unsuccessful, the malware then proceeds to destroy the first 10 sectors of the hard drive.
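An added example, not part of the original comments or of the analysis they quote: a responder's triage that compares the first 10 sectors of a disk image against per-sector hashes recorded earlier, so a replaced MBR can be told apart from a destroyed boot region. The 512-byte sector size, the function names and the sample images are assumptions constructed for illustration; the overwrite pattern in the "wiped" sample is not taken from the malware.

```python
import hashlib

SECTOR_SIZE = 512   # assumption: 512-byte logical sectors
BOOT_SECTORS = 10   # the region the quoted analysis says is destroyed
REGION = SECTOR_SIZE * BOOT_SECTORS


def sector_digests(region: bytes) -> list[str]:
    """SHA-256 of each of the first 10 sectors, in order."""
    if len(region) < REGION:
        raise ValueError("need at least the first 10 sectors of the disk")
    return [
        hashlib.sha256(region[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]).hexdigest()
        for i in range(BOOT_SECTORS)
    ]


def triage(baseline: list[str], region: bytes) -> dict:
    """Compare the current boot region with a known-good baseline."""
    current = sector_digests(region)
    changed = [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]
    return {
        "changed_sectors": changed,
        # A valid MBR ends with the bytes 55 AA at offset 510 of sector 0.
        "mbr_signature_ok": region[510:512] == b"\x55\xaa",
        "all_boot_sectors_changed": len(changed) == BOOT_SECTORS,
    }


# Constructed sample images (not real disk contents).
HEALTHY = (b"\x90" * 510 + b"\x55\xaa"
           + b"".join(bytes([i + 1]) * SECTOR_SIZE for i in range(1, BOOT_SECTORS)))
MBR_ONLY = b"\xeb" * 510 + b"\x55\xaa" + HEALTHY[SECTOR_SIZE:]  # sector 0 replaced
WIPED = b"\xff" * REGION                                        # whole region overwritten
BASELINE = sector_digests(HEALTHY)

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY), ("mbr_only", MBR_ONLY), ("wiped", WIPED)):
        print(name, triage(BASELINE, image))
```

A baseline whose sectors 1 to 9 are all zeros cannot reveal an overwrite with zeros, so the signature check on sector 0 is reported separately from the hash comparison.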