“exe” read backwards spells “malware”

RIGHT TO LEFT OVERRIDE (RLO) is a Unicode control character (U+202E) that reverses the character reading order from the traditional left-to-right to right-to-left. It is mainly used for right-to-left languages (such as Arabic or Hebrew). We reported this trick last year, but it has resurfaced extensively in the past week as a way to trick users into opening malware executables. Malware uses RLO to reverse the direction of text in a filename. This can make an “exe” file appear to be a harmless “doc” file.

These new variants of the Bredolab virus are distributed via emails that have a subject line similar to “inter-company invoice”. A sample:

The attached zip file contains an executable which has a filename that appears to be:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Seems harmless enough, right? You can see how the filename is displayed in WinZip and in Windows Explorer below.

The RLO control character is not displayed. It is placed just before the part of the filename that is displayed as “exe.doc”. Therefore the actual filename is:

“CORP_INVOICE_08.14.2011_Pr.phylcod.exe”

This will definitely mislead recipients who will then execute the malicious file.
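As an added example (not code from the original post or from the antivirus vendor), this Python sketch flags filenames that contain bidirectional control characters and compares the stored extension with the one a bidi-aware file listing would show. The reversal logic is a simplification of the Unicode bidi algorithm that only handles RLO runs, the executable-extension list is an assumption, and the sample name is constructed from the filename quoted above.

```python
import os

# Unicode bidirectional formatting controls that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"
# Assumed list of extensions to treat as executable; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def displayed_name(name):
    """Approximate what a bidi-aware UI shows: text after RLO is reversed
    until PDF or end of string. Not a full UAX #9 implementation."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO and not in_rlo:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored in this sketch
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))  # RLO run left open at end of name
    return "".join(out)

def inspect_filename(name):
    """Report bidi controls plus the stored and displayed extensions."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "controls": controls, "displayed": shown,
        "real_ext": real_ext, "displayed_ext": shown_ext,
        # Suspicious: hidden controls make an executable look like another type.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS
                      and shown_ext != real_ext,
    }

# Constructed sample: the filename from the post with U+202E before "cod.exe".
sample = "CORP_INVOICE_08.14.2011_Pr.phyl\u202ecod.exe"
report = inspect_filename(sample)
```

The same check can be applied to attachment names at a mail gateway or to member names inside an archive before they are shown to a user.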

Command antivirus detects this malware as W32/Bredolab.IF. Keeping your antivirus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this.