5

So I've just downloaded a torrent with one file in it - the formal name of the file should be "123.avi.exe" (which is typical for viruses and trojans). Now, the interesting thing is that the name is encoded in UTF-16LE as the following bytes:

FFFE3100320033002E002D202E202D202E206900760061002E00650078006500

which gives us strange text, partially reversed over ".exe" (try to move the cursor left-to-right and you will be surprised):

123.‭‮‭‮iva.exe

But the worst part of all is that uTorrent shows a non-suspicious ".avi" extension, while when you double-click it in the GUI it goes as ".exe" and the program runs.

You can test it yourself by creating a dummy file with the name I wrote above. One more interesting thing - Total Commander prevents executing such a file if its name contains these special characters.

P.S. I've started a similar thread on the uTorrent tracker (not yet approved by a moderator)

LSerni
Alek Depler

1 Answer

13

The trick is the right-to-left override character. Languages such as Arabic write right-to-left instead of left-to-right. To embed such text in a string, you can switch the direction of the text, and that can help in hiding the real extension.

helloworld.<RLO>cod.exe

will be displayed as

helloworld.exe.doc

because the part after the RLO character is reversed.

Sjoerd
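A defensive check for the file names discussed above, as an added example that is not part of the original question or answer: it decodes the UTF-16 bytes quoted in the question, lists any Unicode bidirectional control characters, shows the name in logical order with the controls made visible, and reports the extension as stored. The function names are hypothetical, and the set of control characters goes beyond the RLO case to cover the other bidi formatting characters.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def decode_utf16_name(hex_bytes):
    """Decode a UTF-16 file name given as hex; the 'utf-16' codec consumes the BOM."""
    return bytes.fromhex(hex_bytes).decode("utf-16")

def find_bidi_controls(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def escape_for_display(name):
    """Render bidi controls as visible <U+XXXX> tokens so the logical order shows."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)

def real_extension(name):
    """Extension in logical (stored) order, ignoring how the name is rendered."""
    return os.path.splitext(name)[1].lower()

def inspect(name):
    """Summarise one file name: flag it if any bidi control is present."""
    hits = find_bidi_controls(name)
    return {"suspicious": bool(hits), "controls": hits,
            "escaped": escape_for_display(name), "extension": real_extension(name)}

# Byte string quoted in the question (UTF-16-LE with BOM).
QUESTION_HEX = "FFFE3100320033002E002D202E202D202E206900760061002E00650078006500"

if __name__ == "__main__":
    # The second name is the answer's example; the third is a constructed benign name.
    for n in (decode_utf16_name(QUESTION_HEX), "helloworld.\u202ecod.exe", "holiday.avi"):
        print(inspect(n))
```
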