A Windows XP help forum. PCbanter

Malware corrupts its own filename? This is freaking me out.

#1
September 22nd 14, 08:19 AM, posted to alt.comp.os.windows-8
John Doe[_8_]

I don't have the technical expertise of Paul, but I can make
Windows dance. This is new to me, never heard anything like it
before.

I have retrieved a client's file that is now sitting in a Windows
Explorer folder here on my computer. In the Windows (8.1) file
manager, the filename appears to be...

Video001_by_Hexe.mp4

Copied to WordPad, it looks like this...

Video001_by_H4pm.exe

Copied here to Xnews, it looks like this...

Video001_by_H?4pm.exe

Referring to the first filename stated above
(Video001_by_Hexe.mp4), in Windows Explorer...

Microsoft's file type is "Application".

When the filename is opened for editing, all characters before and
after the "exe" are highlighted. All of the filename, including
the "exe" is highlighted when Ctrl+A is pressed.

Virustotal results...

SHA256:
0e1e85d8d6cd3ed5264f22ab29480b658efda3e524cff27f255ab44b10d4b0ec
File name: Video001_by_H?4pm.exe
Detection ratio: 30 / 55

At this point, I guess the moral of the story is... Don't judge a
file by its filename. You must look at the file type as well.
Didn't used to be that way, AFAIK, all that mattered was the file
extension. Then again, Windows Explorer has seen some degradation
in these most recent versions.

I will be happy to ZIP the file and send it to anyone who provides
an email address. I'm assuming the file cannot cause any mischief
in that process.

Thanks for any respectful replies.
#2
September 22nd 14, 08:32 AM, posted to alt.comp.os.windows-8
Andy Burns[_3_]

John Doe wrote:

> the filename appears to be...
>
> Video001_by_Hexe.mp4
>
> Video001_by_H?4pm.exe


I'd say the latter is the correct name, where the ? is a unicode
right-to-left marker U+200F

so the string up to the H is displayed forwards then the "4pm.exe" is
displayed backwards looking like "exe.mp4" in apps that support unicode
fully, quite clever and the culprit is hoping the .exe isn't seen as
suspicious when it appears as part of "by_Hexe."
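
Andy's explanation above, turned into an added Python example (not code from the thread): a small checker that lists any Unicode bidirectional control characters in a filename, reports the extension the OS actually uses, and simulates what a bidi-aware file manager would draw. The thread names U+200F and, later, U+202B; the character usually behind this exact disguise is U+202E RIGHT-TO-LEFT OVERRIDE, which forces everything after it to be drawn right-to-left, and only that override is simulated here (embeddings and marks go through the full Unicode Bidi Algorithm, which the helper does not implement). The sample filename is constructed to match the one in the thread, and the function names are my own.

```python
import os
import unicodedata

# Unicode bidirectional controls that can reorder how a filename is
# displayed without changing what the filesystem stores.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",            # marks (U+200F is named in the thread)
    "\u202a": "LRE", "\u202b": "RLE",            # embeddings (U+202B is named in the thread)
    "\u202c": "PDF",                             # pop directional formatting
    "\u202d": "LRO", "\u202e": "RLO",            # overrides (RLO is the usual disguise)
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', unicode name) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """The extension the OS really uses: the text after the last actual '.'."""
    return os.path.splitext(name)[1].lower()


def render_rlo(name):
    """Approximate what a bidi-aware UI shows when the name contains RLO.

    Only U+202E is simulated: every character after it is drawn
    right-to-left until a PDF (U+202C) or the end of the string. Other
    controls are zero-width and are simply dropped from the rendering.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])   # the overridden run, reversed
            i = j + 1                           # skip the PDF (or run off the end)
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_name(name):
    """Everything a responder wants to know about one filename."""
    controls = find_bidi_controls(name)
    shown = render_rlo(name)
    return {
        "stored": name,
        "displayed": shown,
        "true_extension": true_extension(name),
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


# Constructed sample: the thread's name with an RLO between "H" and "4pm.exe".
SAMPLE = "Video001_by_H\u202e4pm.exe"

if __name__ == "__main__":
    for key, value in inspect_name(SAMPLE).items():
        print(f"{key:>20}: {value!r}")
```

Run it over a real folder with `inspect_name(n) for n in os.listdir(path)`; anything with a non-empty `bidi_controls` list, or where `true_extension` and `displayed_extension` disagree, deserves a look at the bytes before anyone double-clicks it.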


#3
September 22nd 14, 08:34 AM, posted to alt.comp.os.windows-8
John Doe[_8_]

Also... When the filename is open for editing in Windows Explorer,
the left and right arrow keys behave oddly. The arrow keys work in
reverse when the cursor is in the "exe" part of the filename.
#4
September 22nd 14, 08:51 AM, posted to alt.comp.os.windows-8
John Doe[_8_]

Andy Burns wrote:

> John Doe wrote:
>
>> the filename appears to be...
>>
>> Video001_by_Hexe.mp4

That's its name in Windows (8.1) Explorer.

>> Video001_by_H?4pm.exe
>
> I'd say the latter is the correct name,

Apparently the system agrees.

> where the ? is a unicode right-to-left marker U+200F

That sounds plausible, as an instruction to read the following
text backwards.

> so the string up to the H is displayed forwards then the
> "4pm.exe" is displayed backwards looking like "exe.mp4" in apps
> that support unicode fully,

Apparently my Windows Explorer does not support Unicode.

> quite clever and the culprit is hoping the .exe isn't seen as
> suspicious when it appears as part of "by_Hexe."


And the reason the "exe." part of the filename is not highlighted
when the filename is first opened for editing is because the
current Windows Explorer does not highlight the part of the
filename it sees as the extension.
#5
September 22nd 14, 08:53 AM, posted to alt.comp.os.windows-8
John Doe[_8_]

I wrote:

> Apparently my Windows Explorer does not support Unicode

To be clear... There, I'm talking about the display. I'm not
talking about the execution of programs.
#6
September 22nd 14, 09:06 AM, posted to alt.comp.os.windows-8
Andy Burns[_3_]

John Doe wrote:

>> Apparently my Windows Explorer does not support Unicode
>
> To be clear... There, I'm talking about the display. I'm not
> talking about the execution of programs.


It partially supports unicode, I'm sure you could rename

notepad.exe to 记事本.exe

and still have it work, but there are all sorts of weird and wonderful
special characters in unicode, such as overstriking accents onto
preceding character, line separators, character variations and swapping
RTL/LTR order.

#7
September 22nd 14, 09:50 AM, posted to alt.comp.os.windows-8
Paul

Andy Burns wrote:

> John Doe wrote:
>
>>> Apparently my Windows Explorer does not support Unicode
>>
>> To be clear... There, I'm talking about the display. I'm not
>> talking about the execution of programs.
>
> It partially supports unicode, I'm sure you could rename
>
> notepad.exe to 记事本.exe
>
> and still have it work, but there are all sorts of weird and wonderful
> special characters in unicode, such as overstriking accents onto
> preceding character, line separators, character variations and swapping
> RTL/LTR order.


That's a new one on me. I never would have guessed...

Paul
#8
September 22nd 14, 10:17 AM, posted to alt.comp.os.windows-8
Roderick Stewart

On Mon, 22 Sep 2014 07:34:41 +0000 (UTC), John Doe wrote:

> Also... When the filename is open for editing in Windows Explorer,
> the left and right arrow keys behave oddly. The arrow keys work in
> reverse when the cursor is in the "exe" part of the filename.


That would support the suggestion by Andy Burns that the displayed
order of part of the filename is being reversed in order to conceal
the fact that it's really a .exe file and not a harmless video.

The buggers who write these things are getting more devious. I knew
about double extensions of the form "harmlesstextfile.txt.exe" which
rely on Windows Explorer not showing the final extension by default
(which I think is *still* the case with Windows 8), but I didn't know
about this Unicode trick. It needs to be more widely known.

Rod.
#9
September 22nd 14, 07:10 PM, posted to alt.comp.os.windows-8
John Doe[_8_]

Roderick Stewart wrote:

> John Doe wrote:

talking about the filename "Video001_by_Hexe.mp4".

>> Also... When the filename is open for editing in Windows
>> Explorer, the left and right arrow keys behave oddly. The arrow
>> keys work in reverse when the cursor is in the "exe" part of the
>> filename.
>
> That would support the suggestion by Andy Burns that the
> displayed order of part of the filename is being reversed in
> order to conceal the fact that it's really a .exe file and not a
> harmless video.

So does the fact that when the file name is opened for editing
with F2, that backwards part of the filename "exe." is not
highlighted.

Microsoft's current file manager doesn't know enough to correctly
arrange the characters, but it still keeps from highlighting the
extension when it's opened for editing.

Looks like a bug in Windows Explorer.

And when Microsoft fixes that bug, it could fix other problems to
do with the navigation pane...

Prevent multiple items from being selected (one on the left and
one on the right) so that we know what's going to be deleted when
the Delete key is pressed. That might have to do with one's color
scheme, it is the case using a high contrast light on dark color
scheme.

Make the arrow keys fully functional for navigation so that using
an arrow key to move up or down works just like clicking on a
folder name, like it was in Windows XP. Highlighting a folder name
without displaying its contents on the right-hand side is useless.
It looks like code Microsoft didn't bother to finish when it
rewrote Windows Explorer.

"Somewhere, over the rainbow... la la la"

> The buggers who write these things are getting more devious. I
> knew about double extensions of the form
> "harmlesstextfile.txt.exe" which rely on Windows Explorer not
> showing the final extension by default (which I think is *still*
> the case with Windows 8), but I didn't know about this Unicode
> trick. It needs to be more widely known.
>
> Rod.


#10
September 22nd 14, 07:46 PM, posted to alt.comp.os.windows-8
Char Jackson

On Mon, 22 Sep 2014 18:10:40 +0000 (UTC), John Doe wrote:

> Looks like a bug in Windows Explorer.
>
> And when Microsoft fixes that bug, it could fix other problems to
> do with the navigation pane...
>
> Make the arrow keys fully functional for navigation so that using
> an arrow key to move up or down works just like clicking on a
> folder name, like it was in Windows XP. Highlighting a folder name
> without displaying its contents on the right-hand side is useless.
> It looks like code Microsoft didn't bother to finish when it
> rewrote Windows Explorer.


I think that last one is corrected by Classic Shell, FWIW. I fully agree
that a 3rd party tool shouldn't need to fix such silly default behavior.

#11
September 23rd 14, 11:52 AM, posted to alt.comp.os.windows-8
Paul

John Doe wrote:

> Roderick Stewart wrote:
>
>> John Doe wrote:
>
> talking about the filename "Video001_by_Hexe.mp4".


Do you have a link to the download ?

I need a filename to experiment with, to
see if there's a better way to display the
filename.

Paul

#12
September 23rd 14, 12:28 PM, posted to alt.comp.os.windows-8
Andy Burns[_3_]

Paul wrote:

> Do you have a link to the download ?
> I need a filename to experiment with


I've been playing (or trying to)
I think it's probably the U+202B character, I used openoffice writer and
included one via insert special, between the 3 and the 4 below.

123 **‬‫456

if you create a "test.exe" file somewhere, then rename it, which will
select just the "test" part of the name, and paste in the whole of the
line above as the name part, it will become

"123??????456.exe"

as seen from CMD, but look like

"123 exe.456"

with a small gap
#13
September 23rd 14, 03:21 PM, posted to alt.comp.os.windows-8
John Doe[_8_]

Andy Burns wrote:

> Paul wrote:
>
>> Do you have a link to the download ? I need a filename to
>> experiment with
>
> I've been playing (or trying to) I think it's probably the
> U+202B character, I used openoffice writer and included one via
> insert special, between the 3 and the 4 below.
>
> 123 **‬‫456
>
> if you create a "test.exe" file somewhere, then rename it, which
> will select just the "test" part of the name, and paste in the
> whole of the line above as the name part, it will become
>
> "123??????456.exe"
>
> as seen from CMD, but look like
>
> "123 exe.456"
>
> with a small gap


You know how it's done but you cannot (exactly) reproduce it? That
must be one very smart hacker. Are you viewing the file in Windows
8.1 Explorer?

I won't upload it anywhere, Paul, but I will ZIP it and email it
if you provide an address. I'm assuming nothing happens to the
filename during the ZIP process. I'm also assuming that it will
bypass any virus checks along the way. Apparently it is seriously
infected.
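
Andy's repro (create `test.exe`, rename it with a bidi character in the name), John's question about whether the name survives a ZIP, Rod's double-extension case and John's point in the first post about checking the file type rather than the name, as one added Python example that is not code from the thread. It writes constructed files into a temporary directory, scans that directory for three things a responder would flag (a bidi control character in the name, a decoy extension sitting in front of an executable one, and the `MZ` magic that starts every DOS/PE executable whatever the name says), then zips the files and reads the stored names back. The file contents are placeholder bytes rather than real executables, and the extension lists and function names are my own choices.

```python
import os
import tempfile
import zipfile

# Unicode bidi controls: marks, embeddings, overrides, PDF and the isolates.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                          "\u2066\u2067\u2068\u2069")
# My own lists (assumptions): final extensions Windows will execute, and
# innocuous-looking extensions an attacker might put in front of one.
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                             ".js", ".vbs", ".msi"})
DECOY_EXTS = frozenset({".txt", ".mp4", ".pdf", ".jpg", ".doc", ".docx", ".avi"})


def classify(name, head=b""):
    """Reasons (possibly none) why a file deserves a second look."""
    reasons = []
    base, ext = os.path.splitext(name)
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi-control")
    if ext.lower() in EXECUTABLE_EXTS and os.path.splitext(base)[1].lower() in DECOY_EXTS:
        reasons.append("double-extension")
    if head.startswith(b"MZ"):            # DOS/PE header, regardless of the name
        reasons.append("pe-magic")
    return reasons


def scan_dir(path):
    """Map each suspicious filename in path to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            head = f.read(2)
        reasons = classify(name, head)
        if reasons:
            findings[name] = reasons
    return findings


def zip_roundtrip(dir_path, names):
    """Zip the named files and return the names exactly as stored in the archive."""
    zpath = os.path.join(dir_path, "sample.zip")
    with zipfile.ZipFile(zpath, "w") as zf:
        for name in names:
            zf.write(os.path.join(dir_path, name), arcname=name)
    with zipfile.ZipFile(zpath) as zf:
        return [info.filename for info in zf.infolist()]


def demo():
    """Constructed samples: Andy's RLE repro, the thread's name with an RLO,
    Rod's double extension, an .mp4 that is really a PE, and a plain text file."""
    samples = {
        "123\u202b456.exe": b"MZ\x90\x00",
        "Video001_by_H\u202e4pm.exe": b"MZ\x90\x00",
        "harmlesstextfile.txt.exe": b"MZ\x90\x00",
        "holiday.mp4": b"MZ\x90\x00",
        "report.txt": b"just text",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)               # placeholder bytes, not a real binary
        findings = scan_dir(d)
        stored = zip_roundtrip(d, list(samples))
    return findings, stored


if __name__ == "__main__":
    findings, stored = demo()
    for name, reasons in findings.items():
        print(f"{name!r}: {', '.join(reasons)}")
    print("names inside the zip:", stored)
```

The archive keeps the control characters because Python's zipfile stores non-ASCII names as UTF-8 (general-purpose flag bit 11), so zipping the file for someone does not sanitise the name, and the filesystem itself stored it untouched, which is why `os.listdir` and `splitext` see `.exe` no matter what Explorer draws. The `MZ` check is a first filter only; real triage parses the PE header or hands the file to a tool that does.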
#14
September 23rd 14, 03:30 PM, posted to alt.comp.os.windows-8
Andy Burns[_3_]

John Doe wrote:

> You know how it's done but you cannot (exactly) reproduce it?
> That must be one very smart hacker.

I'm only curious, he probably got paid :-P

> Are you viewing the file in Windows 8.1 Explorer?

Actually I'm using Win7 on this machine


#15
September 23rd 14, 03:32 PM, posted to alt.comp.os.windows-8
John Doe[_8_]

Andy Burns wrote:

> Paul wrote:
>
>> Do you have a link to the download ? I need a filename to
>> experiment with
>
> I've been playing (or trying to) I think it's probably the
> U+202B character, I used openoffice writer and included one via
> insert special, between the 3 and the 4 below.
>
> 123 **‬‫456
>
> if you create a "test.exe" file somewhere, then rename it, which
> will select just the "test" part of the name, and paste in the
> whole of the line above as the name part, it will become
>
> "123??????456.exe"
>
> as seen from CMD, but look like
>
> "123 exe.456"
>
> with a small gap


All you have to do is tell me which editor to use (preferably
small), so that I can copy and paste the filename into that editor
to see the Unicode values, right?