#1
Malware corrupts its own filename? This is freaking me out.
I don't have the technical expertise of Paul, but I can make Windows dance. This is new to me, never heard anything like it before.

I have retrieved a client's file that is now sitting in a Windows Explorer folder here on my computer. In the Windows (8.1) file manager, the filename appears to be...

Video001_by_Hexe.mp4

Copied to WordPad, it looks like this...

Video001_by_H4pm.exe

Copied here to Xnews, it looks like this...

Video001_by_H?4pm.exe

Referring to the first filename stated above (Video001_by_Hexe.mp4), in Windows Explorer...

Microsoft's file type is "Application". When the filename is opened for editing, all characters before and after the "exe" are highlighted. All of the filename, including the "exe", is highlighted when Ctrl+A is pressed.

Virustotal results...

SHA256: 0e1e85d8d6cd3ed5264f22ab29480b658efda3e524cff27f255ab44b10d4b0ec
File name: Video001_by_H?4pm.exe
Detection ratio: 30 / 55

At this point, I guess the moral of the story is... Don't judge a file by its filename. You must look at the file type as well. It didn't use to be that way; AFAIK, all that mattered was the file extension. Then again, Windows Explorer has seen some degradation in these most recent versions.

I will be happy to ZIP the file and send it to anyone who provides an email address. I'm assuming the file cannot cause any mischief in that process.

Thanks for any respectful replies.
#2
John Doe wrote:

> the filename appears to be...
> Video001_by_Hexe.mp4
> Video001_by_H?4pm.exe

I'd say the latter is the correct name, where the ? is a unicode right-to-left marker U+200F, so the string up to the H is displayed forwards, then the "4pm.exe" is displayed backwards, looking like "exe.mp4" in apps that support unicode fully. Quite clever, and the culprit is hoping the .exe isn't seen as suspicious when it appears as part of "by_Hexe."
#3
Also... When the filename is open for editing in Windows Explorer, the left and right arrow keys behave oddly. The arrow keys work in reverse when the cursor is in the "exe" part of the filename.
#4
Andy Burns usenet.feb2014 adslpipe.co.uk wrote:
> John Doe wrote:
>> the filename appears to be... Video001_by_Hexe.mp4

That's its name in Windows (8.1) Explorer.

>> Video001_by_H?4pm.exe
> I'd say the latter is the correct name,

Apparently the system agrees.

> where the ? is a unicode right-to-left marker U+200F

That sounds plausible, as an instruction to read the following text backwards.

> so the string up to the H is displayed forwards then the "4pm.exe" is displayed backwards looking like "exe.mp4" in apps that support unicode fully,

Apparently my Windows Explorer does not support Unicode.

> quite clever and the culprit is hoping the .exe isn't seen as suspicious when it appears as part of "by_Hexe."

And the reason the "exe." part of the filename is not highlighted when the filename is first opened for editing is that the current Windows Explorer does not highlight the part of the filename it sees as the extension.
#5
I wrote:
> Apparently my Windows Explorer does not support Unicode

To be clear... There, I'm talking about the display. I'm not talking about the execution of programs.
#6
John Doe wrote:
> Apparently my Windows Explorer does not support Unicode
> To be clear... There, I'm talking about the display. I'm not talking about the execution of programs.

It partially supports unicode. I'm sure you could rename notepad.exe to 记事本.exe and still have it work, but there are all sorts of weird and wonderful special characters in unicode, such as overstriking accents onto the preceding character, line separators, character variations and swapping RTL/LTR order.
#7
Andy Burns wrote:
> John Doe wrote:
>> Apparently my Windows Explorer does not support Unicode
>> To be clear... There, I'm talking about the display. I'm not talking about the execution of programs.
> It partially supports unicode, I'm sure you could rename notepad.exe to 记事本.exe and still have it work, but there are all sorts of weird and wonderful special characters in unicode, such as overstriking accents onto preceding character, line separators, character variations and swapping RTL/LTR order.

That's a new one on me. I never would have guessed...

Paul
#8
On Mon, 22 Sep 2014 07:34:41 +0000 (UTC), John Doe wrote:

> Also... When the filename is open for editing in Windows Explorer, the left and right arrow keys behave oddly. The arrow keys work in reverse when the cursor is in the "exe" part of the filename.

That would support the suggestion by Andy Burns that the displayed order of part of the filename is being reversed in order to conceal the fact that it's really a .exe file and not a harmless video.

The buggers who write these things are getting more devious. I knew about double extensions of the form "harmlesstextfile.txt.exe", which rely on Windows Explorer not showing the final extension by default (which I think is *still* the case with Windows 8), but I didn't know about this Unicode trick. It needs to be more widely known.

Rod.
#9
Roderick Stewart rjfs escapetime.myzen.co.uk wrote:
> John Doe always.look message.header wrote:

talking about the filename "Video001_by_Hexe.mp4".

>> Also... When the filename is open for editing in Windows Explorer, the left and right arrow keys behave oddly. The arrow keys work in reverse when the cursor is in the "exe" part of the filename.
> That would support the suggestion by Andy Burns that the displayed order of part of the filename is being reversed in order to conceal the fact that it's really a .exe file and not a harmless video.

So does the fact that when the file name is opened for editing with F2, that backwards part of the filename, "exe.", is not highlighted. Microsoft's current file manager doesn't know enough to correctly arrange the characters, but it still keeps from highlighting the extension when it's opened for editing.

Looks like a bug in Windows Explorer. And when Microsoft fixes that bug, it could fix other problems to do with the navigation pane...

Prevent multiple items from being selected (one on the left and one on the right) so that we know what's going to be deleted when the Delete key is pressed. That might have to do with one's color scheme; it is the case using a high contrast light-on-dark color scheme.

Make the arrow keys fully functional for navigation so that using an arrow key to move up or down works just like clicking on a folder name, like it was in Windows XP. Highlighting a folder name without displaying its contents on the right-hand side is useless. It looks like code Microsoft didn't bother to finish when it rewrote Windows Explorer.

"Somewhere, over the rainbow... la la la"

> The buggers who write these things are getting more devious. I knew about double extensions of the form "harmlesstextfile.txt.exe" which rely on Windows Explorer not showing the final extension by default (which I think is *still* the case with Windows 8), but I didn't know about this Unicode trick. It needs to be more widely known.
>
> Rod.
#10
On Mon, 22 Sep 2014 18:10:40 +0000 (UTC), John Doe wrote:

> Looks like a bug in Windows Explorer. And when Microsoft fixes that bug, it could fix other problems to do with the navigation pane...
> Make the arrow keys fully functional for navigation so that using an arrow key to move up or down works just like clicking on a folder name, like it was in Windows XP. Highlighting a folder name without displaying its contents on the right-hand side is useless. It looks like code Microsoft didn't bother to finish when it rewrote Windows Explorer.

I think that last one is corrected by Classic Shell, FWIW. I fully agree that a 3rd party tool shouldn't need to fix such silly default behavior.
#11
John Doe wrote:
> Roderick Stewart rjfs escapetime.myzen.co.uk wrote:
>> John Doe always.look message.header wrote:
> talking about the filename "Video001_by_Hexe.mp4".

Do you have a link to the download? I need a filename to experiment with, to see if there's a better way to display the filename.

Paul
#12
Paul wrote:
> Do you have a link to the download? I need a filename to experiment with

I've been playing (or trying to). I think it's probably the U+202B character. I used openoffice writer and included one via insert special, between the 3 and the 4 below.

123 **456

If you create a "test.exe" file somewhere, then rename it, which will select just the "test" part of the name, and paste in the whole of the line above as the name part, it will become "123??????456.exe" as seen from CMD, but look like "123 exe.456" with a small gap.
#13
Andy Burns usenet.feb2014 adslpipe.co.uk wrote:
> Paul wrote:
>> Do you have a link to the download? I need a filename to experiment with
> I've been playing (or trying to) I think it's probably the U+202B character, I used openoffice writer and included one via insert special, between the 3 and the 4 below.
> 123 **456
> if you create a "test.exe" file somewhere, then rename it, which will select just the "test" part of the name, and paste in the whole of the line above as the name part, it will become "123??????456.exe" as seen from CMD, but look like "123 exe.456" with a small gap

You know how it's done but you cannot (exactly) reproduce it? That must be one very smart hacker.

Are you viewing the file in Windows 8.1 Explorer?

I won't upload it anywhere, Paul, but I will ZIP it and email it if you provide an address. I'm assuming nothing happens to the filename during the ZIP process. I'm also assuming that it will bypass any virus checks along the way. Apparently it is seriously infected.
#14
John Doe wrote:
> You know how it's done but you cannot (exactly) reproduce it? That must be one very smart hacker.

I'm only curious, he probably got paid :-P

> Are you viewing the file in Windows 8.1 Explorer?

Actually I'm using Win7 on this machine.
#15
Andy Burns usenet.feb2014 adslpipe.co.uk wrote:
> Paul wrote:
>> Do you have a link to the download? I need a filename to experiment with
> I've been playing (or trying to) I think it's probably the U+202B character, I used openoffice writer and included one via insert special, between the 3 and the 4 below.
> 123 **456
> if you create a "test.exe" file somewhere, then rename it, which will select just the "test" part of the name, and paste in the whole of the line above as the name part, it will become "123??????456.exe" as seen from CMD, but look like "123 exe.456" with a small gap

All you have to do is tell me which editor to use (preferably small), so that I can copy and paste the filename into that editor to see the Unicode values, right?
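A defender-side check for the trick discussed in posts #2 and #12, added here as an example and not written by anyone in the thread: it scans a filename for Unicode bidirectional control characters (the thread guesses U+200F and U+202B; the character most often seen in this spoof is U+202E, RIGHT-TO-LEFT OVERRIDE), reports the extension the OS will actually use, and flags names whose displayed extension differs from the real one. The sample filenames are constructed from the thread's example and the function names are my own.

```python
import unicodedata

# Unicode bidirectional controls that can reorder displayed text. U+200F and U+202B
# are the ones guessed in the thread; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one
# most often used for this trick; U+2066..U+2069 are the newer isolate controls.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def find_bidi_controls(name):
    """(index, 'U+XXXX', Unicode name) for every bidi control in the filename."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def logical_name(name):
    """Filename with the controls removed: the code-point order the OS actually uses."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def _extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def real_extension(name):
    """Extension as the OS resolves it (text after the last dot of the logical name)."""
    return _extension(logical_name(name))

def apparent_rlo_name(name):
    """Approximate what a bidi-aware viewer draws for a name holding one U+202E:
    everything after the override is laid out right to left. Only the RLO case is
    modelled (the common form); other controls are simply dropped."""
    if "\u202e" not in name:
        return logical_name(name)
    head, tail = name.split("\u202e", 1)
    return logical_name(head) + logical_name(tail)[::-1]

def assess(name):
    """Flag a filename if it carries any bidi control or if the extension a viewer
    would show differs from the one the OS will use."""
    controls = find_bidi_controls(name)
    real, shown = real_extension(name), apparent_rlo_name(name)
    return {"controls": controls, "real_extension": real, "apparent_name": shown,
            "suspicious": bool(controls) or _extension(shown) != real}

# Constructed samples: the thread's filename rebuilt with an RLO, the same with the
# RLM guessed in post #2, and a plain Chinese-named executable (post #6) for contrast.
SAMPLES = ["Video001_by_H\u202e4pm.exe", "Video001_by_H\u200f4pm.exe",
           "\u8bb0\u4e8b\u672c.exe"]
```

Running `assess()` over `SAMPLES` shows the first name rendering as "Video001_by_Hexe.mp4" while resolving to a .exe, the second flagged purely for carrying a control character, and the third passing clean.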