A Windows XP help forum. PCbanter



Malware corrupts its own filename? This is freaking me out.



 
 
  #16  
Old September 23rd 14, 03:50 PM posted to alt.comp.os.windows-8
Andy Burns[_3_]
external usenet poster
 
Posts: 399
Default Malware corrupts its own filename? This is freaking me out.

John Doe wrote:

All you have to do is tell me which editor to use (preferably
small), so that I can copy and paste the filename into that editor
to see the Unicode values


I started off copying some example mixed LTR/RTL text from a Wikipedia
Unicode article, then pasting it to rename a file in explorer, it didn't
behave quite as I expected

Pasting and tinkering in notepad didn't help much

So I used LibreOffice Writer which has its own equivalent of character
map built in, I tried the U+200F character then the U+202B, and copied
this name and pasted into explorer, it got some similar results where
the file extension "jumped left" to be apparently in the middle of the
filename

I've used the Neo Hex editor in the past for editing file contents,
maybe it's suitable for producing the Unicode string to use as the name too.

  #17  
Old September 23rd 14, 04:04 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Video001_by_H4pm.exe (Windows 8.1 Explorer)

Video001_by_H?4pm.exe (this Xnews editor)

Messing around with BabelPad...

Video001_by_H RIGHT-TO-LEFT OVERRIDE4pm.exe

Video001_by_H U+202E4pm.exe

If that isn't enough... If you have specific instruction on how to
manipulate the file name in BabelPad (or some editor of your
choice) so that it looks the way you want it, let me know.

I might go into Windows XP and see how it looks in that file
manager.
  #18  
Old September 23rd 14, 04:15 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Not that it matters, but... Of course the Windows 8.1 Explorer
rendition is the same as in my original post...

Video001_by_Hexe.mp4

Not as shown in my prior post.
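
Added example, not part of any poster's message: a Python check that makes the U+202E character in the name quoted above visible and compares the real extension with the one a file manager appears to show. The function names, the executable-extension list and the simplified rendering (only RIGHT-TO-LEFT OVERRIDE runs are reversed, not the full Unicode bidirectional algorithm) are assumptions of this example.

```python
import unicodedata

# Bidirectional formatting characters that can reorder how text is displayed.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")
RLO, PDF = "\u202e", "\u202c"
# Assumption: a short, non-exhaustive list of extensions Windows will run.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}

# The name reported in the thread, written with an explicit escape.
SAMPLE = "Video001_by_H\u202e4pm.exe"


def escape_controls(name):
    """Make invisible bidi controls visible as <U+XXXX>."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c
                   for c in name)


def approx_display(name):
    """Simplified rendering: reverse each RLO run (ended by PDF or end of name).
    This is not the full Unicode Bidirectional Algorithm (UAX #9)."""
    out, run, in_rlo = [], [], False
    for c in name:
        if c == RLO and not in_rlo:
            in_rlo = True
        elif c == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif c in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(c)
        else:
            out.append(c)
    return "".join(out + run[::-1])


def extension(name):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rpartition(".")[2].lower() if "." in name else ""


def inspect_name(name):
    """Report the controls found and the real vs. apparent extension."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real, shown = extension(name), extension(approx_display(name))
    return {"escaped": escape_controls(name), "controls": controls,
            "real_ext": real, "shown_ext": shown,
            "suspicious": bool(controls) and real != shown
                          and real in EXECUTABLE_EXTS}
```

Running `inspect_name` over the names returned by a directory listing flags entries whose stored extension is executable while the displayed one is not.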
  #19  
Old September 23rd 14, 04:30 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Following this post is an attachment. It might look like an
executable, but it's really just a harmless text file with the
malicious program's name. I promise...

In order to view the text file's contents, you can just rename it
as a text file. Or use your high tech editor.
  #20  
Old September 23rd 14, 04:36 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Sorry, having a little trouble with filenames, as you might expect.

Take two...


John Doe wrote:

Following this post is an attachment. It might look like an
executable, but it's really just a harmless text file with the
malicious program's name. I promise...

In order to view the text file's contents, you can just rename it
as a text file. Or use your high tech editor.



  #21  
Old September 23rd 14, 04:37 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out. - File 1 of 1 - yEnc "Video001_by_H.7z" 780 bytes (0/1)

Sorry, having a little trouble with filenames, as you might
expect.

Take two...


John Doe always.look message.header wrote:

In this post is an attachment. It might look like an executable,
but it's really just a harmless text file with the malicious
program's name. I promise...

In order to view the text file's contents, you can just rename
it as a text file. Or use your high tech editor.



  #22  
Old September 23rd 14, 04:40 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Forget it, you guys don't need it anyway, especially now that you
have the exact Unicode.

Eternal September is giving me a "Binary Misplaced" error even
though it sends the text portion every time (without the binary).

Anyways... I can copy and paste that corrupt file name to a text
file name. It works exactly like you might think.
  #23  
Old September 23rd 14, 04:52 PM posted to alt.comp.os.windows-8
Andy Burns[_3_]
external usenet poster
 
Posts: 399
Default Malware corrupts its own filename? This is freaking me out.

John Doe wrote:
Forget it, you guys don't need it anyway, especially now that you
have the exact Unicode.


Except we /don't/ have your exact filename, something seems to
"de-unicode" it en-route, replacing the U+20XX characters with question
marks.



  #24  
Old September 23rd 14, 05:07 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Andy Burns usenet.feb2014 adslpipe.co.uk wrote:

John Doe wrote:


Forget it, you guys don't need it anyway, especially now that
you have the exact Unicode.


Except we /don't/ have your exact filename, something seems to
"de-unicode" it en-route, replacing the U+20XX characters with
question marks.


Okay...

I will try to put the number in enough different formats...

Video001_by_H U+202E4pm.exe

202E

202 E

In other words... The number 200 followed by E.

I can't imagine how it would corrupt "202E".

There should be no question marks in my reply.

Also, there should be no spaces in the filename in Windows
Explorer. At least there are none here.
  #25  
Old September 23rd 14, 05:16 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

In other words... The number 200 followed by E.

@#$!

As you can see, I'm not getting paid for this either...
  #26  
Old September 23rd 14, 05:41 PM posted to alt.comp.os.windows-8
Andy Burns[_3_]
external usenet poster
 
Posts: 399
Default Malware corrupts its own filename? This is freaking me out.

John Doe wrote:

In other words... The number 200 followed by E.


@#$!

As you can see, I'm not getting paid for this either...


Hah! something else odd going on, probably LO specific

if I select and copy your filename, it pastes into notepad OK, but if I
try to paste into LO, what pastes is the previous thing in the clipboard
in LO not your filename ... that's the sort of odd effect I might expect
to see with MS office's multiple clipboard support.

  #27  
Old September 23rd 14, 05:50 PM posted to alt.comp.os.windows-8
Andy Burns[_3_]
external usenet poster
 
Posts: 399
Default Malware corrupts its own filename? This is freaking me out.

Andy Burns wrote:

something else odd going on, probably LO specific


OK, now I have a "properly" misbehaving file, shows in a CMD window as
two question marks where the U+202E character is

rather than "by_Hexe" the malware author should have construed a
filename appearing to end with "annexe"


  #28  
Old September 24th 14, 03:04 PM posted to alt.comp.os.windows-8
Charlie
external usenet poster
 
Posts: 182
Default Malware corrupts its own filename? This is freaking me out.

On 9/23/2014 12:50 PM, Andy Burns wrote:
Andy Burns wrote:

something else odd going on, probably LO specific


OK, now I have a "properly" misbehaving file, shows in a CMD window as
two question marks where the U+202E character is

rather than "by_Hexe" the malware author should have construed a
filename appearing to end with "annexe"


As far as I know, the more annoying malware
can replicate itself using different names in different locations.
There usually is a similarity between the different names.

Automatic removal may not work properly, and wild card searches
may or may not work completely. I had a bout with one earlier this year,
and ended up doing manual removal. (And changing all my passwords.)
  #29  
Old September 24th 14, 05:19 PM posted to alt.comp.os.windows-8
John Doe[_8_]
external usenet poster
 
Posts: 2,378
Default Malware corrupts its own filename? This is freaking me out.

Charlie cdknospam msn.com wrote:

Andy Burns wrote:
Andy Burns wrote:

something else odd going on, probably LO specific


OK, now I have a "properly" misbehaving file, shows in a CMD
window as two question marks where the U+202E character is

rather than "by_Hexe" the malware author should have construed
a filename appearing to end with "annexe"


As far as I know, the more annoying malware can replicate itself
using different names in different locations. There usually is a
similarity between the different names.

Automatic removal may not work properly, and wild card searches
may or may not work completely. I had a bout with one earlier
this year, and ended up doing manual removal. (And changing all
my passwords.)


Making complete backups of your Windows C drive solves all your
problems (including that one).
  #30  
Old September 24th 14, 05:27 PM posted to alt.comp.os.windows-8
Norm Fowler
external usenet poster
 
Posts: 20
Default Malware corrupts its own filename? This is freaking me out.

John Doe used his keyboard to write :
Charlie cdknospam msn.com wrote:

Andy Burns wrote:
Andy Burns wrote:

something else odd going on, probably LO specific

OK, now I have a "properly" misbehaving file, shows in a CMD
window as two question marks where the U+202E character is

rather than "by_Hexe" the malware author should have construed
a filename appearing to end with "annexe"


As far as I know, the more annoying malware can replicate itself
using different names in different locations. There usually is a
similarity between the different names.

Automatic removal may not work properly, and wild card searches
may or may not work completely. I had a bout with one earlier
this year, and ended up doing manual removal. (And changing all
my passwords.)


Making complete backups of your Windows C drive solves all your
problems (including that one).


I have been doing systematic images of my operating system since
Win2000 and find it is the easiest way of solving either malware or
virus infection. If I think either one of these has gotten onto my
computer I can wipe the partition and replace an image in about 20
minutes and be back to work with no further problems. This seems to me
to be the best protection that money cannot buy. :-)

Norm


 










All times are GMT +1.

