News and Views

From my kids' accomplishments to my heretical perspective of the world


RLO (Right to Left Override)

August 30th, 2011 · 4 Comments

I received an email this morning that looked like spam — Xerox_Document.zip. Inside the zip file was a file like this:
  Xerox_Scan_phyexe.doc

Looks like a Word document, right? NOT! The sender used something called “Right to Left Override”. It was originally implemented to support languages such as Arabic that are written right to left. If the code is inserted in the middle of a string, the letters that follow it are displayed in reverse order. So if you could see the RLO character, it would look like this:

  Xerox_Scan_phy[RLO]exe.doc

and if you removed the RLO, you would see the real name like this:

  Xerox_Scan_phycod.exe

Clearly an executable program, and that’s how Windows would interpret it if you tried to open it. It would then install trojans, viruses or other malware on your computer and you would have a mess.

Here’s another example.

So that’s a warning. If you get a file you aren’t expecting, even if it looks like a harmless Word document, an Excel spreadsheet, a .jpg picture, or even a .txt text file, don’t willy-nilly open it. The bad guys are getting better at hiding their evil intent. Check with the sender first to make sure they really did send you something, and that it is safe.
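An added example, not part of the original post: a Python check that lists zip member names containing Unicode bidirectional control characters such as RLO (U+202E) and reports each name with those characters removed, which is the name the operating system acts on. The sample archive, the function names and the list of risky extensions are constructed for illustration.

```python
import io
import os
import unicodedata
import zipfile

# Unicode bidirectional formatting controls that can reorder displayed text.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Assumed sample list of extensions Windows treats as executable.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def inspect_name(name):
    """Return a finding dict if name contains bidi controls, else None."""
    found = [c for c in name if c in BIDI_CONTROLS]
    if not found:
        return None
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    ext = os.path.splitext(logical)[1].lower()
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": [unicodedata.name(c) for c in found],
        "logical_name": logical,
        "extension": ext,
        "risky": ext in RISKY_EXTENSIONS,
    }


def scan_zip(data):
    """Inspect every member name of a zip archive passed as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = [inspect_name(n) for n in zf.namelist()]
    return [r for r in results if r]


def build_sample_zip():
    """Constructed sample: the post's file name plus an ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Xerox_Scan_phy\u202ecod.exe", b"placeholder bytes")
        zf.writestr("notes.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

The `escaped` field shows the stored name with the control character written out as `\u202e`, so it can be logged or displayed without the reordering effect.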

Tags: Computers, Tech & Science

4 responses so far ↓

  • 1 Donna // Aug 30, 2011 at 4:29 pm

    Very interesting, and scary! Thanks for the heads up. I never open something that is not from someone I know, but you never know when a friend might get caught on something like this and forward it on. It’s always best to be well informed.

  • 2 Richard // Aug 31, 2011 at 7:00 am

    Thanks for the explanation and examples. Do you know who sent you this? Are you using gmail to wash your mail, not that they would catch this?

  • 3 Richard // Aug 31, 2011 at 7:01 am

    Also, how about any of the AV programs? Would any of them catch this kind of thing?

  • 4 Daryl // Sep 1, 2011 at 9:34 am

    I don’t know who it came from — it was just a bogus return address.

    I am not using gmail, just SpamAssassin on the server. It catches most things.

    When I tried to open the file in a text editor to examine it, Microsoft Security Essentials raised a flag about it, said it was a trojan. I don’t know if other AV programs would have caught it.

    Interestingly, at the same time when I tried to open the “.doc” file in a text editor, Windows asked if I wanted to execute it. That was my first clue that something strange was going on. Why would Windows try to execute a .doc file?