SASFIS Trojan disguised by clever technique

A cleverly disguised variant of SASFIS – the infamous Trojan that makes it possible for your computer to be further infected with any number of different malware (including the ZeuS Trojan and various fake AV variants) – has been spotted by a TrendLabs engineer in an email spam run.

The Trojan is packed in a .rar attachment, seemingly containing a .xls file. The name of the file – when stripped of the Chinese characters contained in it – is apparently phone&mail).rcs.xls, but the Win32 binary header (which, by the way, only executable files possess) tells another story:

The real name of the file is phone&mail).[U+202e]slx.scr. The U+202e part is a Unicode control character (the right-to-left override) that causes the text written after it to be rendered from right to left, making the file look like a harmless Excel file when it’s actually a malicious executable .scr file.

Other file names have also been obfuscated using the right-to-left override technique: BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT were actually BACKS[U+202e]FWS.BAT and I-LOVE-YOU-XOX[U+202e]TXT.EXE – a malicious batch file and executable, respectively.
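A defender-side check for the trick described above, as an added example (not from the original article or from TrendLabs): it flags attachment names that contain bidirectional control characters, recovers the real extension, and approximates the name a user would see. The function names, the executable-extension list and the sample header bytes are assumptions, and the display model handles a single override only, not the full Unicode bidirectional algorithm.

```python
import os

# Bidirectional control characters that change how a name is drawn on screen.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RLO = "\u202e"  # right-to-left override, the character named in the article
# Assumed, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif"}


def displayed_name(name):
    """Approximate the rendered name: text after the first RLO appears reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def inspect_filename(name, first_bytes=b""):
    """Compare the stored name with the rendered one and decide whether to block."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stored)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    is_pe = first_bytes[:2] == b"MZ"  # Win32 executables start with "MZ"
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "real_extension": real_ext,
        "extension_spoofed": real_ext != shown_ext,
        "is_pe": is_pe,
        # Block when a bidi control hides an executable extension or header.
        "block": bool(controls) and (real_ext in EXECUTABLE_EXTS or is_pe),
    }


if __name__ == "__main__":
    # Names taken from the article; the header bytes are constructed samples.
    samples = [
        ("phone&mail).\u202eslx.scr", b"MZ\x90\x00"),
        ("BACKS\u202eFWS.BAT", b"@echo off"),
        ("I-LOVE-YOU-XOX\u202eTXT.EXE", b"MZ\x90\x00"),
        ("report.xls", b"\xd0\xcf\x11\xe0"),
    ]
    for name, header in samples:
        print(repr(name), inspect_filename(name, header))
```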

The good news is that you can avoid getting infected in this way if you just exercise a little caution when checking your email and refrain from opening unsolicited and suspect emails, and the attachments contained in them.
