According to Lordian Mosuela, a researcher with Israel's Commtouch, the Right-to-left-override (RLO) unicode control character allows hackers to hide executable code as other types of file names.
The RLO technology is normally used to right-to-left languages such as Arabic or Hebrew, but is now being exploited by cybercriminals in their bid to get users to click on apparently innocuous files.
In an example of `CORP_INVOICE_08.14.2011_Pr.phylexe.doc' Mosuela says that the actual file name is `CORP_INVOICE_08.14.2011_Pr.phylcod.exe' or, in other words, an executable file.
“This will definitely mislead recipients who will then execute the malicious file”, he says, adding that the virus in this example comes up as a Bredolab variant.
“Keeping your anti virus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this” he notes in his latest security posting.