Windows users, did you know that an <code>.exe</code> or <code>.bat</code> file can look like a <code>.jpg</code> or <code>.png</code> file with the <code>RLO</code> (right-to-left override) character?
Here are two examples:
A batch file like <code>comment_space-vs-gnp.bat</code> could look like an innocent PNG image like -&gt; <code>comment_space-vs-tab.png</code>
And an EXE like <code>luxury_picture_delugpj.exe</code> could seem ingenuous as an JPG picture -&gt; <code>luxury_picture_deluexe.jpg</code>
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645268994323/mhM2qcnHN.png" alt="image.png" />
With an embedded icon the EXE would also look like a picture thumbnail.
How is this possible?
When renaming a file like <code>luxury_picture_delugpj.exe</code> in Windows -&gt; place the cursor where you want the rest of the file name to appear spelled backwards (like <code>luxury_picture_delu[CURSOR-HERE]gpj.exe</code>) -&gt; press the right mouse button -&gt; select Insert Unicode control character (sounds dodgy already, right?) -&gt; and hit RLO -&gt; press ENTER / save the file name -&gt; and it's DONE
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1645269504139/PRjlr3T6q.png" alt="image.png" />
The file name should now appear as in the 1st picture above: <code>luxury_picture_deluexe.jpg</code>. However, it is in fact still the very same EXE.
So, how to avoid getting screwed by an innocent looking ransomware, you may ask?
Simply and as ever before: NEVER TRUST FILE EXTENSIONS!
Plus: Some antivirus solutions might flag such RLO files as suspicious - so you might check out if yours does so.

Windows users, did you know that an ```.exe``` or ```.bat``` file can look like a ```.jpg``` or ```.png``` file with the ```RLO``` (right-to-left override) character?

Here are two examples:
A batch file like ```comment_space-vs-gnp.bat``` could look like an innocent PNG image like -> ```comment_space-vs-tab.png```

And an EXE like ```luxury_picture_delugpj.exe``` could seem ingenuous as an JPG picture -> ```luxury_picture_deluexe.jpg```

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645268994323/mhM2qcnHN.png)

With an embedded icon the EXE would also look like a picture thumbnail.

How is this possible?

When **renaming** a file like ```luxury_picture_delugpj.exe``` in Windows -> place the cursor where you want the rest of the file name to appear spelled backwards (like ```luxury_picture_delu[CURSOR-HERE]gpj.exe```) -> press the right mouse button -> select **Insert Unicode control character** (sounds dodgy already, right?) -> and hit **RLO** -> press ENTER / save the file name -> and it's DONE

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1645269504139/PRjlr3T6q.png)

The file name should now appear as in the 1st picture above: ```luxury_picture_deluexe.jpg```. However, it **is** in fact still the very same **EXE**.

So, how to avoid getting screwed by an innocent looking ransomware, you may ask?

Simply and as ever before: **NEVER TRUST FILE EXTENSIONS!**

Plus: *Some* antivirus solutions might flag such RLO files as suspicious - so you might check out if yours does so.

tobsec's blog

tobsec's blog

This Special Char Can Really SCREW You: RLO (right-to-left override)

You might want to find out how