August, 2013

  • Reversal of fortune: Sirefef’s registry illusion

    I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) unicode character is nothing new. That blog also went on to show the various file name tricks used by malware. But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting instantiated by a Google Chrome installation. When a user installs an...
  • The original AppCompat (solving a 20-year-old mystery for me)

    DOS v5.0, released in 1991, introduced the concept of DOS loading "high". That is, into the high memory area - that special 64kb area at the top of the first megabyte of memory. As a result of this change, programs now loaded to a much lower address in memory than they did before. This change also exposed a previously unknown bug that exists in the code produced by certain versions of the Exepack utility, or Link* with the "/EXEPACK" option. The bug caused memory corruption, which usually resulted...