Social engineering

edocinU edirrevO tfeL ot thgiR gnisU erawlaM

According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks has "resurfaced extensively in the past week". The Unicode character U+202E "reverses" the display of the text that follows it, a feature intended for languages that are traditionally read from right to left, and it can be abused to obfuscate file names.

We examined a sample a few days ago.

Here's the archive file viewed in Windows:
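As an added defender-side example (not code from the original post): a small Python triage helper that flags file names carrying Unicode bidi override characters such as U+202E and shows the stored name next to the name a user would see. The sample file names are constructed, and the rendering is a single-RLO approximation rather than the full Unicode bidi algorithm.

```python
import os

# Unicode bidirectional control characters that change how a name is displayed.
# U+202E (RLO) is the one abused by the samples discussed in the post.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def strip_controls(name):
    """Return the name as the file system effectively stores it, minus bidi controls."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)

def rendered_name(name):
    """Approximate what a user sees: everything after the first U+202E is shown
    reversed. This models the single-RLO trick only, not the full bidi algorithm
    (assumption: sufficient for triage, not for exact rendering)."""
    head, rlo, tail = name.partition("\u202e")
    tail = strip_controls(tail)
    return strip_controls(head) + (tail[::-1] if rlo else tail)

def analyze_filename(name):
    """Locate bidi controls and report whether the displayed extension differs
    from the real one."""
    controls = [(i, "U+%04X" % ord(c), BIDI_CONTROLS[c])
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    actual_ext = os.path.splitext(strip_controls(name))[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "controls": controls,
        "actual_ext": actual_ext,
        "displayed_as": shown,
        "displayed_ext": shown_ext,
        "mismatch": bool(controls) and actual_ext != shown_ext,
    }

def find_suspicious(names):
    """Return the analyses of every name that carries a bidi control."""
    return [r for r in (analyze_filename(n) for n in names) if r["controls"]]

if __name__ == "__main__":
    # Constructed sample names; the first mimics the RLO trick from the post.
    samples = ["Invoice_\u202excod.exe", "report.pdf", "photo.jpg"]
    for r in find_suspicious(samples):
        print("stored as %r, shown as %r, real extension %s, controls %s"
              % (strip_controls(r["name"]), r["displayed_as"], r["actual_ext"], r["controls"]))
```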

Old trojan tricks on Android

We recently did an analysis on a trojan, AdSMS, that's been spreading for the last week or so and thought it might make an interesting contrast to the rash of trojanized Android apps that we've been seeing lately.

AdSMS is distributed via a malicious link in a spammed SMS message. The malware appears to be targeted to Android users in mainland China, as the SMS is faked up to look like it's from a major Chinese telecom network and the download link deliberately spoofs a domain name associated with the network.

Video - "Windows Activation" Ransom Trojan

We recently came across a ransom trojan that prompts the following:

"Windows license locked!"

ransom_Trojan.Generic.KDV.153863

The trojan claims that "you should complete activation" and provides several phone numbers.


Social Engineering Fail?

We've been seeing a run of malware distributed via spammed e-mails in the last couple days.

The e-mail messages and the malware aren't particularly new. The message is fake and pretends to be related to a delivery service; attached to it is a disguised ZIP file containing a trojan-downloader.

If the ZIP file is run, what a user would see is:

DHL Express Services

Spoof Your Caller ID With an iPhone Web App

For those of you who think every iPhone application must be approved by Apple's App Store guardians… think again.

Here's an application called SpoofCard:

SpoofCard

SpoofCard allows smartphone users to spoof their caller ID. This is not exactly new. There was a bit of press coverage one year ago.

New Spam Worm on Facebook

A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.

But clicking on any of these application spam links is enough to "share" the application to the user's Wall.

See the search results below:


Corporate Identity Theft Used to Obtain Code Signing Certificate

Last week, the lab identified a curious set of spammed malware: files signed with a valid Authenticode code signing certificate.

Company X's stolen certificate

This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.

LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit.

WoW Account Phishing

A World of Warcraft account can be a gold mine for phishers, depending on the player's achievements. In-game items are in demand and can be sold for real money, making WoW accounts a favorite phishing target.

An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source. Look at the "From" address. Nothing suspicious here.

Update on Security Advisory 2286198

Microsoft has updated Security Advisory 2286198 and it now clarifies that:

"The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed."

Displayed is the important keyword. This is good and addresses our earlier concerns.

However, the advisory still reads that:
