I have mentioned in a previous blog post that the use of the right-to-left-override (U+202E) Unicode character is nothing new. That post also went on to show the various file name tricks used by malware.
But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting created by a Google Chrome installation.
When a user installs an enterprise version of Google Chrome the application sets the following entries in the registry for the Google update service.
There appear to be two "gupdate" registry entries. The real Google update entry is marked in the image above. There are now two entries in the services list which are almost identical, including the description of the service:
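Because the fake entry renders identically to the genuine one, the practical check is to inspect the stored name rather than the displayed one. The script below is an added example (not code from the original post and not a description of the exact string Sirefef writes); it flags service names containing Unicode bidirectional control characters, escapes them so they are visible in a report, and groups entries that collapse to the same name once the controls are removed. The service list is constructed sample data; the optional `scan_services_key` helper reads `HKLM\SYSTEM\CurrentControlSet\Services` on a Windows host and is an assumption about where to look, not something the post states.

```python
import unicodedata

# Unicode bidirectional controls that can make a stored name render
# differently from how it is written (U+202E is the one discussed above).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # embeddings, overrides, pop
    "\u2066", "\u2067", "\u2068", "\u2069",             # isolates and pop isolate
}


def find_bidi_controls(name):
    """Return (index, unicode_name) for every bidi control in `name`."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def escape_for_display(name):
    """Replace bidi controls with a visible <U+XXXX> token so a report shows them."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in name)


def strip_bidi_controls(name):
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def find_lookalikes(entries):
    """Group (key_name, display_name) pairs by their control-stripped key name.

    Returns only groups with more than one member, i.e. names that look the
    same on screen but are stored differently.
    """
    groups = {}
    for key_name, display_name in entries:
        groups.setdefault(strip_bidi_controls(key_name), []).append((key_name, display_name))
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(entries):
    """Return a list of human-readable findings for suspicious entries."""
    findings = []
    for key_name, display_name in entries:
        hits = find_bidi_controls(key_name)
        if hits:
            findings.append(
                f"{escape_for_display(key_name)} ({display_name}): bidi controls at "
                + ", ".join(f"{i}:{n}" for i, n in hits)
            )
    for base, members in find_lookalikes(entries).items():
        findings.append(f"{len(members)} entries collapse to '{base}'")
    return findings


def scan_services_key():
    """Windows only (assumption): enumerate service key names and DisplayName values."""
    import winreg  # raises ImportError off Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                key_name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, key_name) as sub:
                    display_name = winreg.QueryValueEx(sub, "DisplayName")[0]
            except OSError:
                display_name = ""
            entries.append((key_name, str(display_name)))
    return entries


# Constructed sample: one genuine-looking entry and one with U+202E inserted.
SAMPLE_SERVICES = [
    ("gupdate", "Google Update Service (gupdate)"),
    ("gupdat\u202ee", "Google Update Service (gupdate)"),
    ("Spooler", "Print Spooler"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_SERVICES):
        print(line)
```

Run against the constructed list, the report names the second entry with its control character escaped as `<U+202E>` and notes that two entries collapse to `gupdate`; on a Windows host, `report(scan_services_key())` applies the same checks to the live services key.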