[Snort-users] Fizzer Virus Signature
Chris.Keladis at ...6400...
Wed May 14 06:12:04 EDT 2003
Jeremy Junginger wrote:
> Many Thanks! Also, could someone clarify what's going on with the |00|
> stuff? I've seen it here and there, but don't really understand it. I
> can see the obvious "Microsoft R Windows System Init" and "lservc.exe"
> (which looks strange, because it should be looking for iservc.exe AFAIK).
> Anyhow, thanks!
Windows, for the most part, employs the Unicode character set.
Unicode has multi-byte representations of characters, so when displaying
your normal ASCII characters represented as Unicode, the high-order (I
think it was) bytes are set to 00.
If you look at most Windows protocols you will see the same thing going
on. You can learn more about Unicode from www.unicode.org.
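The |00| notation discussed above, as an added example that is not part of the original thread and not the actual Fizzer signature: this Python code converts between plain text and the byte form written in a Snort content pattern, and recovers the readable string from a pattern full of |00|. The function names and the sample strings are constructed for illustration, and it assumes the little-endian UTF-16 encoding that Windows uses, where each ASCII byte is followed by 00.

```python
import re

SPECIAL = '|";\\'  # written as hex here so the pattern needs no escaping


def to_content(text):
    """Render text as UTF-16LE in Snort content notation (literal chars plus |hex| runs)."""
    out, hexrun = [], []
    for b in text.encode("utf-16-le"):
        if 0x20 <= b < 0x7F and chr(b) not in SPECIAL:
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)


def parse_content(pattern):
    """Turn a content pattern (literal text mixed with |hex| runs) into raw bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    raw = bytearray()
    for i, part in enumerate(parts):
        if i % 2:  # odd pieces sit between pipes: hex bytes, spaces allowed
            if not re.fullmatch(r"[0-9A-Fa-f\s]*", part):
                raise ValueError(f"non-hex data between pipes: {part!r}")
            raw += bytes.fromhex(part)
        else:      # even pieces are literal characters
            raw += part.encode("latin-1")
    return bytes(raw)


def decode_wide(raw):
    """Return the text if raw is ASCII stored as UTF-16LE (every second byte 00), else None."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return None


if __name__ == "__main__":
    sample = to_content("iservc.exe")          # constructed sample string
    print(sample)                              # literal characters separated by |00|
    print(decode_wide(parse_content(sample)))  # the readable string again
```
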