[Snort-users] Fizzer Virus Signature

Chris Keladis Chris.Keladis at ...6400...
Wed May 14 06:12:04 EDT 2003


Jeremy Junginger wrote:

> Many Thanks!  Also, could someone clarify what's going on with the |00|
> stuff?  I've seen it here and there, but don't really understand it.  I
> can see the obvious "Microsoft R Windows System Init" and "lservc.exe"
> (which looks strange, because it should be looking for iservc.exe AFAIK).
> Anyhow, thanks!

Windows, for the most part, employs the Unicode character set.

Unicode has multi-byte representations of characters, so when displaying 
your normal ASCII characters represented as Unicode, the high-order (I 
think it was) bytes are set to 00.

If you look at most Windows protocols you will see the same thing going 
on. You can learn more about Unicode from www.unicode.org.




Regards,

Chris.
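
The effect described in the reply above, as an added example that is not part of the original post and is not Snort's own code: it expands a Snort content string with |hex| runs into raw bytes and checks whether those bytes are ASCII text stored as UTF-16LE, where every character is followed by a 00 byte. The function names and the sample pattern are constructed for illustration; the sample is not the actual Fizzer signature.

```python
import re

# One token of a content string: a |hex| run, a backslash escape, or a literal char.
_TOKEN = re.compile(r"\|([0-9A-Fa-f\s]*)\||\\(.)|([^|\\])", re.S)

# Constructed sample pattern (not the real signature).
SAMPLE = "i|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e|00|"


def content_to_bytes(pattern: str) -> bytes:
    """Expand a Snort content string (literal text mixed with |hex| runs) to raw bytes."""
    out, pos = bytearray(), 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"unbalanced '|' or dangling backslash at offset {pos}")
        hex_run, escaped, literal = m.groups()
        if hex_run is not None:
            out += bytes.fromhex(hex_run)  # spaces between hex pairs are ignored
        else:
            out += (escaped or literal).encode("latin-1")
        pos = m.end()
    return bytes(out)


def utf16le_ascii_text(raw: bytes):
    """Return the text if raw is ASCII stored as UTF-16LE (every second byte 00), else None."""
    if len(raw) < 2 or len(raw) % 2 or any(raw[1::2]):
        return None
    if not all(0x20 <= b < 0x7F for b in raw[0::2]):
        return None
    return raw.decode("utf-16-le")


def utf16le_content(text: str) -> str:
    """Write ASCII text as the content pattern that matches its UTF-16LE form."""
    out = []
    for byte in text.encode("utf-16-le"):
        ch = chr(byte)
        # Printable characters stay literal; 00 bytes and characters that are
        # special inside a rule are written as |hex|.
        out.append(ch if 0x20 <= byte < 0x7F and ch not in '|\\";:' else f"|{byte:02X}|")
    return "".join(out)


if __name__ == "__main__":
    raw = content_to_bytes(SAMPLE)
    print(raw.hex(" "), "->", utf16le_ascii_text(raw))
```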




