Snort mailing list archives
Re: Fizzer Virus Signature
From: Chris Keladis <Chris.Keladis () cmc optus net au>
Date: Wed, 14 May 2003 20:40:27 +1000
Jeremy Junginger wrote:
Many Thanks! Also, could someone clarify what's going on with the |00| stuff? I've seen it here and there, but don't really understand it. I can see the obvious "Microsoft R Windows System Init" and "lservc.exe" (which looks strange, because it should be looking for iservc.exe AFAIK). Anyhow, thanks!
Windows, for the most part, employs the Unicode character set. Unicode has multi-byte representations of characters, so when displaying your normal ASCII characters represented as Unicode, the high-order (I think it was) bytes are set to 00.
If you look at most Windows protocols you will see the same thing going on. You can learn more about Unicode from www.unicode.org
Regards, Chris.
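An added example, not part of the original message: a small Python helper that expands a Snort content string with |hex| sections into raw bytes and reports when the result is ASCII text carried as UTF-16LE, which is where the |00| bytes in the question come from. The sample pattern is constructed for illustration from the file name mentioned in the thread and is not the actual Fizzer rule; the function names are hypothetical.

```python
SPECIAL = '|";\\'  # characters written as hex inside a content string


def snort_content_to_bytes(content: str) -> bytes:
    """Text outside |...| is literal; text inside is space-separated hex."""
    parts = content.split("|")
    if len(parts) % 2 == 0:  # an odd number of pipes leaves a section open
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-indexed pieces are the hex sections between pipes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def bytes_to_snort_content(data: bytes) -> str:
    """Render bytes as a content string, hex-escaping non-printable bytes."""
    out, hexrun = [], []
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in SPECIAL:
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)


def utf16le_text(data: bytes):
    """Return the text if data is printable ASCII stored as UTF-16LE
    (low byte first, high-order byte 00), otherwise None."""
    if len(data) < 2 or len(data) % 2:
        return None
    low, high = data[0::2], data[1::2]
    if any(high) or not all(0x20 <= b < 0x7F for b in low):
        return None
    return data.decode("utf-16-le")


# Constructed sample: "iservc.exe" as it would appear in a UTF-16LE payload.
SAMPLE = "i|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e|00|"

if __name__ == "__main__":
    raw = snort_content_to_bytes(SAMPLE)
    print(raw.hex(" "), "->", utf16le_text(raw))
```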