
SANS ISC: Winners of Bonus Points from Yesterday’s FTBM


Yesterday, Tom Liston posted his latest Follow the Bouncing Malware.  In it, he posed a question for extra credit, namely:

"Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar.  [They were 4d5a] They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?)."

We had several readers point out the answer, but the first was Frank Knobbe:

"Actually, it is every MSDOS program. Every Portable Executable (PE) file starts with a header. The first two bytes are a 'magic' that identifies the file as an MSDOS executable. The magic is 0x5A4D which is MZ in ASCII. MZ are the initials of Mark Zbikowski, one of the original architects of MS-DOS. :)"

Tom described this as the ultimate in vanity-license-plate equivalents for geeks.  Indeed it is.  And, I might point out that the file encryption solution built into modern Windows systems is called....

Signing out...

Edward Frank Skoudis

Intelguardians, www.intelguardians.com

Sep 23rd 2005
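
The magic check Frank describes, as an added example that is not part of the original diary: it reads the first two bytes as a little-endian word (bytes 4d 5a on disk, 0x5A4D as a number) and, going one step beyond the quoted text, follows the 32-bit pointer at offset 0x3C of the DOS header to look for the "PE\0\0" signature. The function names and sample buffers are constructed for illustration.

```python
import struct

DOS_MAGIC = 0x5A4D        # little-endian word; on disk the bytes are 4d 5a ("MZ")
E_LFANEW_OFFSET = 0x3C    # DOS header field holding the offset of the PE signature
PE_SIGNATURE = b"PE\x00\x00"


def classify_header(data: bytes) -> str:
    """Return 'not-mz', 'mz-dos' or 'mz-pe' for the leading bytes of a file."""
    if len(data) < 2:
        return "not-mz"
    (magic,) = struct.unpack_from("<H", data, 0)
    if magic != DOS_MAGIC:
        return "not-mz"
    # Too short to hold the e_lfanew field: treat as a bare DOS stub.
    if len(data) < E_LFANEW_OFFSET + 4:
        return "mz-dos"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The pointer comes from the file itself, so bounds-check it before use.
    if e_lfanew + 4 > len(data):
        return "mz-dos"
    if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "mz-pe"
    return "mz-dos"


def build_sample(pe: bool, e_lfanew: int = 0x80) -> bytes:
    """Constructed 0x84-byte header for demonstration, not a real executable."""
    header = bytearray(0x84)
    header[0:2] = bytes.fromhex("4d5a")
    if pe:
        struct.pack_into("<I", header, E_LFANEW_OFFSET, e_lfanew)
        header[0x80:0x84] = PE_SIGNATURE
    return bytes(header)


if __name__ == "__main__":
    samples = [("pe", build_sample(True)), ("dos", build_sample(False)),
               ("bad-pointer", build_sample(True, 0xFFFFFFF0)), ("pdf", b"%PDF-1.4")]
    for name, blob in samples:
        print(name, classify_header(blob))
```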
