The title of this post is not a secret message and I am not intoxicated.<\/p>\n
UVWATAUAVAWH happens to be the most popular string extracted from all .exe, .dll and .sys OS files on my 64-bit Windows. The string is so popular and at the same time suspicious that if you google it you will find people theorizing about it having something to do with BSODs \/ being a part of some internal ZeroAccess secret language.<\/p>\n
If you convert the characters into hex:<\/p>\n
UVWATAUAVAWH<\/pre>\nyou will get a string of bytes like these:<\/p>\n
55 56 57 41 54 41 55 41 56 41 57 48<\/pre>\nand these can be also represented as opcodes:<\/p>\n
U - push\u00a0\u00a0\u00a0 rbp<\/pre>\nV - push\u00a0\u00a0\u00a0 rsi<\/pre>\nW - push\u00a0\u00a0\u00a0 rdi<\/pre>\nAT - push\u00a0\u00a0\u00a0 r12<\/pre>\nAU - push\u00a0\u00a0\u00a0 r13<\/pre>\nAV - push\u00a0\u00a0\u00a0 r14<\/pre>\nAW - push\u00a0\u00a0\u00a0 r15<\/pre>\nH - part of sub rsp, xxx opcode<\/pre>\nThe sequence is a very typical prologue for functions\u00a0 (64-bit code) – so typical that it is all over the place together with its variants (see below); the ‘vowelized’ properties of these strings remind me an interesting paper about shellcodes that look like English text<\/a>.<\/p>\n
UVWATAUAVAWH\r\nWATAUH\r\nWATAUAVAWH\r\nSUVWATAUAVAWH\r\nSUVWATH\r\nVWATAUAVH\r\nSUVWATAUH\r\nATAUAVH\r\nUSVWATAUAVAWH\r\nUVWATAUH\r\nSUVWATAUAVH\r\nSVWATAUAVAWH\r\nUSVWATH\r\nUSVWATAUH\r\nUSVWATAUAVH\r\nVWATAUAVAWH\r\nWAVAWH\r\nATAUAVAWH\r\nVWATAUAWH\r\nWATAVH\r\nUVWATAUAVH<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
The title of this post is not a secret message and I am not intoxicated. UVWATAUAVAWH happens to be the most popular string extracted from all .exe, .dll and .sys OS files on my 64-bit Windows. The string is so … Continue reading