Unknown virus (maybe)

**karnevil9** · April 18th, 2002, 05:59 PM

.scr is the file extension for screen savers. There have been many cases where trojans or viruses have been delivered with a screen saver. The problem is that when you download a screen saver form the web and lauch it on your machine, the code will be executed with your user account and thus it can basically access every file that you can access.

This said, it is not recommended to download any screen savers from the net, but since you are going to download anyway, scan the files before using and do not run stuff that you received with e-mails (even if it came from a person you know).

...and moreover --> very many people are using their windows with a user account that belongs to administrators group. This makes it very easy for trojans and viruses to spread and do their stuff.

- karnevil9

**ii-monk** · April 18th, 2002, 06:09 PM

Originally posted here by imchaser
If your veiwing an http formatted email in plain text it will show you the http associated files, you know how people are adding background and such.

Yeah, but i don't risk it. I will try a scan.

**ii-monk** · April 19th, 2002, 05:00 PM

A guy or a automated service of an ISP sent me an e-mail:
The following message had attachment(s) which contained viruses:

>From : [email protected]
To : [email protected]
Subject : SQLMoreResults
Date : Fri, 19 Apr 2002 11:32:35 +0300 (EEST)
Message-ID: <[email protected]>

Attachment Virus name Action taken
------------------------------------------------------------------------------
cf1969111380.att Exploit.IFrame.FileDownloadRemoved
SQL.scr I-Worm.Klez.h Removed

It seems that there were an exploit and a worm.
We are talking about the worm called "I-Worm.Klez.h" or "W32/Klez". You can find more there:
http://www.sophos.com/virusinfo/articles/klezh.html
http://[email protected]
http://www.f-secure.com/v-descs/klez_h.shtml
http://www.kaspersky.com/news.html?id=560839
http://www.viruslist.com/eng/viruslist.html?id=4292
http://vil.nai.com/vil/content/v_99455.htm
http://www.norman.no/virus_info/w32_klez_g_mm.shtml
http://antivirus.about.com/library/weekly/aa041702a.htm
http://www.messagelabs.com/viruseye/threatlist.asp
http://www.wired.com/news/technolog...2,51949,00.html
AND on AO from other users:
http://www.antionline.com/showthread...hreadid=225999
and http://www.antionline.com/showthread...hreadid=226100 .

**Cojonudo** · April 19th, 2002, 07:01 PM

Karnevil wrote:
"scr is the file extension for screen savers. There have been many cases where trojans or viruses have been delivered with a screen saver. The problem is that when you download a screen saver form the web and lauch it on your machine, the code will be executed with your user account and thus it can basically access every file that you can access. "

If it where a *real* screen saver, ther would be no problem, but this kind of code its some sort of SOURCe of an script language that some maildisplayers recognize (like Outlook), I think its VisualBasic Or Javascript, not too sure, I remeber having used it myself sometime...
It´s weird thqat no Senior Member has pointewd that yet

(By the way, my mood is sad, because I'm not in the wargame)

**ii-monk** · April 19th, 2002, 07:47 PM

Thanks Cojonudo for your extra info about the .scr files.

**Ryan Nyquist** · April 19th, 2002, 11:00 PM

you should get an account at hotmail (www.hotmail.com). hotmail has a virus scanner (McAfee) that automatically scans attachments for viruses when you open them. if you have a hotmail account, open up an attachment and at the bottom of it it will say "Attachment automatically scanned for viruses using McAfee". its pretty cool for an e-mail place to have a built in virus scanner.

**karnevil9** · April 19th, 2002, 11:54 PM

I said this once, but I will say this again.

.SCR is the file extension for a screen saver. It is NOT a registrated file type for some script interpreter by default in Windows. For Java Script the extension is .JS and for VBScript it's .VBS. .SCR is executable code that is usually written in C++, but you could create screen savers with virtually any language.

Because it's executable code it will be executed and using your permissions.

About Outlook --> it's true that the Outlook does not always show the real file extension, if the file is named e.g. file.txt.exe or something. In this case Outlook might show file.txt which is obviously wrong and might trick user to click the file.

- karnevil9

**Info_Au** · April 20th, 2002, 02:04 AM

When i first joined this board there was discussion on how to stop these things happeing.!!
Here was a simple answer.........By "QUAD"
Remove "Cscript.exe" and "Wscript.exe" from Windows!!

Never caused any problems on my system by doing this too over the many months i had it removed.
Just a thought!!

**ii-monk** · April 20th, 2002, 10:40 AM

I never do everything people tell me. Even they have right.

**Undertaker02** · April 20th, 2002, 11:44 AM

extra note..

Windaz bloody default settings.. in Widoze Explorer, Tools, Folder Options
Select view..
remove the tick from "Hide extensions for known file types" if you've done this beaut mate.. if not do it now..

cheers

Thread: Unknown virus (maybe)

Thread Tools

Display

Posting Permissions