To access shares.
Win 98
Goto start > Run
Type "Explorer" into field (without quotes)
If any of the drives have a Blue hand holding the icon, then it is shared.
Simply right click on it and select sharing.
Printable View
To access shares.
Win 98
Goto start > Run
Type "Explorer" into field (without quotes)
If any of the drives have a Blue hand holding the icon, then it is shared.
Simply right click on it and select sharing.
http://www.pc-help.org/news/scriptworm.htm
This link explains how worms works
scrsvr.exe is spreading in exactly the same fashion
I don't have this bugger yet but I've been doing some searches on it. A couple of things I've found indicate it's propagating thru the NetBEUI port (port 139). Manually closing this port supposedly stops it. Another trick is to create a fake scrsvr.exe text file in your C:/windows folder. I'm running w2k so I suppose I would put it in C:/WINNT. (correct me if I'm wrong here)
I haven't had to deal with it yet so these are untested by me.
I created a fake scrsvr.exe file in windows folder and made it read only. Worked for me. :)
The file uses a hard coded c:\windows\scrsvr.exe path so you won't get it under 2k.Quote:
Originally posted by DVOM
I'm running w2k so I suppose I would put it in C:/WINNT. (correct me if I'm wrong here)
Just curious. Did you recently just download a trial version of a screen saver? Could the screen saver be trying to call home for some registration purposes?
Edit: Very good IMM my bad 2:39am toronto, ontario.
viralmenace The subject is this worm
http://securityresponse.symantec.com...serv.worm.html
It would be a strange way to register - installing itself on any other machine it can :)
IMM, thanks for that. I was just trying to figure out how to protect our w2k network at work. Apparently I don't have to. The only 98 machine we've got doesn't have any shares set.
PLEASE NOTE
Although it works for this virus when you create a read only file called scrsvr.exe in your windows directory, it won't work for future viruses. YOU ARE BETTER TO REMOVE THE SHARES, MAKE THEM READ ONLY OR DEPENDS ON PASSWORD.
All it takes is for someone to recomplie this virus to use a different filename and all you people who created the read only scrsvr.exe file are shafted.
This is from http://service2.symantec.com/SUPPORT...00091415173339
---------
If you do not want to disable file and print sharing
1. Double-click My Computer on the Windows desktop.
2. Right-click drive C, and click Sharing. If you do not see Sharing, stop here.
3. Look at Sharing status:
If Not Shared is checked, stop here.
If Shared As is checked, we recommend that you disable this option by checking
Not Shared.
If you must share this volume, then under Access Type check either Read-Only or
Depends on Password.
You can create separate passwords for read-only and full access. Give the Full
Access Password only to those who need it.
For all other shared files and folders, make sure Access Type is set appropriately.
---------
Never share the root (unless you REALLY know how to protect it).
ACK !!!! I ran samantec's fix it found the thing and repaired it. But I stillset a boot up message asking for the scrsvr.exe. I checked the reg and win.ini file also and found nothing. An y ideas how to stop windows from asking for this file ?
Do Start > Run > Win.ini
You will find the EXE on the Run= line
Replace it by just
Run=
Save, exit and reboot
As I said I had already done that I ended up doing this fix thanks to a previous post fromTufenuf I obtained this fix here http://www.computing.net/security/ww...orum/2430.html
Reboot to DOS Type in: Edit and then Press Enter
(If you have a good boot disk this will bring up a small application that will allow you to make a fake scrsvr file and keep the virus from duplicating itself again.)
A blue screen will appear. Press Alt and F at the same time. Use your arrow keys to move down and highlight Save As in the menu that appears. Press Enter.
Type in: scrsvr.exe in the window that appears next. Then use Tab to get to the Save button and press Enter again.
Then you're back to the blue screen. Once again Press Alt and F at the same time. Use your arrow keys to move down and highlight Exit in the menu that appears. Press Enter.
You should now be back to the black and white screen.
Type in: attrib +r c:\windows\scrsvr.exe
Press enter. The fake scrsvr you created now can't be deleted or overwritten by the virus. You're done in Dos, so turn off your computer, remove the boot disk, and reload to Windows.
You will probably see a little message saying "You are using Selective startup for troubleshooting". Just click the check box on this and click ok so that you won't have to see it anymore. It is just talking about the first step you did when you changed MSCONFIG.
Open Notepad (look for it in your Start Menu, under Programs > Accessories).
Click on the File menu, then on Open. A window pops up. Next to "Files of Type" at the bottom of the screen, click on the down arrow and select "All Files". Then browse your computer to get into the Windows folder on C drive. Find a file called Win.ini and open it. On my computer there was a line near the top that was set to load scrsvr.exe when the computer started. It looked like "C:\Windows\scrsvr.exe" and I just deleted it right out of there. Then click File, and Save. Exit this program.
Click on Start button again, then on Run. Type in REGEDIT and hit enter. Click on the Edit menu in the window that comes up, and then on Find. Type in scrsvr in the box and then click on Find Next button. It will locate scrsvr in your Registry, all you have to do is right click on it and delete it. Close this window when you're done.
Thanks again Tufenuf.:D