
Virus attack

CL asked
Anyone come across this .scr screensaver malware/trojan virus?

How can I clean it?

David Johnson, CD, Simple Geek from the '70s
Distinguished Expert 2019

Commented:
.scr is a renamed .exe that is normally used by screen savers.
Boot the machine from an install disk and go to repair/command prompt,
and then search for and delete the file.
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2019

Commented:
Anyone come across this .scr screensaver malware/trojan virus?
Impossible to tell by extension.

Generally, an SCR is an application written with the appropriate methods to make it a screensaver. As per above, some EXEs can be renamed to SCR and will be triggered when the screensaver's settings trigger.

Malware writers leverage this by setting the screensaver to launch the malicious EXE.

Reading your subject suggests a file was attached. If you want to see what virus it is, instead submit it to
http://www.virustotal.com/
bbao, IT Consultant

Commented:
As clarified above by other experts, .SCR is just a filename extension for Windows Screensaver, which basically is an executable file in EXE format. Technically, any EXE file can be renamed and loaded as a screensaver, though the file is not intended to behave that way.

Yes, traditionally the .SCR file is a way for some viruses to hide, as the filename extension is not that sensitive for most average Windows end users. But technically the two things (SCR and virus) are not related at all.

If you are worried about having some virus hidden specifically in SCR files, you may scan them using any up-to-date anti-virus software, or remove any non-Microsoft SCR files, especially those with an invalid Microsoft certificate.
Commented:
Just to give an update: installed Sophos Intercept X and it detects the *.SCR.

It is able to detect the *.SCR file, but the particular folder keeps generating the *.scr extension file, and Sophos keeps doing detect -> clean -> delete.

Probably need to find out the source, else need to restore the server data.

Anyway, thanks for all the advice and sharing.
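
The signature check and the "find out the source" step discussed in this thread, as an added example that is not part of any poster's comment: a PowerShell inventory of .scr files that records whether each is a PE executable, its Authenticode status, owner, creation time and SHA-256 (which can be searched on VirusTotal). The `$Root` path is an assumption; point it at the folder that keeps regenerating the files.

```powershell
# Added example (not from the thread): inventory .scr files and flag
# executables without a valid Authenticode signature.
param(
    [string]$Root = 'D:\Shares'   # assumed path; set to the affected folder
)

function Test-PeHeader {
    param([string]$Path)
    # A screensaver is an ordinary PE file, so it starts with the bytes 'MZ'.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] 2
        $read = $fs.Read($buf, 0, 2)
        return ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

$report = Get-ChildItem -LiteralPath $Root -Filter *.scr -File -Recurse -Force `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = $_
        try {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName -ErrorAction Stop
            [pscustomobject]@{
                Path      = $f.FullName
                Created   = $f.CreationTime
                # Owner and creation time help trace which account writes the files.
                Owner     = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner
                IsPE      = Test-PeHeader $f.FullName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            }
        } catch {
            # The AV may delete or lock a file between listing and reading it.
            Write-Warning "Skipped $($f.FullName): $($_.Exception.Message)"
        }
    }

# Unsigned or invalidly signed executables are the ones to review first.
$report | Where-Object { $_.IsPE -and $_.SigStatus -ne 'Valid' } |
    Sort-Object Created | Format-List

# Which screensaver is the current user configured to launch?
(Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'SCRNSAVE.EXE' `
    -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
```

If the same Owner or a regular spacing of Created timestamps shows up across the flagged files, that account or schedule is the place to start looking for whatever is writing them.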