From: Chris Robinson 

Ah right.  Thanks for the info.

Chris.

"Geo." wrote:

> It would most likely do that if it were a mapped share, with just a share on
> some machine on the network a lot of the virus won't even know it's there
> let alone try using the current login on it (usually the ones that search
> empty space assume they are searching the internet).
>
> Geo.
>
> "Chris Robinson" 
wrote in message
> news:3F0062BF.92FB3FA0{at}NOSPAMtotalise.co.uk...
> > Yeh, I'll add some of these things I think - thanks.  Surely though, a
> virus that
> > propogated via network shares would go to a PC even if the Guest account
> was
> > dissabled.  If the PC that sends it the virus is logged onto our network
> then
> > that PC has full access to this share - so it would write to it...
> wouldn't it?
> >
> > Chris.
> >
> > John Beckett wrote:
> >
> > > Chris Robinson  wrote
in message
> > > news::
> > > >  I just wanted to set something up with an open share
so I know if
> anything
> > > > like this happens again.
> > >
> > > Yes, but on NT4, if you don't enable Guest with a blank password, then
> if
> > > there is a network-share-probing virus, your honeypot will
probably NOT
> > > detect it. These kinds of viruses are pretty primitive so
far. They are
> > > looking for shares that can be written by an anonymous
(Guest) user, or
> by
> > > Administrator with one of a limited number of guessed passwords (e.g.
> > > "admin" or "password").
> > >
> > > Probably a more scientific approach would be to run Snort
(which detects
> > > any suspicious network activity), or enable auditing on your
NT machine.
> > > Log failed logon attempts and failed write attempts to the shared
> folder.
> > >
> > > Attempts to access the share with an unknown user or
incorrect password
> > > would appear in the Security log of Event Viewer.
> > >
> > > John
> >

--- BBBS/NT v4.01 Flag-4