Love You NO MORE...
May 8, 2000
by Marcin Policht
Even though it might sound like I'm getting a bit too personal, I am sure that after the recent events everyone knows that the topic will be VBScript-based viruses.
Hundreds of thousands of machines were hit with the malicious "I Love You" virus, which was simply a VBScript file, sent as an attachment, capable of cleverly replicating itself and damaging all the files with extensions *.vbs, *.vbe, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg, *.jpeg, *.mp3, *.mp2. The irony is that the resulting chaos could have been easily avoided - and can be avoided in the future - without any anti-virus software at that. Here is how:
The attack was based on the assumption that an e-mail attachment is typically opened by double-clicking on it. This invokes a default behavior determined by the attachment's extension, which in turn executes the application chosen to perform this action, usually with appropriate arguments. For VBScript and JScript files (with extensions *.vbs, *.vbe, *.js, *.jse, or *.wsh), double-clicking, by default, executes wscript.exe, which calls the appropriate scripting engine and interprets and executes the attached script - including a malicious one like the LOVE-LETTER-FOR-YOU.txt.vbs.
This can be changed - either indirectly, by modifying File Type options from the View menu in Windows Explorer, or directly, by editing the registry. For example, instead of executing the script, the default action can launch Notepad with the script loaded in it.
One caveat though - remember that from this point on, every single time you want to run a script, you have to type the full command line from the Command Prompt or Run menu, e.g. "wscript.exe myscript.vbs".
How do you implement this change on a couple of hundred machines at once? Well, how about using VBScript... The following alters the default behavior and creates an association with Notepad.exe.
1. Create a file with a *.vbs extension (e.g. LoveUNot.vbs), modify your logon script so it includes the line
2. Place both in the Repl$ share on your directory replication source and make sure they replicate to all NetLogon shares on all domain controllers. Once users log on, the problem is resolved.
This can also be done by using System Policies, but it would require creating a custom template (*.adm) file.
On Error Resume Next
VBKey = "HKCR\JSEFile\Shell\Open\Command\"
Of course, your workstations must have WSH with the VB Scripting Engine installed, but if they didn't, you probably wouldn't be too concerned about VBScript-based viruses in the first place :-)
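The registry change described above, written out as an added example (this is not the article's original script): it points the default Open command of each script file type at Notepad and reads the value back to confirm it. The list of ProgIDs other than JSEFile, the %SystemRoot%\System32 path to Notepad (NT-family Windows) and the two helper functions are assumptions of this example.

```vbscript
' Added example, not the article's original script.
' Assumes NT-family Windows and the standard WSH ProgIDs listed below.
Option Explicit

Const NEW_CMD = "%SystemRoot%\System32\Notepad.exe ""%1"""
Dim WshShell, ProgID, VBKey, OldCmd, Report

Set WshShell = WScript.CreateObject("WScript.Shell")
Report = ""

For Each ProgID In Array("VBSFile", "VBEFile", "JSFile", "JSEFile", "WSHFile")
    ' A trailing backslash addresses the key's default value.
    VBKey = "HKCR\" & ProgID & "\Shell\Open\Command\"
    OldCmd = ReadDefault(VBKey)

    If IsNull(OldCmd) Then
        Report = Report & ProgID & ": no Open command found, skipped" & vbCrLf
    ElseIf OpensInNotepad(OldCmd) Then
        Report = Report & ProgID & ": already opens in Notepad" & vbCrLf
    Else
        On Error Resume Next
        WshShell.RegWrite VBKey, NEW_CMD, "REG_EXPAND_SZ"
        On Error GoTo 0
        ' Read the value back instead of trusting the write.
        If OpensInNotepad(ReadDefault(VBKey)) Then
            Report = Report & ProgID & ": changed, was " & OldCmd & vbCrLf
        Else
            Report = Report & ProgID & ": FAILED, still " & OldCmd & vbCrLf
        End If
    End If
Next

WScript.Echo Report

' Hypothetical helper: default value of Key, or Null if it cannot be read.
Function ReadDefault(Key)
    ReadDefault = Null
    On Error Resume Next
    ReadDefault = WshShell.RegRead(Key)
End Function

' Hypothetical helper: True when the command line refers to notepad.exe.
Function OpensInNotepad(Cmd)
    OpensInNotepad = False
    If Not IsNull(Cmd) Then
        OpensInNotepad = (InStr(1, Cmd, "notepad.exe", vbTextCompare) > 0)
    End If
End Function
```

Writing under HKCR needs write access to those keys, so when the script runs from a logon script under an account without that access, the affected types show up as FAILED in the report.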