
Love You NO MORE...

By ServerWatch Staff (Send Email)
Posted May 8, 2000


by Marcin Policht

Even though it might sound like I'm getting a bit too personal, I am sure that after the recent events everyone knows that the topic will be VBScript-based viruses.

Windows NT/2000 columnist Marcin Policht has come up with a very effective solution to combat *.vbs-type viruses without using anti-virus software. You definitely want to see this!

Hundreds of thousands of machines were hit with the malicious "I Love You" virus, which was simply a VBScript file, sent as an attachment, capable of cleverly replicating itself and damaging all files with the extensions *.vbs, *.vbe, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg, *.jpeg, *.mp3 and *.mp2. The irony is that the resulting chaos could have been easily avoided - and can be avoided in the future - without any anti-virus software. Here is how:

The attack was based on the assumption that an e-mail attachment is typically opened by double-clicking on it. This invokes a default action determined by the attachment's extension, which in turn runs the application registered to perform that action, usually with appropriate arguments. For VBScript and JScript files (with extensions *.vbs, *.vbe, *.js, *.jse, or *.wsh), double-clicking by default runs wscript.exe, which loads the appropriate scripting engine and interprets and executes the attached script - including a malicious one like LOVE-LETTER-FOR-YOU.txt.vbs.

This can be changed - either indirectly, by modifying the File Types options in the View menu of Windows Explorer, or directly, by editing the registry. For example, instead of executing the script, the default action can launch Notepad with the script loaded in it.

One caveat though - remember that from this point on, every single time you want to run a script you have to type the full command line from the Command Prompt or the Run menu, e.g. "wscript.exe myscript.vbs".

How do you implement this change on a couple of hundred machines at once? Well, how about using VBScript... The following alters the default action and creates an association with Notepad.exe.

1. Create a file with a *.vbs extension (e.g. LoveUNot.vbs) and modify your logon script so it includes the line "wscript.exe LoveUNot.vbs".

2. Place both in the Repl$ share on your directory replication source and make sure they replicate to all NetLogon shares on all domain controllers; once users log on, the problem is resolved.

This can also be done using System Policies, but it would require creating a custom template (*.adm) file.

And here is the content of the LoveUNot.vbs script (this is for Windows NT machines; for Windows 9x you would have to modify the location of Notepad.exe and change the registry data type to REG_SZ):

On Error Resume Next

Set WShell = CreateObject("WScript.Shell")

' The command that replaces script execution: open the file in Notepad instead.
' %1 is the script path; it is quoted so that paths containing spaces still work.
NotepadCmd = "%SystemRoot%\system32\NOTEPAD.EXE ""%1"""

' Redirect both the Open and Open2 verbs for every Windows Script Host file type
For Each FileType In Array("JSEFile", "JSFile", "VBEFile", "VBSFile", "WSFFile", "WSHFile")
    For Each Verb In Array("Open", "Open2")
        VBKey = "HKCR\" & FileType & "\Shell\" & Verb & "\Command\"
        WShell.RegWrite VBKey, NotepadCmd, "REG_EXPAND_SZ"
    Next
Next


Of course, your workstations must have WSH with the VBScript engine installed, but if they didn't, you probably wouldn't be too concerned about VBScript-based viruses in the first place :-)
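Because LoveUNot.vbs runs under On Error Resume Next, a workstation where the registry writes failed (for instance because the logged-on user lacks rights to HKCR) would never be noticed. The following audit script, added here as an example and not part of the original column, reads back the same verbs and reports any that still hand the file to a script host; run it with cscript (e.g. "cscript //nologo CheckLoveUNot.vbs", a file name assumed here) so the report goes to the console or a log and the exit code can be checked from the logon script.

```vbscript
' CheckLoveUNot.vbs - verifies the associations written by LoveUNot.vbs.
' Run with: cscript //nologo CheckLoveUNot.vbs
Option Explicit
On Error Resume Next

Dim WShell, FileType, Verb, Key, Cmd, Bad
Set WShell = CreateObject("WScript.Shell")
Bad = 0

For Each FileType In Array("JSEFile", "JSFile", "VBEFile", "VBSFile", "WSFFile", "WSHFile")
    For Each Verb In Array("Open", "Open2")
        Key = "HKCR\" & FileType & "\Shell\" & Verb & "\Command\"
        Err.Clear
        Cmd = WShell.RegRead(Key)   ' trailing "\" reads the (Default) value of the key
        If Err.Number <> 0 Then
            ' Verb not defined on this machine - nothing to execute, nothing to fix
            WScript.Echo "MISSING  " & Key
            Err.Clear
        ElseIf IsScriptHost(Cmd) Then
            ' Double-clicking this file type still runs the script
            WScript.Echo "EXECUTES " & Key & " -> " & Cmd
            Bad = Bad + 1
        Else
            WScript.Echo "ok       " & Key & " -> " & Cmd
        End If
    Next
Next

WScript.Echo Bad & " verb(s) still execute scripts"
' Non-zero exit code when anything still executes, so a logon script can log the machine
WScript.Quit Bad

' True when the command line's executable is a Windows Script Host engine
Function IsScriptHost(CommandLine)
    Dim Lower
    Lower = LCase(CommandLine)
    IsScriptHost = (InStr(Lower, "wscript.exe") > 0) Or (InStr(Lower, "cscript.exe") > 0)
End Function
```

The check itself depends on the script engine being present, just like LoveUNot.vbs does, so a missing WSH installation shows up as the script failing to start rather than as a line in the report.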
