Love You NO MORE…

by Marcin Policht

Even though it might sound like I’m getting a bit too personal, I am sure
that after the recent events everyone knows that the topic will be VBScript-based
viruses.

Windows NT/2000 columnist Marcin Policht has come up with a very effective solution to combat *.vbs type viruses without using anti-virus software. You definitely want to see this!

Hundreds of thousands of machines were hit by the malicious “I Love
You” virus, which was simply a VBScript file, sent as an attachment,
capable of cleverly replicating itself and damaging all files with the
extensions *.vbs, *.vbe, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg,
*.jpeg, *.mp3 and *.mp2. The irony is that the resulting chaos could have been
easily avoided – and can be avoided in the future – and without any anti-virus
software at all. Here is how:

The attack was based on the assumption that an e-mail attachment is typically
opened by double-clicking on it. This invokes a default action determined
by the attachment’s extension, which in turn executes an application chosen to
perform this action, usually with appropriate arguments. For VBScript and
JScript files (with the extensions *.vbs, *.vbe, *.js, *.jse, or *.wsh),
double-clicking, by default, executes wscript.exe, which calls the appropriate
scripting engine and interprets and executes the attached script – including a
malicious one like LOVE-LETTER-FOR-YOU.txt.vbs.

This can be changed – either indirectly, by modifying the File Types options
from the View menu in Windows Explorer, or directly, by editing the registry.
For example, instead of executing the script, the default action can launch
Notepad with the script loaded in it.

One caveat though – remember that from this point on, every single time you want to run a script,
you have to type the full command line from the Command Prompt or the Run menu, e.g.
“wscript.exe myscript.vbs”.

How do you implement this change on a couple of hundred machines at once? Well,
how about using VBScript… The following script alters the default action and
creates an association with Notepad.exe.

1. Create a file with a *.vbs extension (e.g. LoveUNot.vbs) and modify your logon
script so it includes the line
“wscript.exe LoveUNot.vbs”.

2. Place both in the Repl$ share on your directory replication source, make sure
they replicate to all NetLogon shares on all domain controllers, and once users log
on, the problem is resolved.

This can also be done by using System Policies, but it would require creating
a custom template (*.adm) file.

And here is the content of the LoveUNot.vbs script (this is for Windows NT
machines; for Windows 9x you’d have to modify the location of Notepad.exe
and change the registry data type to REG_SZ):

' LoveUNot.vbs – point the default (Open) and "Open2" verbs of every WSH
' script file type at Notepad instead of wscript.exe / cscript.exe.
' The registry paths and the NOTEPAD.EXE path contain backslashes; the
' value data is written as REG_EXPAND_SZ so %SystemRoot% is expanded.

On Error Resume Next

Set WShell = CreateObject("WScript.Shell")

' Each RegWrite sets the (Default) value of the Command key, because the
' key path ends with a backslash. The VBScript "" inside the string is a
' literal quote, so the stored command is: %SystemRoot%\system32\NOTEPAD.EXE "%1"
VBKey = "HKCR\JSEFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\JSEFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\JSFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\JSFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\VBEFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\VBEFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\VBSFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\VBSFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\WSFFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\WSFFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\WSHFile\Shell\Open\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"
VBKey = "HKCR\WSHFile\Shell\Open2\Command\"
WShell.RegWrite VBKey, "%SystemRoot%\system32\NOTEPAD.EXE ""%1""", "REG_EXPAND_SZ"

Of course, your workstations must have WSH with the VBScript engine installed, but if
they didn’t you probably wouldn’t be too concerned about
VBScript-based viruses in the first place 🙂
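Once the logon script has run, you will want to confirm on a workstation that the Open verb really no longer launches a script host. The following audit script is an added example, not part of the original column: it reads back the (Default) value of each Shell\Open\Command key written above and reports whether the handler still executes scripts. It assumes the same six file classes as LoveUNot.vbs and should be run with cscript so the output goes to the console rather than a message box per class.

```vbscript
' AuditScriptAssoc.vbs (added example) – report what double-clicking each
' WSH script file type currently runs. Run: cscript //nologo AuditScriptAssoc.vbs
Option Explicit
On Error Resume Next

Dim WShell, classes, cls, key, cmd, status
Set WShell = CreateObject("WScript.Shell")

' Same file classes that LoveUNot.vbs rewrites (assumption: nothing else registered)
classes = Array("JSEFile", "JSFile", "VBEFile", "VBSFile", "WSFFile", "WSHFile")

For Each cls In classes
    ' Trailing backslash makes RegRead return the key's (Default) value
    key = "HKCR\" & cls & "\Shell\Open\Command\"
    cmd = ""
    Err.Clear
    cmd = WShell.RegRead(key)
    If Err.Number <> 0 Then
        ' RegRead raises an error when the key does not exist: the class is
        ' not registered, so double-clicking such a file runs nothing.
        status = "NOT REGISTERED"
        Err.Clear
    ElseIf InStr(1, cmd, "wscript", vbTextCompare) > 0 _
        Or InStr(1, cmd, "cscript", vbTextCompare) > 0 Then
        ' Still pointing at a script host: the change did not take effect
        status = "EXECUTES SCRIPT"
    ElseIf InStr(1, cmd, "notepad", vbTextCompare) > 0 Then
        status = "OPENS IN NOTEPAD"
    Else
        ' Some other handler (e.g. a third-party editor); review manually
        status = "OTHER HANDLER"
    End If
    WScript.Echo cls & ": " & status & "  [" & cmd & "]"
Next
```

Any class reported as EXECUTES SCRIPT means the logon script has not yet run on that machine, or a later installation restored the default association.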
