Access Denied: .vbs Virus Protection

When a new VBScript (.vbs) virus appears, antivirus vendors need time to produce a new signature for it. I need even more time to update users' machines, especially traveling users' laptops. What methods can I use to protect users against .vbs viruses?

A .vbs virus such as VBS.LoveLetter is simply a .vbs script that the attacker sends as an email attachment. Despite warnings, users persist in opening attachments without thinking. When users open the .vbs attachment, Windows graciously executes the script because of the default file associations in Windows Explorer. By default, the open action for .vbs files is associated with WScript, the Windows Script Host (WSH). To greatly reduce how quickly .vbs viruses spread, I recommend that you delete these associations.

To delete the default associations, open Windows Explorer and choose Tools, Folder Options. Click File Types, then find the .vbs file type, as Figure 1 shows. Next, click Advanced and edit the Open action. As Figure 2 shows, .vbs files automatically execute with wscript.exe when you open them. Either delete this action or change it to something safer, such as Notepad. You should also disable the Open2 method, which runs the script with cscript.exe, the command-line version of WSH. I recommend that you take similar action for Work Station Function (WSF), WSH, Visual Basic Editor, Microsoft JScript, and JScript Editor (JSE) file types, which are also associated with WSH. This action doesn't disable WSH for legitimate in-house-developed scripts—you can still run scripts by explicitly executing wscript.exe or cscript.exe with the script file's name. However, you need to change any shortcuts or batch files in which you simply state the script's name and rely on the file-type mapping to automatically execute the script.
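To confirm the change took effect on a given machine, the associations can be read back from the registry. The following read-only PowerShell audit is an added example, not part of the original column; the extension list and the `Open`/`Open2` verb names under each ProgID's `Shell` key are assumptions based on the standard WSH registrations.

```powershell
# Added example: report which script file types still launch WSH on double-click.
# Read-only; nothing in the registry is modified.

# Assumption: the standard extensions that Windows Script Host registers.
$extensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'

# Open normally maps to wscript.exe, Open2 to cscript.exe.
$verbs   = 'Open', 'Open2'
$classes = 'Registry::HKEY_CLASSES_ROOT'

$results = foreach ($ext in $extensions) {
    # The extension key's default value names the ProgID (for example VBSFile).
    $progId = (Get-ItemProperty -LiteralPath "$classes\$ext" `
                   -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }      # extension not registered at all

    foreach ($verb in $verbs) {
        # A missing Command key means the verb was deleted, as the text recommends.
        $cmdKey  = "$classes\$progId\Shell\$verb\Command"
        $command = (Get-ItemProperty -LiteralPath $cmdKey `
                        -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Verb      = $verb
            Command   = if ($command) { $command } else { '<not set>' }
            # True when the verb still hands the file to a WSH host.
            RunsWsh   = [bool]($command -match '\b(wscript|cscript)(\.exe)?\b')
        }
    }
}

$results | Format-Table -AutoSize

# Summarize anything that still needs attention.
$exposed = @($results | Where-Object RunsWsh)
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} association(s) still execute scripts via WSH." -f $exposed.Count)
} else {
    Write-Output 'No audited script type opens with wscript.exe or cscript.exe.'
}
```

Running it before and after the change shows each verb's command line, so a verb repointed to Notepad or deleted outright is easy to tell apart from one that was missed.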
