vbs (virus) Protection

On May 4, 2000, the ILOVEYOU vbs trojan/virus was sent around the world as an email attachment named Love-Letter-For-You.txt.vbs. Unfortunately, most users have display file extensions disabled (the Microsoft braindead default) and the attachment was displayed as Love-Letter-For-You.txt. Since everyone knows that text files can not contain viruses, this thing was opened, extreme damage (estimated at $2 to $5 billion dollars) was done to hundreds of thousands of machines, and it emailed itself to everyone in the available address book(s).

Making matters worse, new variants were being produced faster than the virus protection software could be updated. It was reported that more than 10 variants have appeared in the first week of infection. As of January 14, 2002, Symantec was reporting 82 variants.

It appears that it is even possible to catch this by simply browsing an infected web page ... IF you are running Microsoft Internet Explorer and VBScript is enabled (another Microsoft braindead default).

This page describes how to change your system parameters so that the chance of accidentally executing a new variant is reduced to an acceptable level (ie, almost nil).

Visual Basic Script | Contributing Factors | The Fix | Detailed Instructions | mirc

Visual Basic Script

Microsoft Visual Basic Script (VBScript) is the latest replacement for MS DOS batch (.bat) files. As such, it allows you to write scripts which have almost the same capability as executables (.exe). This includes the ability to erase or modify files on your hard drive. It also includes to capability to run other programs.

In general, this is a good thing.

Specifically, a VBScript file is a text file containing program instructions and saved with a .vbs extension. The default action when you double click the file is to execute it (ie, to run the program).

You can get a small amount of protection by changing the default action to Edit in Notepad. However, some email clients (such as Outlook and Outlook Express) ignore the default action and perform the Open action instead. Microsoft has set the default Open action to Execute the program.

All Microsoft Windows systems do not have the VBScript interpreter loaded. It comes with the Microsoft email clients and perhaps with IE 5. You can test your system by clicking here. If the interpreter is loaded, then you should be prompted whether to run or save the program. Select Run and a small, 1 line program will display a dialog box with 3 buttons. (Press any button to close the dialog box.) Otherwise, if the interpreter is not installed, the program source will display in your browser.

Contributing Factors

There are several aspects of the MS Windows configuration that contributed to this problem.

The Fix - Disable VBScript

Well, obviously, VB Script is not an important part of anyone's system (my Windows 95 system does not even have it installed). Therefore, you can protect your system from vbs (Visual Basic Script) viruses by changing the default action for *.vbs files. This action will require modifying the registry (which Microsoft warns all users not to do).

Protecting your system from this problem is not as simple as just changing the vbs default action because MS Outlook executes the command associated with HKCR\VBSFile\shell\Open.

The basic procedure is to

These simple precautions should help protect you from this class of viruses, and you probably won't miss the ability to execute these "imbedded datafile programs".

Detailed Instructions

First, modifying the registry carries a small risk - if you make a mistake, you could make your system un-bootable. You might even loose data. However, these changes are safe, and if you follow the instructions the risk is minimal. After these changes are made, the default action when a vbs file is Opened in MS Outlook will be to open it in notepad. If you double click a vbs file in Windows Explorer, it will also open in notepad. If you need to execute a VBScript, right click it and select Execute VBScript.

Additional Changes

WScript.exe, the Windows Script Interpreter, may be used by several additional scripting languages. As a result, you will need to search the registry for references to it, and make similar changes as appropriate. The specific keys may vary depending on the version loaded. Some keys are Some sources list 7 keys total.

mirc (Microsoft Internet Relay Chat)

This trojan also infects mirc so that it automatically sends a copy of LOVE-LETTER-FOR-YOU.HTM to each person that joins any chat room that you are currently connected to. It does this by creating c:\mirc\script.ini containing the following
In the above code, the 's' in the word 'send' was changed to 's' - the html code for the letter 's'. Without this change, Norton Antivirus 7.5 incorrectly claims that this file contains the IRC.Worm.gen (Generic) virus and automatically deletes the file. How about that, if you simply write about a virus, Norton starts deleting your work. They even put out alerts to people viewing this page on the web warning them that this page contains a virus.

Obviously, this ini file and the related htm file need to be deleted.

Uh, according to Symantec, some of the variants send an html file with a different name.


Microsoft provides a detailed guide on the VBScript language.

www.symantec.com describes the ILOVEYOU virus (worm), lists 29 variants (as of 5-15-00), and lists the registry entries that are modified.

ZDNet use to provide fairly complete coverage of the LoveBug problem and instructions on how to completely disable VBScript. (Basically, from Windows Explorer, select View / Options... / File Types / VBScript Script File / Remove. There are slight variations for different versions of Windows.)

Configuring Windows Explorer describes various modifictions that make Windows Explorer much friendlier. This includes simple user interface modifications and various registry modifications.

Author: Robert Clemenzi
URL: http:// mc-computing.com / Parasites / VBScript_Fix.html