vbs (virus) Protection

On May 4, 2000, the ILOVEYOU vbs trojan/virus was sent around the world as an email attachment named Love-Letter-For-You.txt.vbs. Unfortunately, most users have display file extensions disabled (the Microsoft braindead default) and the attachment was displayed as Love-Letter-For-You.txt. Since everyone knows that text files can not contain viruses, this thing was opened, extreme damage (estimated at $2 to $5 billion dollars) was done to hundreds of thousands of machines, and it emailed itself to everyone in the available address book(s).

Making matters worse, new variants were being produced faster than the virus protection software could be updated. It was reported that more than 10 variants have appeared in the first week of infection. As of January 14, 2002, Symantec was reporting 82 variants.

It appears that it is even possible to catch this by simply browsing an infected web page ... IF you are running Microsoft Internet Explorer and VBScript is enabled (another Microsoft braindead default).

This page describes how to change your system parameters so that the chance of accidentally executing a new variant is reduced to an acceptable level (ie, almost nil).

Visual Basic Script | Contributing Factors | The Fix | Detailed Instructions | mirc
References

Visual Basic Script

Microsoft Visual Basic Script (VBScript) is the latest replacement for MS DOS batch (.bat) files. As such, it allows you to write scripts which have almost the same capability as executables (.exe). This includes the ability to erase or modify files on your hard drive. It also includes to capability to run other programs.

In general, this is a good thing.

Specifically, a VBScript file is a text file containing program instructions and saved with a .vbs extension. The default action when you double click the file is to execute it (ie, to run the program).

You can get a small amount of protection by changing the default action to Edit in Notepad. However, some email clients (such as Outlook and Outlook Express) ignore the default action and perform the Open action instead. Microsoft has set the default Open action to Execute the program.

All Microsoft Windows systems do not have the VBScript interpreter loaded. It comes with the Microsoft email clients and perhaps with IE 5. You can test your system by clicking here. If the interpreter is loaded, then you should be prompted whether to run or save the program. Select Run and a small, 1 line program will display a dialog box with 3 buttons. (Press any button to close the dialog box.) Otherwise, if the interpreter is not installed, the program source will display in your browser.

Contributing Factors

There are several aspects of the MS Windows configuration that contributed to this problem.

The word Open has an indeterminate meaning. In this case, it means to execute the program. In other cases, it means to view the contents of a file.
The MS Windows default is to hide file extensions. In some email clients, the file test.txt.vbs is displayed as test.txt giving the impression that it is just a harmless text file ... and everyone knows that it is always safe to Open a text file.
The default action when you double click a *.vbs file is to Open it, which in this case means to execute it. Well, these are programs, so it makes sense to execute them, right?

The Fix - Disable VBScript

Well, obviously, VB Script is not an important part of anyone's system (my Windows 95 system does not even have it installed). Therefore, you can protect your system from vbs (Visual Basic Script) viruses by changing the default action for *.vbs files. This action will require modifying the registry (which Microsoft warns all users not to do).

Protecting your system from this problem is not as simple as just changing the vbs default action because MS Outlook executes the command associated with HKCR\VBSFile\shell\Open.

The basic procedure is to

Check in the registry for HKCR\.VBS. If that doesn't exist, then you don't currently have the problem. However, you need to perform this check after loading any Microsoft product, particularly Exchange or Outlook (email). (I haven't verified this with Exchange yet.)
Modify the default values under HKCR\VBSFile\Shell. Change Edit to Edit in Notepad; Open to Execute or Run Program; and make Edit in Notepad the default action.
This is the tricky part, MS Outlook Express ignores the default action and runs the command associated with the open key. Therefore, you MUST also rename the keys so that open becomes something like openxx and edit becomes open.

These simple precautions should help protect you from this class of viruses, and you probably won't miss the ability to execute these "imbedded datafile programs".

Detailed Instructions

First, modifying the registry carries a small risk - if you make a mistake, you could make your system un-bootable. You might even loose data. However, these changes are safe, and if you follow the instructions the risk is minimal.

Start regedit.exe
Navigate to and expand the HKEY_CLASSES_ROOT\VBSFile\Shell key
aka HKCR\VBSFile\Shell
You should see 4 sub-keys - Edit, Open, Open2, Print,
Rename the first 2 sub-keys by right clicking them and selecting Rename
Change the default values for these same 2 keys. First, click on the key to highlight it, then double click the the word (Default). Simply type in the new values and press Enter (or click OK).
The default value is what is displayed in the pop-up menu displayed when you right click a vbs file. The ampersand (&) causes the letter following it to be underlined.
Close regedit.

Key	Old Value	New Value
Open	&Edit	&Edit in Notepad
Open1	&Open	&Execute VBScript

After these changes are made, the default action when a vbs file is Opened in MS Outlook will be to open it in notepad. If you double click a vbs file in Windows Explorer, it will also open in notepad. If you need to execute a VBScript, right click it and select Execute VBScript.

Additional Changes

WScript.exe, the Windows Script Interpreter, may be used by several additional scripting languages. As a result, you will need to search the registry for references to it, and make similar changes as appropriate. The specific keys may vary depending on the version loaded. Some keys are

Reg Key	Extension
HKCR\JSFile		.js
HKCR\WSHFile		.wsh

Some sources list 7 keys total.

mirc (Microsoft Internet Relay Chat)

This trojan also infects mirc so that it automatically sends a copy of LOVE-LETTER-FOR-YOU.HTM to each person that joins any chat room that you are currently connected to. It does this by creating c:\mirc\script.ini containing the following

[script]
;mIRC Script
;  Please dont edit this script... mIRC will corrupt, if mIRC will
     corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

In the above code, the 's' in the word 'send' was changed to 's' - the html code for the letter 's'. Without this change, Norton Antivirus 7.5 incorrectly claims that this file contains the IRC.Worm.gen (Generic) virus and automatically deletes the file. How about that, if you simply write about a virus, Norton starts deleting your work. They even put out alerts to people viewing this page on the web warning them that this page contains a virus.

Obviously, this ini file and the related htm file need to be deleted.

Uh, according to Symantec, some of the variants send an html file with a different name.

References

Microsoft provides a detailed guide on the VBScript language.

www.symantec.com describes the ILOVEYOU virus (worm), lists 29 variants (as of 5-15-00), and lists the registry entries that are modified.

ZDNet use to provide fairly complete coverage of the LoveBug problem and instructions on how to completely disable VBScript. (Basically, from Windows Explorer, select View / Options... / File Types / VBScript Script File / Remove. There are slight variations for different versions of Windows.)

Configuring Windows Explorer describes various modifictions that make Windows Explorer much friendlier. This includes simple user interface modifications and various registry modifications.

Author: Robert Clemenzi