VBScript Viruses

In 2000, many new viruses emerged as scripts written in VBScript; the most famous was the VBS.LoveLetter virus. Replication of these viruses resulted mostly from unknowing users executing the virus by double-clicking infected files. Most users don't need to run such scripts, so one way to safeguard against viruses is to remove the ability to execute the scripts by eliminating the file association for VBScript (.vbs) files from users' computers. Actually, few users need to run several other executable file types, including VBScript Encoded (.vbe) files, JScript (.js) files, JScript Encoded (.jse) files, and Shell Scrap (.shs) files. However, although removing the file association will prevent double-click execution, users might be confused when they're prompted to select the program they want the system to use to run the file. A better solution is to modify file extensions so that double-clicking results in an explanatory message.

Listing 1 shows a registry file that implements this solution. This script associates .vbs, .vbe, .js, .jse, .and .shs with a file type called PossibleVirus and creates new file extensions: .vbs!, .vbe!, .js!, .jse!, and .shs!. The script associates the new file extensions with the original file types. By default, the PossibleVirus file type causes the system to open Notepad to a text file on the file server (i.e., VirusWarning.txt in Listing 1). Listing 2 shows an example text file. Right-clicking one of the new file types lets users open the file in Notepad or print the file. These options let knowledgeable users and support technicians analyze the file without spreading a virus.

In Listing 1, modify the line that lists VirusWarning.txt; replace Server and Share with the name of the server and share on which you store VirusWarning.txt. Because of the way regedit works, you must leave double backslashes in Listing 1. Save the script as VirExt.Reg, and double-click the file. When prompted about whether you want to add the information to the registry, click Yes. Save Listing 2 as a text file named VirusWarning.txt to the location you specified in Listing 1.

Then, when the Help desk gets a call from a user who received the warning message, the Help desk examines the file. If it's virus-free and the user needs to access it, the Help desk renames the file by adding an exclamation point to the end of the file extension. Then, the user can execute the file by double-clicking it.

—Chris Taylor
[email protected]