Kernal32
join:2001-03-27 11111
Virus/VBS
OK, maybe somebody can answer this one.
Viruses that arrive via e-mail with a .vbs extension, like puppy.jpg.vbs for example: would that automatically execute just by opening the e-mail, or by using the preview pane in OE, or by using the preview pane in OE while browsing Usenet?
I was under the impression you'd have to actually open the attachment and double-click it in order to become infected. -- Tell me who you keep company with and I'll tell you whether you make a good team
graffixx Premium,ExMod 2001-03 join:2000-07-27 San Gabriel, CA clubs:
said by Kernal32: I was under the impression you'd have to actually open the attachment and double-click it in order to become infected.
Yes, that is true. Although someone plz correct me if I am wrong. I'm using Outlook and I get them once in a full moon. I'm using preview also, so it shows the attachment, but I don't click on the attachment.
Rxdoxx Premium,Mod join:2000-11-03 Middle River, MD clubs:
·Verizon FIOS
·Comcast
Host: Software Washington & Balti..
reply to Kernal32: R2 posted an intriguing possibility in this thread: »WSH ?? (the program link is posted earlier in the thread). Have gotten the program and set it up, tested it with my freemem.vbs button that I have, and it jumped right on it and allowed me to say that one is safe. Hope I never really need it, but it looks like another nice level of protection for us. -- Voted lately? Vote DSLReports UP
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
reply to Kernal32: There are some viruses that can run when an email simply arrives on your computer. You do NOT have to open or preview the message for the code to run. HOWEVER, I do NOT think that *.vbs files are the basis of these viruses.
I am fairly sure that *.vbs viruses require you to double-click on them to run. HOWEVER, I think that .vbs is one of the extensions that Windows HIDES unless you tell it not to. So, I can send you a file entitled picture.jpg.vbs and you would see it as "picture.jpg". Since everyone knows that jpg files don't contain viruses, you might double-click that to see the picture and BAM! You have been stung by the virus.
There are two free levels of defense. The newest version of ZoneAlarm (2.6.88) has MailSafe with an extended list of files that it will quarantine before it runs them. All of the Windows Scripting Host extensions are included, plus several more potentially dangerous extensions.
ScriptSentry will catch all the WSH files that might get on to your computer by other routes (floppy disks, downloads). Using both is your best defense.
Bobcat Premium join:2001-02-04 Bedminster, NJ
Why not uninstall Windows Scripting Host? That's what I did. Most users don't even need the silly thing. -- Earthlink/Mindspring/Covad DSL 1.5M/384k; Avg speed 1265k/325k
Kernal32
join:2001-03-27 11111
Thanks to everybody for the info. I did install ScriptSentry, and checked to make sure my virus scanner scans e-mail attachments.
I was going to just uninstall WSH, but several places like ZDNet say it could possibly cause problems. I was kinda scared to remove such an integral part of Windows.
I don't need any crashes!! But you all had great info/links and advice; I appreciate it greatly!! :) -- Tell me who you keep company with and I'll tell you whether you make a good team
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
reply to Bobcat: Some people say to just delete WSH -- but then you never have the option to use it. It is akin to deleting Word because you might get a Word macro virus. There are good ways to control WSH and still have it available if you want it...
RadRick
join:2001-01-31 Pflugerville, TX
reply to Kernal32: Ya, I just have the email virus scanner strip and quarantine all attachments with the .VBS extension on the inbound IMS scan before they are even deposited in the email private information store.
But, I guess everyone doesn't have their own Exchange server.
laterz, rick
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
reply to Kernal32: Well, as others mentioned, you really don't need your own Exchange server to do that. All you need is free ZA.
As for the extensions, it is a good idea to set Windows Explorer to show all extensions. Go to View --> Options in Explorer and make sure "Hide file extension for known file types" is unchecked; otherwise you won't be able to see the main extension of files such as file.jpg.exe or file.jpg.vbs etc... The reason is that Windows Explorer considers the first three characters after the dot to be the extension and it will not show the rest.
However, even if the extension is hidden, Windows will show the icon that's related to the main extension. This means that file.txt.vbs will not show you the Notepad or WordPad icon; you'll see a VBS icon for that file, and that should give you the hint. It's a good practice to save all attachments to the desktop before attempting to open them. This way the icon will be much larger and easier to notice. -- You can catch the Devil, but you can't hold him long.
Enigmarator
@61.12.x.x
reply to Kernal32: OK, here are two scenarios. The file can be an attachment, yes - meaning that the user will have to double-click the attachment for the file to execute. The second one is that the e-mail can FORCE the attachment to execute (if you have the preview pane on).
There is an 'html generator' by the name of GodWill which can alter/create html pages so that it can forcefully execute the attachment.
Now with regards to the first scenario, I recommend that you download WormGuard from »wormguard.diamondcs.com.au - that will stop any files that have hostile code inside (such as vbs) and also warn if the file has multiple extensions.
Here's something for you folks: go to Explorer, and create a file in Notepad called testing.txt
Now rename the file so it's 'testing.txt.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}'
Notice that the '{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}' extension disappears when you press Enter? You are now left with 'testing.txt'; however, the file doesn't open in Notepad. You have just created an HTA file which can execute hostile code when run.
You can do this with any other CLSID - just look for them in your registry - there's another one for PIF files as well.
Hidden extension - another Guninski vulnerability.
Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
Host: Security Product V.. Security
That's a very good point that was recently discussed in another thread. The extension you provided, however, was not discussed and is a very good point. Extensions of that type will not show at all even if you specify Explorer to show all extensions.
Thumbs up for you, and you should consider registering and contributing more often. -- You can catch the Devil, but you can't hold him long.
RadRick
join:2001-01-31 Pflugerville, TX
reply to Wildcatboy: said by Wildcatboy:
Well, as others mentioned you really don't need your own Exchange server to do that. All you need is free ZA.
Ya, but that's letting the virus actually get to the inbox to be opened. I prefer it never reach the recipient.
ZA will do in a pinch if that's all you got, I guess.... neener neener ...:) I'm kidding
rick
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
reply to Wildcatboy: WCB, I agree with all you stated two posts above -- I have posted that same information in the past. Yes, you should make sure *all* file extensions are shown -- as much as possible (some are STILL excluded, e.g., .lnk). Also, while you are in Folder Options | View, make sure you check "Display the full path in title" and "Show all files".
You also need to make sure that your email program is set up to warn you about directly running attachments. An earlier Outlook patch (not the recent horrible one) did this for many attachments. It was entitled "Outlook98 Attachment Security Patch" (O98Attch.exe) and I think it is still available from MS. [I have it -- if someone wants it, IM me.]
Alternatively, I *think* you can manually set these for EACH file type in Folder Options | File Types | Edit | "Confirm open after download" -- but that is quite labor intensive.
The icon issue is correct -- as long as you *download* the file to your computer first. This is ALWAYS the correct way to treat attachments. I then personally run a virus scan on any attachment before I open it.
Not all email programs show attachment icons -- some just show the name of the attachment. And many users simply choose to open attachments from within their email client -- wrong! Additionally, I guess it could be possible for a virus to alter the DefaultIcon entry in HKCR -- all that would take would be running a .reg file first. So I am not 100% sure I would trust the icon.
Regardless, having ZA MailSafe and Jason's ScriptSentry (or other similar programs) should provide a fairly good level of security. Both of these prevent .reg files and .vbs files from running directly -- you are given ample warning.
Now to test to see if ScriptSentry catches the CLSID trick -- I DOUBT it, but it is worth a try. If the CLSID can be used this way, then these 'security' programs should be altered to block this type of behavior as well! [text was edited by author 2001-05-10 10:48:24]
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
reply to Kernal32: Good news. I created a bogus file entitled 'testing.txt.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}'. When I tried to run it, ScriptSentry intercepted it and prevented it from running. Next I will email it to myself.
OK, ZA MailSafe did not catch the CLSID as being something dangerous. HOWEVER, the funny extension (the CLSID) DID appear in the attachment's name -- thereby informing me that this is not simply a .txt file. And, of course, the ICON is the DefaultIcon for unknown file types -- the white paper with the Windows symbol on it. So it is clearly not a simple .txt file. [text was edited by author 2001-05-10 10:46:36]
Bobcat Premium join:2001-02-04 Bedminster, NJ
·Verizon Online DSL
What about setting Outlook Express to use the IE "Restricted Sites" zone for email messages? I believe that disables scripts that arrive via email. (I'm not 100% sure.) -- Earthlink/Mindspring/Covad DSL 1.5M/384k; Avg speed 1265k/325k
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
I think that only protects you from running script from within HTML email -- not from an attachment. I have this for Outlook, but I can still get .vbs attachments.
I found the settings for the Outlook98 Email Attachment Security. It is in Tools | Options | Security Tab | Secure Content | Attachment Security. I do not think this option exists until you run the patch for Outlook98 that I described above.
ws Premium join:2000-01-02 I'm here clubs:
reply to Kernal32: Remove any file association with *.vbs in your file/folder options. That's what I did on all computers in my office. --
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
reply to Kernal32: Removing the association for *.vbs is not the answer. This only disables ONE of the WSH extensions. You need to do that for ALL WSH extensions -- plus for scrap files, REG files, HTA files, etc. -- and also the CLSIDs!! (as above)
Instead of going to that much trouble, get ZoneAlarm and ScriptSentry -- it is much easier.
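The hidden-extension tricks discussed in this thread (the picture.jpg.vbs double extension, Enigmarator's testing.txt.{CLSID} rename that Explorer never displays, and the full list of WSH, HTA, REG and scrap types in R2's post just above) all reduce to one defender's check: judge an attachment by the extension Windows actually dispatches on, not by the name the recipient sees. The following Python is an added example of that check as a mail-gateway or desktop filter might run it; it is not code from anyone in this thread or from any product mentioned here. The extension sets, the sample attachment names and the approximation of what Explorer displays are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Directly runnable types named in this thread: the Windows Script Host
# family, HTML Applications, registry merge files and shell scrap objects,
# plus the usual program/launcher extensions. Constructed for the example.
RISKY_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",  # WSH script types
    ".hta",                                          # HTML Application
    ".reg",                                          # registry merge
    ".shs", ".shb",                                  # shell scrap objects
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".lnk",
}

# Extensions a recipient reads as harmless data, the decoy half of
# "puppy.jpg.vbs". Constructed for the example.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".zip"}

# A trailing ".{GUID}" is a CLSID extension; Explorer removes it from the
# displayed name regardless of the "hide extensions" setting.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.IGNORECASE
)


@dataclass
class Verdict:
    name: str           # attachment name as it arrived
    displayed_as: str   # approximation of what Explorer shows the recipient
    effective_ext: str  # extension (or CLSID) Windows actually dispatches on
    reasons: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def assess_attachment(name: str) -> Verdict:
    """Judge one attachment filename the way a mail-gateway filter might.

    The CLSID suffix is split off first, then the dot-separated extension
    chain is walked, so the decision rests on the extension that runs, not
    on the one the user sees.
    """
    reasons: List[str] = []
    visible = name.strip()

    clsid = CLSID_SUFFIX.search(visible)
    if clsid:
        effective = clsid.group(0).lower()
        visible = visible[: clsid.start()]
        reasons.append(f"CLSID extension {clsid.group(0)} is never displayed")
    else:
        effective = ""

    # "puppy.jpg.vbs" -> [".jpg", ".vbs"]
    parts = visible.split(".")
    exts = ["." + p.lower() for p in parts[1:] if p]
    if not effective:
        effective = exts[-1] if exts else ""

    if effective in RISKY_EXTENSIONS:
        reasons.append(f"{effective} is a script/launcher type")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension: {exts[-2]} masks {exts[-1]}")

    # With "Hide file extensions for known file types" on, Explorer drops the
    # last registered extension. Assumption: everything in the two sets above
    # is registered; unregistered extensions stay visible.
    displayed = visible
    if not clsid and exts and exts[-1] in RISKY_EXTENSIONS | DECOY_EXTENSIONS:
        displayed = visible[: -len(exts[-1])]

    return Verdict(name, displayed, effective, reasons)


def flag_risky(names: List[str]) -> List[str]:
    """Attachment names from a batch that a gateway should quarantine."""
    return [n for n in names if assess_attachment(n).risky]


# Constructed sample attachment names; none refer to real files.
SAMPLE_ATTACHMENTS = [
    "puppy.jpg.vbs",
    "testing.txt.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}",
    "quarterly_report.pdf",
    "freemem.vbs",
    "holiday.jpg",
    "setup_notes.txt.vbe",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = assess_attachment(n)
        status = "QUARANTINE" if v.risky else "ok"
        print(f"{status:10} {n!r:52} shown as {v.displayed_as!r}, runs as {v.effective_ext or '-'}")
        for r in v.reasons:
            print(f"{'':13}- {r}")
```

Running it shows the gap R2 describes: puppy.jpg.vbs and the CLSID-renamed file both display as harmless names while dispatching to a script or HTA handler, and a .vbe arrives untouched by a filter that only knows about .vbs. The point of the design is that the filter never consults the displayed name when deciding; it only reports it so an analyst can see what the recipient would have seen.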
DelaWhere_Steve
join:2001-03-21
reply to ws: said by FatFree: Remove any file association with *.vbs in your file/folder options. That's what I did on all computers in my office.
This worked for me. Good suggestion FF. -- "The end cannot justify the means, for the simple and obvious reason that the means employed determine the nature of the ends produced." Aldous Huxley 1894-1963
R2 R Not Premium,MVM join:2000-09-18 Long Beach, CA clubs:
Great, so I will just send my virus with a .vbe extension, and oops, you've been had. You guys are missing the point and are deluding yourselves... but that is your prerogative. [text was edited by author 2001-05-10 14:33:52]