Site icon Ryadel

Disable Windows Script Host (WSH) to block .VBS malware

CryptoLocker, Locky e altri Ransomware: come eliminarli dal sistema e recuperare i file infetti senza pagare il riscatto

Acces to data locked in a virtual world network.

Windows Script Host (or WSH) (also known as Windows Scripting Host) is a scripting language shipped with all major Windows and Windows Server distributions since Windows 98. Scripts made with WSH (which usually have VBS extension, since they are primarily written in VBScript) are usually more powerful and versatile than batch files (.BAT extension) and, for a certain period, they have been used within most software installation processes to carry out various system configuration activities. WSH is a language-independent system, as it allows you to write code using different script engines including VBScript (default), JavaScript, Perl and more.

Unfortunately, the great potential and versatility of the Windows Script Host eventually led most hackers and black-hat developers to use it to develop malicious script-based computer viruses and malware. A WSH script can automate almost any operation normally performed by Windows and can be launched with a single click, thus making it the perfect tool to be used in the e-mail spamming / e-mail phishing campaigns, where multiple fake invoices are sent to a wide amount of users  hoping that some of them would "double click" on them, thus activating the malware. For this reason, the mere presence of a .VBS file directly attached to an e-mail or "hidden" in a .ZIP archive should alarm the user and block any impulse to open it - or, better said, to have it run against your system.

The good practice of never opening e-mail attachments with unknown or potentially dangerous file extensions is well-known among IT experts since year, and - also as a result of the threat due to the widespread spread of Ransomware - it finally begins to spread even among less experienced users: it is no coincidence that paying close attention to attachments received via e-mail (especially "invoices" and administrative / accounting documents) is one of the main tricks recommended by all experts and computer security sites (we have talked about them here).

Despite this, unfortunately there are still many users who, either because of their habit of clicking or distraction, continue to make mistakes of this type, which have the unfortunate result of causing execution of VBS scripts on your machine. The fact that it is not an EXE file should not be misleading: it is, as mentioned, scripts that take advantage of an extremely powerful and therefore potentially very dangerous Windows feature, which deserves the maximum attention in terms of prevention - and, even more so, in the unlikely scenario of an erroneous execution.

How to prevent VBS files from running

Given the above picture, the system administrator can definitely consider disabling the Windows Script Host feature on all client and / or server PCs for security reasons: this is certainly a good practice especially if this language is not used intensively , which is true in most cases. The blocking of the WSH function will prevent the execution of files with .VBS extension, which will then become "harmless" text files on all PCs subjected to this treatment.

Here are the steps to be taken to disable the Windows Script Host (WSH) functionality for the current user (step 2-3) and / or for all users (steps 4-5):

  1. Press the WINDOWS + R keys, then type regedit to open the system registry in edit mode.
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\
  3. Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.
  4. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\
  5. Create (if it doesn't exist already) a new REG_DWORD key, call it Enabled and assign a value of 0 (zero) to it.

The VBS execution block should now be effective: in order to test it, create a test.vbs file on the desktop and try to run it. If everything has been done correctly, you should see the following warning message appear in a popup window:

Windows Script Host access is disabled on this machine. Contact your administrator for details.

Disable Windows Script Host (WSH) to block .VBS malware

Needless to say, to bring back such functionality you just need to delete the Enabled registry key (or change its value to 1).

What to do if a harmful .VBS file is executed

In the event of an "unexpected" execution of a potentially harmful .VBS file it is certainly advisable to carry out the following precautions:

  • Make a copy of the VBS file (without executing it) and scan it online with a tool like VirusTotal: this will allow you to identify the threat, a fundamental prerequisite for any subsequent "erase" or "cleaning" strategy. Needless to say, take special care not to execute that file while handling it! To lower the risk - for you and other users - we strongly recommend renaming it with a harmless extension (eg .TXT or .BAK).
  • Perform a system scan with an available AntiVirus tool (Bitdefender, Kaspersky, Avira, Avast, etc.). If you do not have paid versions or active subscriptions, you can download and install one of the many free versions made available by the developers of the aforementioned products. Just be sure to download the executables only from the official sites and update the antivirus database to the latest version before starting the scan.
  • Perform an additional system scan with the Trend Micro Anti-Threat Toolkit offline installer version (32bit or 64bit, depending on your system CPU architecture). This is the software that gave us best results for scanning and removing the most dangerous malware (rootkits, ransomware) distributed through .VBS scripts.

In addition to performing the above-mentioned countermeasures, it is advisable to take a general look at the system to identify suspicious files and/or potential threats, including: files with strange or wrong extensions, unknown text files, performance drops, application crashes, and anything else that could unveil ransomware activities being in progress. We also advise you to read the following posts and perform the suggested best practices:

Conclusion

That's it for now: given the widespread distribution of VBS viruses and malwares attached to e-mails throughout the whole Europe, we can only recommend to preventively disable WSH to all system administrators, unless explicitly required by specific scenarios.

 

Exit mobile version