Receive Exchange Messaging Outlook in your Inbox
Subscribe to EMO

Have a question?
Visit our forum

Windows Script Host and Outlook Virus Propagation



Please note: This page references older, outdated technology and is no longer maintained. As a result, links may point to documents no longer available or redirect to articles referencing newer versions. We've left it published for historical reasons and in the hope that it will benefit the few sites stilling using the older technology.


Windows Script Host (WSH) is a feature that allows you to create and run powerful scripts (similar to the DOS batch files, but better).

The destructive VBS/LoveLetter (aka ILOVEYOU) virus used Outlook messages to deliver a VBScript .vbs file payload. Not opening the file attachment is the most effective way to avoid this type of virus. However, you may also want to either disable Windows Script Host or render it incapable of automatically executing VBS files. Under Windows NT and 2000, you may not have permission to make these changes; see your administrator.

 

Disabling WSH | Changing the Default Action | Tools | More Information

Disabling WSH

In Windows 98, you can disable Windows Script Host by removing the component through Control Panel | Add/Remove Programs. Look under Windows Setup, under Accessories.

In later Windows versions, WSH is integrated into the operating system and does not appear as a removable component.

Changing the Default Action

If you want to retain the ability to run scripts when necessary, but avoid running them automatically, a good strategy is to change the default action for scripts so that they open in Notepad when you double-click them, rather than executing as scripts. Our thanks to John Halsey for this suggestion. Follow these step-by-step instructions: 

  1. In My Computer or in any Windows Explorer window, choose View | Options, then switch to the File Types tab. 
  2. Select the entry for VBScript Script File, which uses the extension VBS, and then click Edit (Advanced in Windows 2000).
  3. On the Edit File Type dialog box, under Actions, select Edit, and then click Set Default
  4. Make sure the boxes for Confirm Open After Download and Always show extension are checked. (These offer additional protection. The VBS/LoveLetter virus masqueraded as a text file on systems where extensions were not displayed by using the file name LOVE-LETTER-FOR-YOU.TXT.vbs.)
  5. Click OK to return to the File Types tab.
  6. Repeat Steps 2-5 for these other scripting file types, if you find them in the Registered file types list: 
  7. JScript Script File (extension JS)
  8. JScript Encoded Script File (JSE)
  9. VBScript Encoded Script File (VBE)
  10. Windows Script File (WSF)
  11. Click OK to save your changes. 

After you change the file type associations, double-clicking one of these files or opening it from inside an Outlook message will display the file in Notepad. When you need to run one of these scripts, you can right-click it and choose Open from the popup menu. 

For more information, see:

  • Information on Preventing Certain Types of Software from Running Automatically
  • Tools

    A variety of applications have emerged in the wake of VBS/Loveletter to scan for malicious script content as scripts are executing. We are not tracking these general applications, which you can find at your favorite Windows shareware download site. 

    These are Outlook-specific tools:

    ScriptCheck Outlook 2000 COM addin that notifies users of script file attachments in the Inbox

    More Information

    Also see:
  • Protecting Microsoft Outlook against Viruses
  • This page is printer friendly
    
    Copyright Slipstick Systems. All rights reserved.
    Send comments using our Feedback page

    Back to Top