Privacy Software Corporation Security Advisory
Friday, May 5, 2000
 
EXTREME RISKS IN MICROSOFT VBS SCRIPTING HOST

SYNOPSIS:

The emergence of the "ILOVEYOU" worm (also known as the "Love bug"), together with, as of this writing, four additional variations of the exploit and the likelihood of many more advanced exploits of the dangerous security flaws in Microsoft's Visual Basic script hosting facilities, has resulted in our firm determination that the "VBS Hosting component" of Internet Explorer presents a grave danger to all computer users, one that cannot be remediated and must be removed. In our experience designing products to protect users of the Internet Explorer browser, we have seen very few cases where the VBS Hosting facilities of Internet Explorer were used for anything other than spreading email worms such as Pretty Park, Melissa and similar worms, which exploit the ability of this facility, designed for web enhancement, to gain full and complete control of any computer it is installed on. This particular scripting worm is a watershed event.

In our expert opinion, this facility provided by Microsoft constitutes too extreme a danger to remain on computers, and it should stay off them until Microsoft is persuaded to fix or remove this functionality from Internet Explorer and from the Windows operating system, where its presence is a direct result of "browser/OS integration." VBS scripting and ActiveX have been a longstanding security flaw in Internet Explorer, resulting in nearly weekly reports of new "security holes" which cause consumers "significant harm." While ActiveX is just as dangerous as VBS scripting, Microsoft provides no warning before simply running these dangerous scripts, and no opportunity to stop VBS scripting from doing its damage as is offered for some ActiveX controls. No "hooks" to prevent it are provided either.

The Microsoft "VBS Hosting" facilities give web sites the same capabilities as remote-control trojan horses, without the need to implant an executable "trojan horse" program. Anyone with minimal skills can compose a simple script, embedded in a web page or in email, that wreaks havoc on any computer that visits the site or opens the email containing the VBS script, using the operating system itself as a weapon against the user and often against whole networks to which the computer is connected. The "ILOVEYOU" worm contains code that has been seen before in "Melissa" and in "PrettyPark," so this is not a new problem, merely another variation of a longstanding exploit. The vast majority of "internet worms" which have caused untold damage to millions of computers can function only through these scripting facilities.

If the "Windows Scripting Host" is removed, email worms of this kind, whether delivered through Internet Explorer, Microsoft Outlook or other email programs that use the Microsoft VBS components, can no longer pose a risk. While Microsoft's Outlook email programs are the primary "infection vector," email software from other vendors is at risk as well. If your email program lets you view HTML content or inline attachments without opening them separately, you are at risk, because these other email programs use Microsoft's code; the vast majority of recent email programs do, while many older versions do not. If your email software includes a "preview" facility for attachments or pictures, these scripts can run even if you never opened the email. This vulnerability extends to the Windows file explorer as well, owing to the "browser/OS integration" that seeps into every corner of the Windows operating system.

In our 1997 filing with the Federal Trade Commission, we warned of this potential, which is now being routinely exploited precisely as we predicted. Users of our IEClean product can shut down these facilities by selecting "Refuse java and javascript" and "Refuse ActiveX" in the OPTIONS tab of IEClean; no additional steps are needed, as IEClean disables these functions once that selection is made. Those who do not own our IEClean product are STRONGLY urged to remove the Microsoft Visual Basic Scripting (VBS) Hosting facilities, as NO antivirus program will be able to protect you: VBS scripting worms spread too quickly, and antivirus software depends on matching "known patterns" against new threats, so new "viruses" elude detection until they become "known."

The recent outbreak of "ILOVEYOU" is just another example of how VBS Hosting exploits escape antivirus protection until after the fact. This security problem has earned our "highest risk" level of concern. Even our BOClean product cannot protect against it, because the "trojan" is the Windows operating system itself as "integrated" by this dangerous facility, and because the worm is a SCRIPT rather than an executable program. For your safety, VBS scripting must be purged from Windows itself, since the operating system as configured by Microsoft, not "hackers," is the "infection." In other words, the "infection" was placed by a "trusted source with a certificate from Verisign" and was therefore deemed safe. By deferring to that trust, VBS Hosting declared the worms "trusted sources" and allowed them to run.

We have studied the "ILOVEYOU" script extensively and tested variations of it in our laboratories. In our testing, we were able to render several hard drives unrepairable and even wrote one that overwrote Windows with another operating system. A combination of this with, for example, Melissa's or Pretty Park's source code, absent any "creativity," would result in extreme damage. Current antivirus technology is reactive, not proactive, and cannot be counted on to protect against future variations on these exploits of VBS Scripting. This is the reason for such a drastic recommendation on our part. When we first became aware of this worm on Thursday, we examined it planning to add it to our BOClean product, until we realized the futility of doing so. Removal of the scripting host is the only certain method of protection, because the scripting host itself is the problem.

MANUAL REMOVAL OF VISUAL BASIC SCRIPTING HOST:

In most cases, the VBS Hosting facility can be removed through the Control Panel reached from the Start button. In our sample testing of our 138 "lab rat" machines, however, 27 of the machines did NOT present VBS Hosting as a removable option in the Control Panel even though the host WAS installed. The removal instructions below therefore cover both removal through the Control Panel and a MANUAL removal process for use when the Control Panel does not show "Windows scripting host" as a removable option.

To remove VBS script hosting through the Control Panel, follow these instructions:

1. Click on the Start button and select SETTINGS.
2. From the listing which appears, select CONTROL PANEL.
3. Select "Add/remove programs" or "Add/remove software."
4. A box will appear. Click on the "Windows SETUP" tab.
5. When the list appears, click once on "Accessories" to highlight it.
6. Click on the "Details" button below.
7. Look for "Windows scripting host" among the entries.
8. If the box next to the entry is checked, UNCHECK it.
9. Click on OK to remove the "VBS Hosting" facilities.
10. Once VBS Scripting is removed as advised here, Windows will no longer respond to dangerous script attachments in email or from websites. The only remaining risk is attachments containing executable programs, which our BOClean product protects against.

To remove VBS script hosting manually, follow these instructions:

1. Run the Windows File Explorer. Depending on the version of Windows you are running, you may or may not be able to see all files in the \WINDOWS and \WINDOWS\SYSTEM folders. If you have difficulty seeing ALL files (including hidden and system files), please contact MICROSOFT for support on how to make hidden or system files visible. We cannot provide authorized support on behalf of Microsoft.
2. Go to the WINDOWS folder on your hard disk (usually on the C: drive).
3. Remove the following files if found. If the files are NOT found, it may be because your Windows File Explorer is configured NOT to show "hidden" or "system" files; you need to configure it to "show ALL files." If you need assistance in doing this, contact Microsoft.
   In the \WINDOWS folder:
     WSCRIPT.EXE
     CSCRIPT.EXE (this file may not exist on all machines)
4. Now move down to the \WINDOWS\SYSTEM folder.
5. Remove the following files if found:
   In the \WINDOWS\SYSTEM folder:
     WSHEXT.DLL
     VBSCRIPT.DLL
     WSHOM.OCX
     SCRRUN.DLL
6. Removal of some of these files may cause other scripts in MS Office products to stop working when scripts are posted to websites. Our own testing did not encounter any problems. We are certain that only a few of the files listed above are the actual culprits; however, Microsoft does NOT disclose details of its system to outside companies, so the brute-force method is strongly encouraged in the absence of useful documentation from Microsoft. All of the above files are part of the VBS Scripting subsystem and therefore should be removed.
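As an added check (not part of the original advisory or of Privacy Software Corporation's products), the script below audits a Windows folder for the six files named in the manual procedure and records a SHA-256 of any that remain, so the state before and after removal can be verified rather than judged by eye in Explorer. It assumes the \WINDOWS and \WINDOWS\SYSTEM layout the advisory describes and takes the Windows folder as its first argument; os.listdir also reports hidden and system files, so the "show ALL files" caveat does not apply.

```python
"""Audit whether the WSH/VBScript files named in the advisory remain under a Windows folder."""
import hashlib
import os
import sys

# Files the advisory lists, keyed by sub-folder: "" is \WINDOWS, "SYSTEM" is \WINDOWS\SYSTEM.
WSH_COMPONENTS = {
    "": ["WSCRIPT.EXE", "CSCRIPT.EXE"],
    "SYSTEM": ["WSHEXT.DLL", "VBSCRIPT.DLL", "WSHOM.OCX", "SCRRUN.DLL"],
}

def _sha256(path):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _find_file(directory, name):
    """Path of `name` in `directory`, matched case-insensitively as Windows does.
    os.listdir also reports hidden/system files, so Explorer's 'show ALL files' caveat does not apply."""
    try:
        entries = os.listdir(directory)
    except (FileNotFoundError, NotADirectoryError):
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            path = os.path.join(directory, entry)
            return path if os.path.isfile(path) else None
    return None

def audit_wsh(windows_dir):
    """Map each listed component (path relative to windows_dir) to its SHA-256, or None if absent."""
    report = {}
    for sub, names in WSH_COMPONENTS.items():
        folder = os.path.join(windows_dir, sub) if sub else windows_dir
        for name in names:
            path = _find_file(folder, name)
            report[os.path.join(sub, name)] = _sha256(path) if path else None
    return report

def wsh_present(windows_dir):  # True while any listed component remains, i.e. removal is incomplete
    return any(value is not None for value in audit_wsh(windows_dir).values())

if __name__ == "__main__":
    # Folder to audit: first argument, else %SystemRoot%, else C:\WINDOWS (assumed default).
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\WINDOWS")
    for key, digest in sorted(audit_wsh(root).items()):
        print(f"{key:<22} {'PRESENT  sha256=' + digest if digest else 'absent'}")
```

Run it once before deleting the files to keep a hash record of what was removed, and once afterwards to confirm that every entry reads "absent".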

COPYRIGHTED MATERIAL:

Copyright (c) 2000 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed from the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the "ILOVEYOU" distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this VBS worm facilitator or in the alternative, we will provide the URL where the programs can be obtained independently. A written request must be sent to Privacy Software Corporation in order for us to cooperate. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences nor can we divulge their identities under any circumstances.