When I arrived at work on the morning of May 4, the VBS/LoveLetter virus warnings were already spreading from overseas to local mailboxes. Also waiting in my inbox was a sanitized version of the virus that the corporate antivirus software had caught. A quick analysis of the situation led me to the conclusion that proper systems configuration would have prevented this outbreak.
This viral attack closely follows the publication of my article "A Viral Survival Checklist" (May 2000). The irony is that this type of attack isn’t new; it has been exploited in other viruses. The exploitation relies on a flaw in the way that Windows displays .vbs files. For example, the VBS/Fool virus sent a VBScript file called mypicture.bmp.vbs, which appeared as mypicture.bmp to the recipient. The recipient then assumed that the file was a bitmap graphic and not executable code. This type of exploitation is known as social engineering—that is, the virus author attempts to gain trust by leveraging what is supposed to be a technological feature. As a matter of policy, most security experts choose not to warn of specific attacks or exploits because those warnings can instead educate those who might initiate an attack.
Some of the potential for people being fooled by viruses results from the default Windows configuration. The default setting for Windows Explorer is Hide file extensions for known file types, as Screen 1 shows. As a result, filename.txt.vbs appears as filename.txt. As always, until you fix the underlying problem, you’ll be vulnerable to the first attack. I recommend virus scanning software as a viral survival step, but this software can’t prevent the first outbreak until it knows the viral signature and places it in the scanning database.
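The double-extension trick described above is easy to flag on a mail gateway or file share before a user ever sees the name. The following script is an added example and is not code from the original article: it reproduces what Explorer shows when "Hide file extensions for known file types" is on, and reports attachment names whose visible part still looks like a document. The script-extension list (mirroring the ProgIDs the article's virusfix.reg covers) and the benign-looking list are my assumptions; the sample attachment names are constructed.

```python
"""Flag attachment names that rely on Explorer hiding the real extension.

Added example, not from the original article. The extension lists and the
sample attachment names below are constructed for illustration.
"""
import os

# Extensions the Windows Script Host or the shell executes on double-click.
# Assumption: this list matches the ProgIDs covered by virusfix.reg.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Extensions a recipient reads as harmless data when the real one is hidden.
# Assumption: a site would extend this list to its own common document types.
BENIGN_LOOKING = {".txt", ".bmp", ".jpg", ".gif", ".doc", ".xls", ".htm", ".html", ".zip"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the last extension is stripped, so mypicture.bmp.vbs reads as mypicture.bmp."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename: str) -> str:
    """Return 'deceptive', 'script', or 'ok' for one attachment name.

    'script'    : the file would execute but its name does not pretend otherwise
    'deceptive' : the name Explorer would display still ends in a document-like
                  extension, so the double extension is doing social-engineering work
    """
    root, ext = os.path.splitext(filename)
    if ext.lower() not in SCRIPT_EXTENSIONS:
        return "ok"
    _, shown_ext = os.path.splitext(root)
    if shown_ext.lower() in BENIGN_LOOKING:
        return "deceptive"
    return "script"


def scan(filenames):
    """Map each filename to its verdict; a gateway can quarantine 'deceptive' ones."""
    return {name: classify(name) for name in filenames}


# Constructed sample attachment names; the first two echo the article's examples.
SAMPLE_ATTACHMENTS = [
    "mypicture.bmp.vbs",
    "filename.txt.vbs",
    "report.doc",
    "logon.vbs",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:9s} {name!r:24} shown as {displayed_name(name)!r}")
```

The check deliberately keys on the displayed name rather than on the script extension alone, because a plain logon.vbs is an ordinary administrative file, whereas filename.txt.vbs exists only to mislead the person reading the attachment list.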
Let’s focus on how to resolve the source of the problem. These types of viruses exploit two security holes:
- The way in which Outlook handles attachments
- The default file association settings in Windows
Outlook provides attachment security settings in the Options dialog box, which Screen 2 shows (access the Options dialog box from the File menu). Click Attachment Security to view the recommended Outlook attachment security settings, which Screen 3 shows. When you set attachment security to None, scripts automatically execute when you open the attachment, potentially launching a viral attack. By setting attachment security to High, you instead receive a warning and must save the file to disk. If you've installed desktop antivirus software and it's up-to-date, saving the file will catch a known virus.
Next, let’s address the default file association settings in Windows. Windows associates .vbs files with the Windows Script Host (WSH) executable wscript.exe. To prevent .vbs files from executing by default, open the Windows Explorer Folder Options dialog box, which Screen 4 shows, and click the File Types tab. Scroll down to the extension for .vbs in the Registered file types list. Click Advanced to edit the actions associated with this extension. Screen 5 shows the Default settings for the .vbs file extension. Notice two things here: First, the Always show extension check box is clear, and second, the action is Open by default. On my system, I’ve modified these settings by selecting the Always show extension check box. I’ve also changed the default action to Edit by selecting that action from the list and clicking Set Default. Because the default action now launches Notepad, I must right-click the .vbs file and choose Open to run the file.
I’ve made the same changes for the file extensions that Table 1 lists. You can export these changes from the Registry (in regedt32, select the key, then choose File, Save As) and distribute these settings in the form of a .reg file. Windows clients can double-click the .reg file to load the settings automatically and modify the following keys. Here’s a list of a .reg file’s (virusfix.reg) contents that you can import into the Registry to change the default action for active scripts to Edit. Create the .reg file by typing the following text into Notepad (regedit expects the REGEDIT4 header line first). Save the file as virusfix.reg, and run regedit /s virusfix.reg (the /s parameter tells regedit to accept the changes in Silent mode).
REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\VBEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSFFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSHFile\Shell]
@="Edit"
After you enter the settings in Windows Explorer or import the .reg file, the entries in these Registry keys will have Edit as the value data for the (Default) value name in the Shell key.
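Before pushing a .reg file to every client, it is worth checking that it really sets Edit as the Shell default for each script ProgID, and that no type was left out. The following parser and audit routine is an added example, not code from the article: it reads the REGEDIT4-style text of virusfix.reg and lists any ProgID whose Shell default is missing or is not Edit. The embedded copy of virusfix.reg and the deliberately incomplete second file are constructed for the example; the ProgID list is the one the article uses.

```python
"""Audit a .reg file for the 'default action = Edit' fix on script file types.

Added example, not from the original article. The .reg text below is a
constructed copy of the article's virusfix.reg; PARTIAL_REG is a constructed
file that forgot several types, to show what the audit reports.
"""
import re

# ProgIDs the article's virusfix.reg covers.
SCRIPT_PROGIDS = ["VBSFile", "VBEFile", "JSFile", "JSEFile", "WSFFile", "WSHFile"]

VIRUSFIX_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\VBEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSFFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSHFile\Shell]
@="Edit"
"""

# Constructed: a file that covers only two types and leaves JSFile on Open.
PARTIAL_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Open"
"""

_VALUE_LINE = re.compile(r'^(@|"([^"]*)")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg file.

    '@' is the (Default) value name, exactly as the .reg format writes it.
    Only REG_SZ-style "quoted" data is decoded; other types are kept verbatim.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue                      # blank line or file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            keys[current][name] = data
    return keys


def shell_default(keys, progid):
    """The (Default) value of HKCR\\<progid>\\Shell, or None if the key is absent."""
    return keys.get(rf"HKEY_CLASSES_ROOT\{progid}\Shell", {}).get("@")


def audit(text, progids=SCRIPT_PROGIDS):
    """Return the ProgIDs whose Shell default is not 'Edit' (empty list = compliant)."""
    keys = parse_reg(text)
    return [p for p in progids if shell_default(keys, p) != "Edit"]


if __name__ == "__main__":
    print("virusfix.reg non-compliant:", audit(VIRUSFIX_REG))
    print("partial file non-compliant:", audit(PARTIAL_REG))
```

Run the audit against the file you intend to distribute; an empty list means every script type in the list will open in the editor, which is the state the article describes for the Shell key's (Default) value.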
If the first people who received this virus had had their default .vbs settings set to Edit, the virus wouldn’t have propagated. A properly configured system can assist a properly educated workforce in preventing future exploitation.