  1. #1
    New Lounger
    Join Date
    Apr 2002
    Location
    Pennsylvania
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Email viruses a la GUNINSKI (All)

    My solution to the problem of embedded <class ...> tags in Office products raising havoc: I disable all scripting by renaming the file c:\winnt\system32\WScript.exe to WScriptGene.exe (the path is for WinNT or Win2000).

    Any file with my name in it is easily located to rename it back if I must use scripting for a few minutes. I document such moves in a file that I call "System modifications".

    My only caution is that when you install new software, it may add WScript.exe back into that directory.

    Simple. Draconian. Effective.

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Email viruses a la GUNINSKI (All)

    Apparently not all exploits use that .exe, or I have to restart my computer to make that effective (I did restart IE).

    The Guninski demo ran happily even though I renamed WScript.exe to WScriptblahblah.exe. The code it uses appears to use scripting that runs through the IE scripting engine; perhaps this is independent of WScript.exe? The attached sample demonstrates what I mean. Private message me for the password.

    Please see my post on the Outlook board for more information.

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Email viruses a la GUNINSKI (All)

    Or maybe my problem is that no matter how many times I try to rename it, IT KEEPS COMING BACK!!

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Email viruses a la GUNINSKI (All)

    You need to rename the deepest file first - probably in dllcache. See the notepad thread for more info.

  5. #5
    New Lounger
    Join Date
    Apr 2002
    Location
    Pennsylvania
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Email viruses a la GUNINSKI (All)

    Mary J is right about dllcache. It has a copy too, and is hit first if you don't delete it. I just plain forgot to say that.

    And shame on me for not specifying the environment in which I did my testing. It was last year after I was bitten by the ILOVEYOU virus. I run a rather Microsoft-phobic environment. I use Netscape, not IE, and I use GroupWise, not any Microsoft mailer programs. Still, script viruses are a problem in my environment too, because they use WScript.exe.

    It's not good news to learn that Word and Excel execute scripts without WScript.exe.

    That was my first post. Now I know enough to dot i's, cross t's. You folks are good.




    -----------
    "The last time I took advice, it only worked because I changed it."

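The thread's points about the rename coming back and about the second copy in dllcache can be checked with a small audit, shown here as an added example that is not code from any poster. It assumes the layout named in the thread (system32 and a dllcache folder beneath it under the Windows directory); the function names and status strings are hypothetical.

```python
import os

SCRIPT_HOST = "wscript.exe"  # the binary the thread renames


def find_copies(directory):
    """Return (active, renamed) file names found in `directory`.

    Names are compared case-insensitively, as Windows does.
    """
    active, renamed = [], []
    try:
        names = os.listdir(directory)
    except OSError:
        return active, renamed  # directory absent, nothing to report
    for name in names:
        low = name.lower()
        if low == SCRIPT_HOST:
            active.append(name)
        elif low.startswith("wscript") and low.endswith(".exe"):
            renamed.append(name)  # e.g. WScriptGene.exe from post #1
    return active, renamed


def audit_script_host(system_root):
    """Report whether the rename described in the thread is still in place."""
    system32 = os.path.join(system_root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    live, live_renamed = find_copies(system32)
    cached, cached_renamed = find_copies(dllcache)
    if live:
        status = "active"              # WScript.exe is back (or was never renamed)
    elif cached:
        status = "cache-copy-present"  # the dllcache copy from posts #4 and #5 remains
    else:
        status = "disabled"            # neither location holds WScript.exe
    return {"status": status, "renamed": sorted(live_renamed + cached_renamed)}


if __name__ == "__main__":
    import sys
    # Default path is the one given in post #1 for WinNT/Win2000.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\winnt"
    print(audit_script_host(root))
```

A "disabled" result only covers WScript.exe; as post #2 reports, script that runs through the IE scripting engine is not affected by the rename.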