Security Incidents mailing list archives

RE: Worms and CScript/WScript


From: "Michael Wright" <mwright () allcovered com>
Date: Tue, 21 May 2002 19:25:47 -0400

The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
Incidents" actually recommends disabling Windows Scripting Host by removing
both cscript.exe and wscript.exe.

I have added that to my logon script so that every time a user logs onto one
of my networks, WSH is disabled.  Add that to a managed anti-virus solution
that filters attachments by extension, and does real-time protection of both
servers and workstations and you have a very effective virus/worm/trojan
defense.

You can download the aforementioned NSA guide directly here:
http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf
or browse through all the NSA guides at http://www.nsa.gov

-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, May 21, 2002 5:45 PM
To: incidents () securityfocus com
Subject: Worms and CScript/WScript



Hello,

A majority of the worms (even SQLsnake) that have been going around
lately take advantage of cscript and wscript.  What ramifications would
be felt on vanilla installs of common services (MS SQL, Exchange, IIS,
etc.) if these two files were moved or deleted?  It seems like a fairly
easy way to help mitigate the 'success' of Internet worms.  Any
thoughts?

Blake Frantz  A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


