Security Incidents mailing list archives

RE: Worms and CScript/WScript


From: verbal () mrverbal com
Date: Tue, 21 May 2002 18:17:37 -0400

Sure you could, but if they get that far, you're in trouble as it is.
You could adjust the NTFS perms on the files listed below to
explicitly allow rights only to certain users; however, who knows
what ill effects that could have in future application
installation/use.

Ultimately, once they're in, they're in.  A person can't just execute
arbitrary code on a remote host without the availability of some
exploit on the perimeter.  Why not stop them there first?  (hardening
in the event of perimeter penetration is advised additionally as well)

Wscript.exe and Cscript.exe
        The host.
Wshom.ocx
        The WSH Shell Object.
Scrrun.dll
        The Scripting Runtime - contains the FileSystemObject and the powerful Dictionary Object.
VBScript.dll
        Contains the Global Modules, Classes, and the Regular Expression Object.
Wshext.dll
        New with WSH 5.6, handles the new authenticity and certification methods for scripts.
Shdocvw.dll
        Contains numerous Shell Extensions that are accessible from WSH.
JScript.dll
        This is the Microsoft port of JavaScript, originally built by Netscape. With only a few exceptions it looks and behaves like JavaScript.


-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, May 21, 2002 4:45 PM
To: incidents () securityfocus com
Subject: Worms and CScript/WScript

Hello,

A majority of the worms (even SQLsnake) that have been going around
lately take advantage of cscript and wscript.  What ramifications would
be felt on vanilla installs of common services (MS SQL, Exchange, IIS,
etc.) if these two files were moved or deleted?  It seems like a fairly
easy way to help mitigate the 'success' of Internet worms.  Any
thoughts?

Blake Frantz  A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net
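
The reply above suggests restricting NTFS permissions on the listed WSH components while warning about side effects, so a read-only audit of the current ACLs is the natural first step. The PowerShell below is an added example, not part of the original thread; it assumes the files live under %SystemRoot%\System32 and that the `$expected` principals are the site's approved set.

```powershell
# Added example (not from the thread): read-only audit of execute rights
# on the WSH components named in the reply. Changes nothing on disk.

# File names come from the post; the System32 location is an assumption.
$components = 'wscript.exe', 'cscript.exe', 'wshom.ocx', 'scrrun.dll',
              'vbscript.dll', 'wshext.dll', 'shdocvw.dll', 'jscript.dll'

# Assumption: principals expected to hold execute rights; adjust to site policy.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller'

$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

$findings = foreach ($name in $components) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "$name not found at $path"
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        # Only Allow entries that include the execute bit are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.FileSystemRights.HasFlag($execute)) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected -notcontains $who) {
            [pscustomobject]@{
                File      = $name
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Each row is a principal outside $expected that can run or load the component.
$findings | Sort-Object File, Principal | Format-Table -AutoSize
```

The output lists direct ACL entries only; it does not expand group membership or account for Deny entries.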



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

