Vulnerability Development mailing list archives

Re: The Million Dollar Solution


From: as () PSA AT (Alexander Sanda)
Date: Sat, 6 May 2000 13:40:17 +0200


At 20:33 05.05.2000 -0700, Matthew Harmon wrote:

> Everyone has been scrambling east and west, north and south trying to
> find the answer to these VBS viruses, the answer is not eMail
> filtering, it's not better firewalls, or failing members of the FBI
> community.
>
> It is a file called WScript.Exe
>
> A batch (.BAT) file with these two lines will deal with this problem:
>
> ren %SystemRoot%\system32\wscript.exe wscript.sav
> ren c:\windows\wscript.exe wscript.sav
>
> If you get rid of this engine, then all Visual Basic Scripts cannot be
> run.

This will only do 50% of the job. There is a 2nd version of the scripting
host with the name cscript.exe. This one normally deals with commandline
scripts (that is, scripts which don't use their own window but send their
output to a shell). CSCRIPT.EXE is also attached to .vbs, .vbe, .jse etc.
file types through the registry.

Oh, and when I tried to manually delete wscript.exe or cscript.exe under
Win2K, system file protection disagreed and restored the files
immediately. So I think the only way to get rid of WSH is to really
uninstall it - but see below.

Another MS screwup - in my opinion, the system file protection should not
revert actions which were done by an administrator.

Worse than that, under Win2K there is no way to uninstall the scripting
host. At least I didn't find an option for doing this. Under
ControlPanel->Add/rem programs->Add/Rem Windows Components, no option is
present for the scripting host. It seems that MS sees it as "part of the
operating system" :(

Is there any way to fool or disable the system file protection under Win2K?
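
The registry association described in the message above can be audited directly. The following PowerShell sketch is an added example, not part of the original post: it lists every shell verb registered for the common script extensions and shows whether the command behind it runs wscript.exe or cscript.exe. The extension list beyond .vbs, .vbe and .jse is an assumption, and the script reads only the merged HKEY_CLASSES_ROOT view.

```powershell
# Added example: report which script file types are still bound to Windows Script Host.
# Assumption: extension list (the post names .vbs, .vbe, .jse "etc.").
$extensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$wshHosts   = 'wscript.exe', 'cscript.exe'

function Get-DefaultValue([string]$Path) {
    # Return the (Default) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

$findings = foreach ($ext in $extensions) {
    # Step 1: extension -> ProgID (for example .vbs -> VBSFile)
    $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not $progId) { continue }

    # Step 2: every verb under <ProgID>\shell has its own command line,
    # so one file type can reference both hosts under different verbs.
    $shell = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    $verbs = Get-ChildItem -LiteralPath $shell -ErrorAction SilentlyContinue
    foreach ($verb in $verbs) {
        $command = Get-DefaultValue "$shell\$($verb.PSChildName)\command"
        if (-not $command) { continue }

        # -match is case-insensitive, so WScript.exe and wscript.exe both hit.
        $hit = $wshHosts |
            Where-Object { $command -match [regex]::Escape($_) } |
            Select-Object -First 1

        [pscustomobject]@{
            Extension  = $ext
            ProgId     = $progId
            Verb       = $verb.PSChildName
            ScriptHost = if ($hit) { $hit } else { '(other)' }
            Command    = $command
        }
    }
}

$findings | Sort-Object Extension, Verb | Format-Table -AutoSize
```

Rows whose ScriptHost column still shows cscript.exe after wscript.exe has been dealt with are the remaining half of the job the message refers to.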

