RE: Can I delete Wscript.exe?

From: Matthew.van.Eerde@hbinc.com
Date: 10/14/02


From: Matthew.van.Eerde@hbinc.com
To: db@die-lounge.com, huberan@gmx.at, jtnim@hotmail.com, focus-ms@securityfocus.com
Date: Mon, 14 Oct 2002 13:25:25 -0700

WFP will pop up an alert if you try to delete/rename a dllcache'd file on
Windows 2000 Professional.

A workaround (my favorite) that I found posted somewhere was to do something
like this:

copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\wscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\dllcache\cscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\wscript.exe
copy c:\winnt\system32\dllcache\notepad.exe c:\winnt\system32\cscript.exe

WFP is not intelligent enough to know when one protected file is overwritten
with a copy of another.

This way, even with the file associations still intact, your users are safe.
In fact, better than safe - now clicking on those .vbs attachments will pop
a lot of ugly-looking code up in a notepad window! That will give them a
scare, and they'll give you a call - which gives you a chance to find out
how and where .vbs files are getting in in the first place.

Notice that this sequence of commands should be rerun after every
application of a Windows service pack, or a patch that affects wscript.exe
or cscript.exe, etc.

I don't believe any legitimate uses for either wscript.exe or cscript.exe
exist other than an Administrator calling it directly from the command line.
I've had it disabled for months on about 60 user machines with no problems
(although I just found out about the notepad.exe trick today.)

> -----Original Message-----
> From: Dominick Baier [mailto:db@die-lounge.com]
> Sent: Monday, October 07, 2002 14:12
> To: 'Andreas Huber'; jtnim@hotmail.com; focus-ms@securityfocus.com
> Subject: AW: Can I delete Wscript.exe?
>
>
> Wscript gets replaced by windows file protection when you rename/delete
> it ... at least on server versions...
>
> you have to delete \winnt\system32\dllcache\wscript, too
>
> greetings
> dominick
>
>
>
> -----Original Message-----
> From: Andreas Huber [mailto:huberan@gmx.at]
> Sent: Monday, 7 October 2002 19:52
> To: jtnim@hotmail.com; focus-ms@securityfocus.com
> Subject: AW: Can I delete Wscript.exe?
>
>
> you could try to rename wscript.exe into wscript.exe.old
> If you lose any features, you know that wscript.exe is important for
> win2k. if not, your problem is solved.
>
> greets
> andreas
>
> -----Original Message-----
> From: jtnim@hotmail.com [mailto:jtnim@hotmail.com]
> Sent: Monday, 7 October 2002 08:36
> To: focus-ms@securityfocus.com
> Subject: Can I delete Wscript.exe?
>
>
>
>
> One way to guard against script viruses and worms is obviously to delete
> Wscript.exe entirely. What I'd like to know is how does this affect the
> system (W2k)? Do I lose features that I might need? Also, I'm not
> exactly sure whether IE and Outlook Express use Wscript.exe to run
> scripts, so any info on that would be appreciated. Good links will do!
>
> Thanks!
>
> -- Rubio
>
>
>
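
Added example, not part of the original thread: because the message notes that the copy commands must be rerun after every service pack or patch, this Python sketch checks whether the four overwritten files still match the notepad.exe copy. The function names, status labels and the sample tree are assumptions made for illustration; the sample files hold placeholder bytes, not real binaries.

```python
import hashlib
import tempfile
from pathlib import Path

# The four files the message overwrites, plus the notepad.exe copy used as source.
# Paths are relative to the Windows directory (c:\winnt in the message).
REFERENCE = "system32/dllcache/notepad.exe"
TARGETS = ["system32/dllcache/wscript.exe", "system32/dllcache/cscript.exe",
           "system32/wscript.exe", "system32/cscript.exe"]


def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit(windir):
    """Map each target to 'substituted', 'restored' (differs from notepad) or 'missing'."""
    windir = Path(windir)
    want = digest(windir / REFERENCE)  # raises FileNotFoundError if the source copy is gone
    status = {}
    for rel in TARGETS:
        path = windir / rel
        if not path.is_file():
            status[rel] = "missing"
        elif digest(path) == want:
            status[rel] = "substituted"
        else:
            status[rel] = "restored"  # e.g. put back by a service pack or patch
    return status


def build_sample(root):
    """Constructed stand-in tree with placeholder bytes, not real Windows binaries."""
    root = Path(root)
    (root / "system32" / "dllcache").mkdir(parents=True)
    for rel in [REFERENCE] + TARGETS:
        (root / rel).write_bytes(b"constructed notepad placeholder")
    # Simulate a service pack putting the script host back in system32.
    (root / "system32/wscript.exe").write_bytes(b"constructed script host placeholder")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, state in audit(build_sample(tmp)).items():
            print(f"{state:12} {rel}")
```

Any target reported as "restored" or "missing" means the copy commands from the message need to be run again on that machine.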