This from Symantec on disabling vbs style viruses.
Bill Mahn
========================================
How to uninstall the Windows Scripting Host
Situation:
You want to know how to uninstall the Windows Scripting Host so that worms,
such as VBS.LoveLetter, cannot use it to spread infection on your computer.
Solution:
The Microsoft Windows Scripting Host enables you to run Visual Basic
Scripting and JScript within Windows. Most programs do not use this
scripting. Because several worms have made use of this scripting, which is
similar to a macro, you may want to remove it if it is not needed; this will
prevent the spread of infection by worms which make use of it.
NOTES:
The instructions in this document explain how to uninstall the Windows
Scripting Host. If you have programs that use the Scripting Host, and,
therefore, need to use it occasionally, you may want to be able to disable
or enable it as needed. The Symantec AntiVirus Research Center (SARC) has
developed a program that you can use to do this. There is no charge for this
program. To download it, click this link: How to disable or remove the
Windows Scripting Host.
These instructions are provided for your convenience. Symantec does not
provide warranty support for or assistance with Microsoft products. If you
would like assistance with this, Symantec now provides fee-based technical
support and assistance for a number of non-Symantec products, including
those from Microsoft. Symantec Multivendor Support is available by calling
(800) 745-6032. Otherwise, we suggest that you contact Microsoft for
assistance.
If you are using Microsoft Outlook Express, and you want to disable the
Scripting Host in this program only, then see the Microsoft Knowledge Base
Document, OLEXP: How to Disable Active Scripting in Outlook Express, Article
ID: Q192846
Remove from the Control Panel--Windows 98 users only
If you are using Windows 98, you can either use this method, or the method
described in the second section. Please follow these steps:
NOTE: This does not apply to Windows 98 Second Edition. If you are a Second
Edition user, you will have to use the method described in the second
section.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Windows Setup tab.
4. Double-click Accessories.
5. Scroll down, if necessary, and locate the Windows Scripting Host entry.
If it is not in the Accessories list, then you will have to use the method
described in the next section. Cancel all dialog boxes, close the Control
Panel, and then skip to the next section.
If it is in the Accessories list, select it and note whether it is checked
or unchecked.
If it is not checked, it is not installed. Cancel all dialog boxes and close
the Control Panel.
If it is checked, uncheck it, click OK, and then click OK again. Close the
Control Panel.
Remove the file from the system--any version of Windows
With the exception of some versions of Windows 98, the Windows Scripting
Host can be installed on the computer, but not be displayed in the
Add/Remove Programs dialog box. For these, and all versions of Windows, you
can disable the Scripting Host by removing its executable file. Please
follow these steps to do this:
1. Click Start, point to Find, and then click Files or Folders.
2. Make sure that Look in is point to either your C drive or All Drives if
you have more than one.
3. In the Named box, type wscript.exe and then click Find Now.
4. Right-click the file that is found, and then do one of the following:
If you are sure that you will not need this, click Delete, and then click
Yes to confirm.
If you want to keep a copy of this file so that you can easily reinstall it
later:
1. Click Cut. (Do not click Copy.)
2. Close the Find Files window.
3. Double-click the My Computer icon on the Windows desktop.
4. Insert a blank, formatted floppy disk in the floppy disk drive.
5. Double-click the floppy disk drive icon--usually the A drive.
6. Click the File menu, and then click Paste.
5. (Optional). Because you have deleted or moved the Wscript.exe file, if
you ever do try to run a .vbs file, you will see a Program Not Found
message. This is, of course, expected, and you can just click Cancel. If you
want to prevent this, however, you will have to remove the file association:
1. Start Windows Explorer.
2. Click View, and then click Options or Folder Options.
3. Click the File Types tab.
4. In the Registered file types list box, scroll down to and select VBScript
Script File.
5. Click Remove and then click Yes to confirm.
6. Click OK and then close all dialog boxes.
----------------------------------------------------------------------------
---- Product(s): General, Virus Information Operating System(s): Windows 95, Windows NT 4.0, Windows 98, Windows 2000 Document ID: 2000050512031906 Date Created: 05/05/2000 Last Modified: 01/22/2001----- Original Message ----- From: "Ann Rathbun" <rathbun@sedona.net> To: "Recipients of ABRF List" <abrf@aecom.yu.edu> Cc: <Randy.Wilhelm@MKG.com> Sent: Tuesday, February 13, 2001 12:38 PM Subject: virus warning - AnnaKournikova
> > > Dear Folks, > I usually dislike getting the virus warning messages, however, since my > office computer got "bitten" yesterday with this one, let me pass on a > little additional info. [I'm sending this from my webmail account not my > Outlook email, so don't anyone worry that I've sent of a virus!] > > BTW - I was running up-to-date Norton AND did a second check on the file! > > Would suggest that everyone on a PC [don't know about Macs] check the > following: > Go to Control Panel, open up add/remove programs. > Select the Windows Setup tab [it may take a few seconds to open up the > window], > then select Accessories. > Scroll down to the Windows Scripting Host and make sure it is UNCHECKED!! > > Also good to make sure that Office users have the updated Security patches. > > I don't quite understand this - Norton web site only had the "AnnaK.." > listed as "discovered" on 2/12/01 [with the fix "pending" - oh joy!] and > McAfee said it was discovered around 8 or 9/00. Could be McAfee was > referring to its look a likes - ILOVEYOU or somesuch and the "kak" virus. > When I did a "reply" to the poor fellow who sent it to me [before I was > fully realized it was a virus!], I hit the send button and all of a sudden > emails piled up in my Out box to send to EVERYONE in my address book! > Thankfully, I snagged and deleted them before they went out. > > Ann Rathbun > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Randy <clip> > Message from PBC Peptide Info [info@pbcpeptide.com] describes email > containing virus. This has been verified by our IS folks. Our system has > been infected. > > The virus is self replicating and will distribute rapidly through your > system if infected. So rapidly, irridication is difficult - hard to stay > ahead of. > > If you see such an email containing the header: " Here you have, ;o) " > and an attachment do not open the attachment. Take heed. >
This archive was generated by hypermail 2b29 : Fri Feb 23 2001 - 13:03:34 EST