P2P-Zone  


Peer to Peer The 3rd millenium technology!

21-05-02, 02:46 PM   #1
spstn
No Nonsense Nonsense
 
Join Date: May 2002
Location: Miami
Posts: 382
Protect yourself

I posted this info previously in another thread. The original post belonged to BuzzB2K. So credits go to him.

" Changing the Default Action for VBS Scripts to Edit.

You can change the default action for .VBS, .VBE, .JS, .JSE and .WSH files. When installed, these extensions are configured to default to 'Open'. If this default action is changed to 'Edit', scripts will open in a text editor instead of executing, which effectively renders them harmless.

To change the default action for these three extensions:


1) Open up 'Windows Explorer'
2) Under the 'View' menu select 'Options…' or 'Folder Options…'
3) Single click on the 'File Types' tab
4) Scroll down the list until you find 'VBScript Script File'. Single click on it and click the 'Edit…' button
5) Where it says 'Actions' look for 'Edit'. Single click on it and then click the button that says 'Set Default'
6) Click the 'Close' button
7) Repeat steps 4-6 for 'VBScript Encoded Script File' (skip this step if it is not listed)
8) Repeat steps 4-6 for 'JScript Script File'
9) Repeat steps 4-6 for 'JScript Encoded Script File'
10) Repeat steps 4-6 for 'Windows Scripting Host Settings File'

Now VBS scripts, which is how these virii are spreading, will just open harmlessly in notepad. Problem solved.

After neutering the Script Files you can go to your shared folder and delete the little buggers!! "

Now me again: You can add as many file extensions as you need to feel secure, i.e. like adding .scr to the list.
You can still use the "run" command in your "Start" menu to run any exe file or "shift-right click" to get the "open with" option in the explore context menu to open any other file after proper verification. Of course you can always open or play them from within a program or player.

I haven't run into this worm yet, but I've taken an extra couple of precautionary measures just in case:

1) I created this entry in my Host file "127.0.0.1 benjamin.xww.de" (without quotations). This way the rogue site can't be accessed because this is my computer IP and will time out for ever.

2) I created the folder Sys32 in %WinDir%\Temp\ , and changed its attributes to "read only". In theory this should interfere with the execution of the worm registry entries.

I'm not planning to test this, so if any of the most experienced users know if this can "fly" please feel free to expand on it.
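One way to check the result of the file-type steps in the post above, as an added example that is not part of the original post: it reads each script extension's default verb from HKEY_CLASSES_ROOT and flags those whose default command still starts Windows Script Host. The function names and the `SAMPLE` data are constructed for illustration, and per-user association overrides on newer Windows versions are not examined.

```python
import sys

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsh")
SCRIPT_HOSTS = ("wscript", "cscript")  # Windows Script Host executables

def audit(read_default, extensions=SCRIPT_EXTENSIONS):
    """Map each extension to (default_verb, command, executes).

    read_default(subkey) returns the unnamed value of a key under
    HKEY_CLASSES_ROOT, or None when the key or value is missing.
    """
    report = {}
    for ext in extensions:
        progid = read_default(ext)
        if not progid:
            report[ext] = (None, None, False)  # extension not registered
            continue
        # The unnamed value of <ProgID>\shell names the default verb;
        # when it is empty the shell falls back to "open".
        verb = read_default(progid + "\\shell") or "open"
        command = read_default("\\".join([progid, "shell", verb, "command"])) or ""
        executes = any(host in command.lower() for host in SCRIPT_HOSTS)
        report[ext] = (verb, command, executes)
    return report

def registry_reader(subkey):
    """Live reader for the local registry (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as key:
            return winreg.QueryValueEx(key, "")[0]
    except OSError:
        return None

# Constructed sample: .vbs already switched to Edit, .js still on Open.
SAMPLE = {
    ".vbs": "VBSFile", "VBSFile\\shell": "Edit",
    "VBSFile\\shell\\Edit\\command": r"C:\WINDOWS\notepad.exe %1",
    "VBSFile\\shell\\open\\command": r'C:\WINDOWS\wscript.exe "%1" %*',
    ".js": "JSFile",
    "JSFile\\shell\\open\\command": r'C:\WINDOWS\wscript.exe "%1" %*',
}

if __name__ == "__main__":
    reader = registry_reader if sys.platform == "win32" else SAMPLE.get
    for ext, (verb, command, executes) in audit(reader).items():
        state = "EXECUTES" if executes else "ok"
        print(f"{ext:5} default={verb!s:6} {state:8} {command}")
```

On Windows the script reads the live registry; elsewhere it falls back to the constructed sample so the logic can still be exercised.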
All times are GMT -6.

