Symantec

Symantec Security Response
http://securityresponse.symantec.com

How to disable or remove the Windows Scripting Host


Last Updated on: April 25, 2005 12:46:50 PM CDT
 

How can worms such as VBS.LoveLetter.A spread so fast and have the potential to cause so much damage? If you have been following these virus outbreaks, you may wonder how this can happen and what you can do to protect yourself. VBS.LoveLetter.A, VBS.NewLove.A, and other viruses and worms use the VBScript computer language to spread and damage infected computers.

VBScript and VBS files
VBScript is a scripting language that allows developers to create a list of commands that can be executed without user interaction. As with any scripting language, it is frequently used to automate actions. Unfortunately, virus writers can also take advantage of its capabilities to infect computers and cause extensive damage.

VBScript files are nothing more than plain text files with a .vbs extension, and they can be edited using any text editor, such as Notepad. They contain a set of instructions that are run when a user executes the file. For example, you can create a .vbs file that reads a list of names for shared folders on your local network and maps a network drive to each name. Almost any action that you can perform while sitting at your computer can be automated by one of these scripts.

What is the Windows Scripting Host?
The Windows Scripting Host (WSH) is a feature of Microsoft Windows operating systems. It enables .vbs files to run in Windows 95, 98, NT 4.0, and Windows 2000. In the case of the VBS.LoveLetter.A and VBS.NewLove.A worms, it enabled the virus writer to automate actions by executing a script directly, without end-user intervention.

The WSH enables users to automate tasks in Windows by providing access to the Windows shell, file system, registry, and more. The WSH is accessible to anyone who can learn to write the relatively simple scripting code. Scripts can be run directly from the desktop by clicking on a script file, from within a program, such as an email program, or from the command console.

What can you do to protect yourself?

Use Script Blocking
If you are a home or small business customer, you should be running Norton AntiVirus 2001 or later. These versions can be configured to detect VBScripts when they are run, alert you to ones that are unknown or possibly malicious, and block them if necessary.

  • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Run LiveUpdate to obtain this.
  • If you are using Norton AntiVirus 2002 or later, all of which include Script Blocking, make sure that Script Blocking is enabled (the default).


Disable or uninstall the Windows Scripting Host
One preventive measure that you can take to protect yourself from viruses that come as .vbs attachments is to disable or uninstall the Windows Scripting Host. Because Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. This feature can easily be re-installed if it is required in the future. Remember that there are many other viruses that do not use the Windows Scripting Host, so it is critical that you continue to use Norton AntiVirus protection with the most up-to-date virus definitions.


Before you begin: If you are using Norton AntiVirus 2001 and you have downloaded and installed the Script Blocking update, or you are using Norton AntiVirus 2002/2003/2004 and Script Blocking is enabled, disabling or uninstalling the Windows Scripting Host is neither necessary nor recommended. The Script Blocking feature will prevent potentially malicious scripts from running, and will still allow you to run the required scripts.


How to disable (or re-enable) the Windows Scripting Host:
The Noscript.exe program disables the Windows Scripting Host, which prevents viruses from executing automated scripts.
Note: Disabling the WSH prevents all scripts from running on the system.
  1. Download Noscript.exe to a folder on the hard disk.
  2. Double-click the Noscript.exe icon. The Norton Script Disabler/Enabler appears.
    • If the WSH is currently enabled on the system, you will be prompted as to whether you want to disable it. To do so, click Disable, and then click OK.
    • If the WSH is currently disabled on the system, you will be prompted as to whether you want to enable it. To do so, click Enable, and then click OK.

The following are optional command-line parameters to Noscript.exe:
  • /silent
    This suppresses the enable/disable dialog and automatically disables WSH. If WSH has already been disabled, Noscript will do nothing.
  • /silent /on
    This suppresses the enable/disable dialog and automatically enables WSH. If WSH has already been enabled, Noscript will do nothing. The "/on" parameter must be used in conjunction with the "/silent" switch; it cannot be used by itself.

NOTE: If the command-line parameters are used, Noscript will not toggle the enabled/disabled state of WSH.

How does Noscript disable/enable the WSH?
It renames the file association classes for any class that has either Wscript.exe or Cscript.exe in its Shell\Open\Command or Shell\Open2\Command registry keys.
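
To check which file extensions still resolve to a class whose Shell\Open\Command or Shell\Open2\Command launches Wscript.exe or Cscript.exe, the registry export can be audited offline. The following is an added example, not Symantec's code: the function name wsh_exposure and the sample export are constructed for illustration, and only plain string default values are parsed (values exported in hex form are not decoded).

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"
[HKEY_CLASSES_ROOT\.js]
@="JSFile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command]
@="C:\\WINDOWS\\COMMAND\\CScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

CMD_KEY = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\(open2?)\\command\]$', re.I)
EXT_KEY = re.compile(r'^\[HKEY_CLASSES_ROOT\\(\.[^\\\]]+)\]$', re.I)
DEFAULT = re.compile(r'^@="(.*)"$')                      # default value, string type only
WSH_EXE = re.compile(r'(?<![^\\/\s"])[wc]script\.exe\b', re.I)

def wsh_exposure(reg_text):
    """Map each extension to the (verb, command) pairs that start WSH for it."""
    ext_class, wsh_cmds, key = {}, {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith('['):                         # new key: remember what kind it is
            cmd, ext = CMD_KEY.match(line), EXT_KEY.match(line)
            key = (('cmd', cmd.group(1).lower(), cmd.group(2).lower()) if cmd
                   else ('ext', ext.group(1).lower()) if ext else None)
            continue
        val = DEFAULT.match(line)
        if not (key and val):
            continue
        text = re.sub(r'\\(.)', r'\1', val.group(1))     # undo .reg escaping of \ and "
        if key[0] == 'ext':
            ext_class[key[1]] = text.lower()             # .vbs -> vbsfile
        elif WSH_EXE.search(text):
            wsh_cmds.setdefault(key[1], []).append((key[2], text))
    # Only extensions whose class still has a WSH command are exposed.
    return {e: wsh_cmds[c] for e, c in sorted(ext_class.items()) if c in wsh_cmds}

if __name__ == '__main__':
    for ext, cmds in wsh_exposure(SAMPLE_REG).items():
        for verb, command in cmds:
            print(f'{ext}  {verb:<5}  {command}')
```

Given the renaming described above, an extension whose class has been renamed no longer resolves to a WSH command and drops out of the result.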

How to uninstall the WSH

Remove from the Control Panel (Windows 98 users only)
If you are running Windows 98, you can either use this method, or the method described in the second section. Follow these steps:

NOTE: This does not apply to Windows 98 Second Edition. If you are a Second Edition user, use the method described in the second section.
  1. Click Start, point to Settings, and click Control Panel.
  2. Double-click Add/Remove Programs.
  3. Click the Windows Setup tab.
  4. Double-click Accessories.
  5. Scroll down, if necessary, and locate the Windows Scripting Host entry.
    • If it is not in the Accessories list, then you will have to use the method described in the next section. Cancel all dialog boxes, close Control Panel, and then skip to the next section.
    • If it is in the Accessories list, select it and note whether it is checked or unchecked.
      • If it is not checked, it is not installed. Cancel all the dialog boxes and close the Control Panel.
      • If it is checked, uncheck it, click OK, and then click OK again. Close the Control Panel.

Remove the file from the system (any version of Windows)
With the exception of some versions of Windows 98, the Windows Scripting Host can be installed on the computer, but not be displayed in the Add/Remove Programs dialog box. For these and all versions of Windows, you can disable WSH by removing its executable file. Follow these steps to do this:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look in is pointed to either drive C or All Drives, if you have more than one.
  3. In the Named box, type wscript.exe, and then click Find Now.
  4. Right-click the resultant file, and then do one of the following:
    • If you are sure that you will not need this, click Delete, and then click Yes to confirm.
    • If you want to keep a copy of this file so that you can easily re-install it later:
      1. Click Cut. (Do not click Copy.)
      2. Close the Find Files window.
      3. Double-click the My Computer icon on the Windows desktop.
      4. Insert a blank, formatted floppy disk into the floppy disk drive.
      5. Double-click the floppy disk drive icon, usually drive A.
      6. Click the File menu, and then click Paste.

  5. Optional: Because you have deleted or moved the Wscript.exe file, if you ever try to run a .vbs file, you will see a Program Not Found message. This is, of course, expected, and you can click Cancel. If you want to prevent this, however, you will have to remove the file association, as follows:
    1. Start Windows Explorer.
    2. Click View, and then click Options or Folder Options.
    3. Click the File Types tab.
    4. In the Registered file types list box, scroll down to select VBScript Script File.
    5. Click Remove, and then click Yes to confirm.
    6. Click OK, and then close all dialog boxes.