Tweaking WSH helps defend Windows PCs from malicious email attachments

Bad guys are always looking to abuse overlooked components of a system. On PCs, the Windows Script Host (WSH) was one such, often overlooked, component, but it's becoming more popular.

WSH can execute scripts written in many programming languages. Out of the box, it does JScript and VBScript but other languages, such as Perl and Python, can also be installed. 

JScript is Microsoft's version of JavaScript. Unlike the JavaScript that runs inside a web browser, JScript runs inside Windows and, compared to browser-based JavaScript, has additional, potentially dangerous, features.

Back in June, I wrote about defending a Windows computer from malicious JScript email attachments that install malware.  

JScript files end with .js; VB Script files end with .vbs. Each also comes in an encoded flavor, .jse for JScript and .vbe for VB Script. In addition, WSH supports .wsf files, which contain both JScript and VB Script. 

When I wrote about this last time, bad guys were only abusing JScript. Now, they have branched out.

Last month, Trend Micro wrote that they have started seeing malicious VBScript and WSF files:

In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download other ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments—which could explain how WSF became the second file type attachment most used by threats.

WSF files are chic and trendy.

Last week, Symantec confirmed the popularity of malicious WSF files. 

Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic ... between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer ... Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.


There are two defensive tactics against malicious script files: disabling the WSH component altogether and configuring Windows to open WSH files with Notepad rather than the Windows Script Host component.

Forcing Windows to open WSH files in Notepad is fairly simple and I described the procedure back in June for Windows 7, 8.1 and 10. If you prefer this option, be sure to do it for all five types of files. 

Interestingly, Windows Explorer displays very different information for these file types depending on whether they are processed by Notepad or WSH. Before changing anything, it looks like this:

Windows Explorer when WSH processes the five types of script files

After configuring Notepad to open these files, they are no longer "script" files, they are just files. 


Windows Explorer when Notepad processes the five types of script files

This approach assumes, however, that these are the only file types processed by WSH. As noted earlier, other scripting languages may have been installed. And, assorted sources on-line claim that WSH also runs .mod, .bas, .frm, .vb and .wsc files. My very limited testing found this not to be true, but maybe, under some circumstances it might be true.

With that in mind, disabling WSH entirely is a much bigger hammer. Disabling it is the strongest option available as WSH can not be un-installed.

WSH is disabled by adding a new key to the registry (make a restore point first). The location of the new key determines if WSH is disabled system-wide or just for the currently logged in user.

According to Trend Micro, the key is a REG_DWORD called "Enabled", and it needs to be set to zero. To disable WSH for the current Windows user, add the key under

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\

To disable it system wide, add the key under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\

You can verify that WSH is disabled from the command prompt with the cscript and wscript commands.


What the wscript command looks like after WSH has been disabled

All this said, is it really worth the trouble? If you read email on a Windows computer, do yourself a favor and use a different operating system, at least for email.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon