New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 22, 2016 10:04AM

Quote:

A new ransomware was discovered by security researchers @JAMESWT_MHT and @benkow_ called RAA that is made 100% from JavaScript. In the past we had seen a ransomware called Ransom32 that was created using NodeJS and packaged inside an executable. RAA is different, because it is not delivered via an executable, but rather is a standard JS file.

When a JavaScript file, such as RAA, executes outside of the browser it requires an interpreter that can read the file and execute the JavaScript commands within it. As most people do not need to execute Javascript outside of a web browser, it is suggested that everyone disables the Windows Script Host so that these types of files are not allowed to execute.

If you wish to disable the windows script host, which is enabled by default in Windows, you can add the following DWORD Registry entry to your computer and set the value to 0.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
source

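The registry value quoted above can be audited, set and verified from PowerShell. The script below is an added example written for this thread, not code from the post or from Microsoft: it reads the machine-wide key named in the post and the per-user equivalent under HKCU (which Windows Script Host also honours, and which the post does not mention), writes the DWORD 0 the post recommends, and checks the result the way Yogi did later in the thread, by running a harmless one-line JScript file and seeing whether it executes. The function names (Get-WshStatus, Disable-Wsh, Enable-Wsh, Test-WshBlocked) are this example's own; writing under HKLM needs an elevated prompt.

```powershell
# Added example (not from the forum post): audit, set and verify the Windows Script Host (WSH)
# "Enabled" registry value that the post recommends setting to 0.
# The HKLM path is the one quoted in the post; the HKCU path is the per-user equivalent that
# WSH also honours. Writing under HKLM needs an elevated prompt.

$WshSettingsKeys = @(
    'HKLM:\Software\Microsoft\Windows Script Host\Settings'   # machine-wide (quoted in the post)
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'   # current user only
)

# Report the Enabled value for both keys. An absent value means the Windows default: WSH enabled.
function Get-WshStatus {
    foreach ($key in $WshSettingsKeys) {
        $enabled = $null
        if (Test-Path -Path $key) {
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Key     = $key
            Enabled = $enabled
            State   = if ($enabled -eq 0) { 'disabled' } else { 'enabled (default)' }
        }
    }
}

# Write Enabled = 0 (REG_DWORD), exactly the value the post recommends. -Scope User needs no elevation.
function Disable-Wsh {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $key = if ($Scope -eq 'Machine') { $WshSettingsKeys[0] } else { $WshSettingsKeys[1] }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

# Remove the value again (back to the default of WSH enabled) for users who rely on .js/.vbs tools.
function Enable-Wsh {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $key = if ($Scope -eq 'Machine') { $WshSettingsKeys[0] } else { $WshSettingsKeys[1] }
    if (Test-Path -Path $key) {
        Remove-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    }
}

# Verify the setting the way the thread does, with a harmless one-line JScript probe:
# when WSH is disabled, cscript.exe prints its "access is disabled" message and the marker never appears.
function Test-WshBlocked {
    $probe = Join-Path $env:TEMP 'wsh-probe.js'          # constructed probe file, removed afterwards
    Set-Content -Path $probe -Value 'WScript.Echo("wsh-probe-ok");' -Encoding ASCII
    try {
        $output = & "$env:SystemRoot\System32\cscript.exe" //nologo $probe 2>&1 | Out-String
        return -not ($output -match 'wsh-probe-ok')
    } finally {
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    }
}

Get-WshStatus | Format-Table -AutoSize
if (Test-WshBlocked) { 'WSH is blocked: the probe script did not run.' }
else                 { 'WSH is active: the probe script ran.' }
```

Run the audit first; then `Disable-Wsh` (or `Disable-Wsh -Scope User` without elevation) and run `Test-WshBlocked` again. Keep in mind the trade-off the rest of the thread discusses: with Enabled = 0, every wscript.exe/cscript.exe launch is refused, including the backup and conversion scripts some of the posters depend on.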
Re: New RAA Ransomware created entirely using JavaScript
Posted by: JamesD
Date: June 22, 2016 07:47PM

WOW!

I have four dot js files called by the exec statement in macros and one stand-alone js home-built backup system.

I think I may have a problem.

Can wscript.exe run if renamed and moved to a tools folder at KM root?

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 24, 2016 11:19AM

Hi James,

Keep in mind that I'm not a programmer, nor are my computing skills very bright.
However, killing/renaming wscript.exe should be safe.

I also have a tool that needs the Script Host.
I found an easy way to circumvent the registry setting to disable Script Host, advised by Microsoft.

If I try to launch the .vbs the normal way I get the expected message that Script Host is disabled and I should contact my Admin bla, bla, bla.
If I launch the .vbs within a .RAR/.ZIP the registry setting has no effect anymore and the script does its job. :)

Here are many scripts to test and to play with.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: JohnHell
Date: June 24, 2016 09:22PM

You are making things harder.

Edit the file type (.js, .vba, .whatever), and set another action as default. For example, notepad, to edit it.

Problem solved

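The file-type change JohnHell describes lives in the registry too, and it can be inspected and applied from PowerShell. The script below is an added example for this thread, not JohnHell's own procedure: it resolves each script extension to its ProgID under HKEY_CLASSES_ROOT (for example .js to JSFile), lists the verbs that ProgID offers, and can make the "Edit" verb the default, so a double-click opens the file in Notepad while "Open" stays available in the right-click menu and an explicit `wscript.exe file.js` keeps working, because WSH itself is left enabled. Assumptions to check on your own machine before applying: the ProgIDs and the "Edit" verb pointing at Notepad are what a stock Windows install registers, the function names are this example's own, and a per-user "Open with" choice made in Explorer takes precedence over the ProgID default.

```powershell
# Added example (not from the forum post): inspect and change the default Explorer action for
# script file types, the mitigation JohnHell describes. Explorer uses the "Open" verb (WScript.exe)
# unless the ProgID's Shell key has a (default) value naming another verb.

$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

# Resolve an extension to its ProgID via the merged HKCR view; $null if the extension is unregistered.
function Get-ScriptProgId {
    param([string]$Extension)
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path -Path $extKey)) { return $null }
    (Get-ItemProperty -Path $extKey).'(default)'
}

# One row per extension: ProgID, the verbs it offers, and which verb is currently the default.
function Get-ScriptFileActions {
    foreach ($ext in $ScriptExtensions) {
        $progId  = Get-ScriptProgId -Extension $ext
        $verbs   = @()
        $default = $null
        if ($progId) {
            $shellKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell"
            if (Test-Path -Path $shellKey) {
                $verbs   = (Get-ChildItem -Path $shellKey).PSChildName
                $default = (Get-ItemProperty -Path $shellKey).'(default)'
            }
        }
        [pscustomobject]@{
            Extension   = $ext
            ProgId      = $progId
            Verbs       = ($verbs -join ', ')
            DefaultVerb = if ($default) { $default } else { 'Open (implicit)' }
        }
    }
}

# Make $Verb the default for every script ProgID that actually has that verb.
# Scope User writes a per-user override under HKCU\Software\Classes (no elevation needed);
# Scope Machine writes HKLM\Software\Classes and affects all users.
function Set-ScriptDefaultVerb {
    param(
        [string]$Verb = 'Edit',
        [ValidateSet('Machine', 'User')][string]$Scope = 'User'
    )
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    foreach ($ext in $ScriptExtensions) {
        $progId = Get-ScriptProgId -Extension $ext
        if (-not $progId) { continue }
        if (-not (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\$progId\Shell\$Verb")) {
            Write-Warning "$progId has no '$Verb' verb; left unchanged"
            continue
        }
        $shellKey = "$hive\Software\Classes\$progId\Shell"
        if (-not (Test-Path -Path $shellKey)) { New-Item -Path $shellKey -Force | Out-Null }
        Set-ItemProperty -Path $shellKey -Name '(default)' -Value $Verb
    }
}

Get-ScriptFileActions | Format-Table -AutoSize
# Set-ScriptDefaultVerb -Verb 'Edit' -Scope User   # uncomment to apply, then re-run the audit above
```

The audit table is worth reading before applying anything: if the Verbs column for a ProgID does not contain "Edit", the function skips it rather than pointing the default at a verb that does not exist. To revert, delete the (default) value of the Shell key you wrote (under HKCU:\Software\Classes\<ProgID>\Shell for the per-user scope).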
Re: New RAA Ransomware created entirely using JavaScript
Posted by: rodocop
Date: June 24, 2016 10:03PM

JohnHell,

what a wonderful savvy way of thinking and getting things done! I'm in awe!

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 25, 2016 06:29AM

Quote (JohnHell):
You are making things harder.

Edit the file type (.js, .vba, .whatever), and set another action as default. For example, notepad, to edit it.

Your advice is fine but only as long as you don't have tools to run which need an interpreter/wscript.exe.
If I'd change the file association, the script would be passed to notepad or whatever I'd set the association for and thus not running anymore.

Using my method, the script remains functional within a .RAR/.ZIP file but stops working outside the rared/zipped file due to the registry setting which disables the Script Host. So your scripts can run within the .ZIP files while all other scripts outside a packed file will be prevented from executing.

Edit:
Sorry JohnHell, after reading twice - of course your method works also fine.
In this case you change only file associations instead of disabling the Script Host and instruct per command your scripts to directly access the Script Host.



Edited 1 time(s). Last edit at 06/27/2016 10:00AM by Yogi.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: JamesD
Date: June 26, 2016 12:54AM

All this sounds good, but I am a little lost on how to convert my job to run from a zip file.

I press the Windows key and R to get the Run window, where one of my commands is as follows:
wscript.exe C:\users\murra\Desktop\pics7z.js

That runs this code which backs up fully 50% of my computer.

pics7z.js

/* pics7z.js by JamesD, version 1   2016-05-13

   store pictures and picture gallery

   WSH is part of Microsoft Internet Explorer 5.0 and newer. Latest version of WSH is
   available at http://msdn.microsoft.com/scripting/
*/

// Source folders (the trailing \* tells 7-Zip to archive the folder's contents)
var Current_PicFolder_Path  = "C:\\Users\\murra\\Pictures\\*";
var Current_PicGallery_Path = "C:\\Users\\murra\\Picture Gallery\\*";
var Current_VidFolder_Path  = "C:\\Users\\murra\\Videos\\*";
var WshShell = new ActiveXObject("WScript.Shell");
var SevenZip = "C:\\Program Files\\7-Zip\\7zG.exe";

// Output archives are named <month>_<day>_<name>.7z inside the backup folder on M:
var Outfile  = "M:\\7z_bkups";
var Today    = new Date();
var Outmo    = Today.getMonth() + 1;   // getMonth() is zero-based
var Outmoday = Today.getUTCDate();
var Thisday  = Outmo + "_" + Outmoday + "_";
var VidF_Outfile = Outfile + "\\" + Thisday + "Videos.7z";
var PicF_Outfile = Outfile + "\\" + Thisday + "Pictures.7z";
var PicG_Outfile = Outfile + "\\" + Thisday + "Picture Gallery.7z";

// Start 7-Zip (-mx0 = store without compression, -w = working folder) and poll until it
// exits (Status stays 0 while the process runs), so the archives are written one after another.
function ArchiveFolder(archive, source) {
    var oExec = WshShell.Exec(SevenZip + " a \"" + archive + "\" \"" + source + "\" -mx0 -w\"" + Outfile + "\"");
    while (oExec.Status == 0) {
        WScript.Sleep(100);
    }
}

WScript.Sleep(1000);

ArchiveFolder(VidF_Outfile, Current_VidFolder_Path);
WScript.Echo("One of three operations complete");

ArchiveFolder(PicG_Outfile, Current_PicGallery_Path);
WScript.Echo("Two of three operations complete");

ArchiveFolder(PicF_Outfile, Current_PicFolder_Path);
WScript.Echo("Three of three operations complete");



Re: New RAA Ransomware created entirely using JavaScript
Posted by: rodocop
Date: June 26, 2016 01:58AM

James,

why not just set associations as JohnHell said and convert your command to a CMD file?

Then simply change run command to execute this CMD...

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 26, 2016 08:11AM

@JamesD

Since one pic tells more than 1000 words, this is my method: pic

As you can see I click the script to execute within the rared file. Outside the rared file it won't work because of my reg setting (Script Host disabled).

Use whatever method works better for you. :)

Re: New RAA Ransomware created entirely using JavaScript
Posted by: siria
Date: June 26, 2016 08:39AM

Would it work from within a .jar file too?
Because KM treats those as folder path, if the ending is left out. Or only in certain conditions, no idea.
Then again... on my modern job computer the Explorer treats zip-files as folder too. Perhaps it would work by just adding the vbs after the zip path... with or without the folder ending... just a thought, may well be wrong ;-)



Edited 1 time(s). Last edit at 06/26/2016 08:42AM by siria.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 27, 2016 10:12AM

@Siria

- I don't have the Java SDK installed. I assume you need it to create .jar files.

- As far as I can follow you, it would make no sense to add the vbs after the zip path.
If the Script Host is disabled I assume that it won't work, and if the Script Host isn't disabled then the zip makes no sense.
However, you could test if my assumption is right or wrong. :)

@JohnHell

See my edited post above. :)



Edited 1 time(s). Last edit at 06/27/2016 10:14AM by Yogi.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: siria
Date: June 27, 2016 10:31AM

Uhm, I had hoped that you could test, since you can do those zip-tests :D
No, I don't have Java here on 98 either, but obviously KM just unzips them to run, no Java needed. The chrome-folder contains some natively, like console2.jar etc., and KM-old-version "addons" must be contained as *.jar too.
KM-URL e.g.
chrome://console2/content/console2.xul
shows KM/chrome/console2.jar (which unzipped contains console2.xul)



Edited 1 time(s). Last edit at 06/27/2016 10:35AM by siria.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: JamesD
Date: June 27, 2016 01:09PM

Yogi

I have done something wrong. I added the dword to the registry and I get the correct error message when trying to use wscript. However I cannot seem to get the js file to run from a zip file.

I first put the command "wscript.exe C:\users\murra\Desktop\pics7z.js" in a bat file and zipped it and tried to click on the bat file in the zip. Got the error message.

Next I zipped the pics7z.js file and tried to click on that when the zip file was open. Got the error message.

Obviously I cannot read your picture correctly.


Edit: Forget all above. K-Meleon handles problem just fine.

Had thought I would have a problem with other wscript stuff once I had the enabled set to zero. Not so. Items with exec ("wscript") work just fine. Therefore I set the backups of pics to be run from KM. I moved the js file to macros in my profile.

Pics7z.kmm

#  K-Meleon Macros (http://kmeleon.sourceforge.net/wiki/index.php?id=MacroLanguage2)
#
# ---------- Pics7z.kmm
# ---------- K-Meleon Macro Language to run wscript backup of pictures, and videos   --
#
# Dependencies		: main.kmm
# Resources			: Pics7z.js
# Preferences		: -
# Version			: 1.0   2016-06-27
# --------------------------------------------------------------------------------------

_Pics7z_Staged {
	$_Pics7z_Staged_Flag = true ;
	}
	
_Pics7z_ExitRun {
	$_Pics7z_Staged_Flag == true ? exec("wscript.exe \"".$_Pics7z_Path."\" ") : 0 ;
	}

_Pics7z_BuildMenu{
	setmenu("&Tools",macro,"Backup Pic and Vid to M as 7z",_Pics7z_Staged, Misc);
	}

_Pics7z_GetPath{
### Pics7z.js is supposed to be located in the same folder as Pics7z.kmm (this file).
### If it isn't, Windows Script Host will notify the user.
### Double underscore makes variable local only.
$__Data=readfile(getfolder(MacroFolder)."\\Pics7z.kmm");
$_Pics7z_Path=getfolder($__Data==""?UserMacroFolder:MacroFolder)."\\Pics7z.js";
#  set global variables
$_Pics7z_Staged_Flag = false;
}

$OnQuit=$OnQuit."_Pics7z_ExitRun;";
$OnStartup=$OnStartup."_Pics7z_GetPath;";
$OnInit=$OnInit."_Pics7z_BuildMenu;";
#--------------------------------------------
$macroModules=$macroModules."Pics7z;";



Edited 1 time(s). Last edit at 06/27/2016 01:56PM by JamesD.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 27, 2016 04:43PM

Quote (siria):
Uhm, I had hoped that you could test, since you can do those zip-tests :D

Anybody with an archiver can do those tests too. :P
It was rather by coincidence than by zip testing that I discovered that scripts started within an archive can bypass the registry setting for Script Host.

Quote (siria):
but obviously KM just unzips them to run, no Java needed. The chrome-folder contains some natively, like console2.jar etc., and KM-old-version "addons" must be contained as *.jar too.

Unzipping a .jar archive is not the problem. You don't need the Java SDK for that. I assume that even all browsers can unpack some archive formats, be it .zip or .jar. To create a .jar archive you either need special software or you can do it per CMD assuming that you have the Java SDK installed. At least that's my understanding.
Anybody feel free to correct me if I'm wrong (again). :)

@James

I'm glad that it works. :)

BTW, did you check if your reg setting for Script Host has any effect at all?
I'm asking because I have made a short test. I made a dummy file with a .js extension. Then I tried to run the script from the command line.
I was prompted with a message that access to Script Host is deactivated on this computer.



Re: New RAA Ransomware created entirely using JavaScript
Posted by: JamesD
Date: June 27, 2016 05:17PM

Quote (Yogi):
BTW, did you check if your reg setting for Script Host has any effect at all?
I'm asking because I have made a short test. I made a dummy file with a .js extension. Then I tried to run the script from the command line.
I was prompted with a message that access to Script Host is deactivated on this computer.

Yes, I get the same message now.

I never did get the zip thing to work. Still got the message when trying that.

I did find that js files would work when called by K-Meleon. That is the method that I am using.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: JamesD
Date: June 27, 2016 05:28PM

A new piece of information that I just came across.

http://www.neowin.net/news/facebook-malware-spreading-to-users-via-google-chrome

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 27, 2016 06:28PM

Quote (JamesD):
I did find that js files would work when called by K-Meleon.

That's normal and applies to any browser.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: JohnHell
Date: June 27, 2016 06:46PM

Quote (Yogi):
Edit:
Sorry JohnHell, after reading twice - of course your method works also fine.
In this case you change only file associations instead of disabling the Script Host and instruct per command your scripts to directly access the Script Host.

Yep.

Also, you still have the command from the context menu. You are not losing anything. It just changes the default behavior, so, in case of accident, nothing happens.

It is enough to be able to use scripts and prevent execution.

Tomorrow, they (crackers) will spread a .lnk+.js/.vbs, people would click the .lnk (wscript.exe blah,blah) and voilà.

I couldn't run scripts within compressed files either.

Insights of K-meleon should work. Web JS aren't system JS.

Distributed macros/extensions, just change how to call them, unless it is disabled in the target system, of course.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: siria
Date: June 27, 2016 07:15PM

Quote (JamesD):
A new piece of information that I just came across.
http://www.neowin.net/news/facebook-malware-spreading-to-users-via-google-chrome

Quote (from the linked article):
For now, we advise users of Facebook to be extra careful of what they click on, and stay away from elements that might compromise their accounts.

As usual, just great. The only advice they ever have is "be extra careful". Ha ha... as if malware wouldn't long since be able to pretend coming from a friend or business contact, and one would have to be clairvoyant to realize it's fake! The only real chance of protection would be blocking JS (at least when it's not absolutely needed), or looking inside emails in plain text format first (e.g. using popman), disabling mail preview etc., but this is never even mentioned.
Always gives me the impression those warnings are just pretending, in reality they WANT people to stay vulnerable and fall into such traps. "Be careful"... ha ha... and how to become clairvoyant with a fake sender??

Most pages still work without really needing JS. What may not work fully, is loading unwelcome stuff. Like ads - and malware... But beware that people may block that! So such ridiculous "be cautious" warnings are in reality just trying to give people a fake sense of self-protection. But if they really want to protect themselves and are blocking some things they are advised to go back into caves. Yeah right, their words can be ignored, their actions are telling they WANT to keep people as vulnerable as possible.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: Yogi
Date: June 28, 2016 12:11AM

Quote (JohnHell):
I couldn't run scripts within compressed files either.

I see. My bad.

I should have been more thoughtful when proposing to open scripts within an archive.
While it works fine with clickable scripts like .vbs it can't be applied to file.js, since you can't tell per CMD: open file.js residing in C:\path\file.zip. :)
In my case I just have to open the archive and click on the .vbs inside. This way it works like a charm with Script Host disabled.
That's how I use UniConvertor. It's a tool that converts different vector graphic formats to .svg. It's a fine little utility that can handle even files which Inkscape or some online converters can't.

The final point is, you are right, the only viable way to execute all kind of scripts is to change file associations and leave Script Host enabled.



Edited 1 time(s). Last edit at 06/28/2016 12:24AM by Yogi.

Re: New RAA Ransomware created entirely using JavaScript
Posted by: rodocop
Date: June 29, 2016 07:08PM

Quote (JamesD):
A new piece of information that I just came across.

http://www.neowin.net/news/facebook-malware-spreading-to-users-via-google-chrome

I repeat this for more than a year here in Russia: all the facebook-related malware is Chrome-based.
