Last Updated: 2016-06-18 02:56:19 UTC
by Rob VandenBrink (Version: 2)
We can see this in the registry at:
computer\hkey_classes_root\.js = jsfile
and you'll find "jsfile" as a key:
computer\hkey_classes_root\jsfile = wshext.dll
Or, when you check the file extension in explorer, Shazam!, it's Windows Script Host!
Worse yet, when you receive a JS file in an email, you'll see an icon that makes it look like it's a text or document file of some kind. On top of all of that, a common spam practice we're seeing, which makes this even more confusing for the folks reading their mail, is a "double extension" approach: these arrive as "corporate layoffs.doc.js", "bonus Q2.xls.js" or "ups shipping notice.pdf.js". When one of these shows up in your mail client, by default Windows (not so helpfully) won't display the "known file extension" .js, so your folks will see them as Word docs, Excel sheets or PDF files.
In the spirit of "defense in depth" though, let's assume that one of our trusted business partners (who might be whitelisted in the spam filter) or one of our internal users (internal mail doesn't typically go through the spam filter) is already compromised. How do we protect our users in those scenarios? Let's re-associate the .JS file extension with something that won't actually execute the file. How about notepad?
To do this for a single workstation, right-click on a .js file and open it with notepad, making sure to tick the "always use the selected program to open this kind of file" box when you do.
For an entire organization, you can force the file association in Group Policy, at Computer Configuration / Preferences / Control Panel Settings / Folder Options, then add "New" / File Type.
You can see here that we can change how the file opens, and even change the icon that's being displayed.
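As an added example (not from the diary), here is the scripted equivalent of the single-workstation step: it reads the .js association from HKEY_CLASSES_ROOT, reports whether a double-click would still hand the file to Windows Script Host, and if so repoints the open verb and icon at notepad. It assumes an elevated PowerShell prompt on the workstation being fixed; the function names are my own.

```powershell
# Added example, not from the diary: audit the .js association and, if it still
# points at Windows Script Host, repoint the open verb at Notepad.
# Assumption: run from an elevated PowerShell prompt on the workstation being fixed.
# For a whole domain, the Group Policy Preferences path described above is the right tool.

# The registry provider has no HKCR: drive by default, so map one.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-JsHandler {
    # Returns the ProgID that .js maps to (normally JSFile) and the command that ProgID runs.
    $progId = (Get-ItemProperty -Path 'HKCR:\.js' -ErrorAction SilentlyContinue).'(default)'
    $cmd = $null
    if ($progId) {
        $cmd = (Get-ItemProperty -Path "HKCR:\$progId\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = '.js'; ProgId = $progId; OpenCommand = $cmd }
}

function Test-JsRunsWithWsh {
    # True when opening a .js file would hand it to wscript.exe or cscript.exe.
    $h = Get-JsHandler
    return [bool]($h.OpenCommand -match '\b[wc]script\.exe\b')
}

function Set-JsOpensInNotepad {
    # Repoint the existing ProgID's open verb at Notepad and swap the icon, so the
    # file both opens as text and looks like text in Explorer and mail clients.
    $h = Get-JsHandler
    if (-not $h.ProgId) { throw 'No ProgID is registered for .js; nothing to remap.' }
    $base = "HKCR:\$($h.ProgId)"
    Set-ItemProperty -Path "$base\shell\open\command" -Name '(default)' `
        -Value '"%SystemRoot%\System32\notepad.exe" "%1"' -Type ExpandString
    if (-not (Test-Path "$base\DefaultIcon")) { New-Item -Path "$base\DefaultIcon" | Out-Null }
    Set-ItemProperty -Path "$base\DefaultIcon" -Name '(default)' `
        -Value '%SystemRoot%\System32\notepad.exe,0' -Type ExpandString
}

# Usage: report first, change only if needed, then re-check.
if (Test-JsRunsWithWsh) {
    Write-Host ".js currently opens with: $((Get-JsHandler).OpenCommand)"
    Set-JsOpensInNotepad
}
Write-Host ".js now opens with: $((Get-JsHandler).OpenCommand)"
```

Two caveats: a per-user "Open with" choice (stored under HKCU ...\Explorer\FileExts\.js\UserChoice) takes precedence over HKCR, which is one reason the Group Policy route is preferable for a fleet. This only changes what "open" does; a script handed to wscript.exe explicitly still runs, so treat it as one layer of the defense in depth the diary describes.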
So if you're walking around the office, you can look for the screen that has 10 or 12 notepad files of code open, and feel good that there's one that didn't get infected! Or more likely (and sadly), check that machine to see how *else* they found to get infected :-)