Windows Scripting Host and Fake Antivirus

As a follow-up to my previous post about the Windows Scripting Host (WSH), I should mention that I have seen a bunch of fake antivirus website pop-ups attempt to load a file called setup.exe.vbe by downloading the file via the browser and attempting to get wscript.exe to execute the malicious script. I have noticed that not all of these attempts have been caught by antivirus and virtually none of them by vendor-supplied network-based IPS signatures.

If you monitor change activity on your hosts, look for attempts by wscript.exe to execute a file called setup.exe.vbe and confirm that none of them succeeded.
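As an added illustration of that host-side check (example code written for this post, not something from the original article), the script below scans process-creation records for a Windows Script Host binary launching a script with a decoy double extension such as setup.exe.vbe, or a script sitting in a browser download or temp directory. It generalises the post's single indicator to cscript.exe and the other script types WSH runs; the pipe-delimited record format and the sample events are constructed for the example, so adapt the parser to whatever your endpoint telemetry actually emits.

```python
import re
from collections import namedtuple

# Constructed sample process-creation records for this example (Image|CommandLine|ParentImage);
# these are invented lines, not captured telemetry.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\bob\Downloads\setup.exe.vbe"|C:\Program Files\Internet Explorer\iexplore.exe',
    r'C:\Windows\System32\wscript.exe|wscript.exe //nologo C:\Scripts\inventory.vbs|C:\Windows\explorer.exe',
    r'C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\Downloads\setup.exe.vbe|C:\Windows\explorer.exe',
    r'C:\Windows\System32\cscript.exe|cscript.exe C:\Users\bob\AppData\Local\Temp\invoice.pdf.vbe|C:\Program Files\Internet Explorer\iexplore.exe',
]

WSH_HOSTS = {"wscript.exe", "cscript.exe"}             # the two Windows Script Host binaries
SCRIPT_EXTS = (".vbe", ".vbs", ".jse", ".js", ".wsf")  # script types WSH will run
# A decoy extension in front of the real script extension, e.g. setup.exe.vbe
DOUBLE_EXT = re.compile(r"\.(exe|pdf|doc|xls|jpg|txt)\.(vbe|vbs|jse|js|wsf)$", re.I)
# Directories a browser download or a dropper typically writes into
DROP_DIRS = re.compile(r"\\(Downloads|Temp|AppData)\\", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')                 # quoted path or bare argument

Finding = namedtuple("Finding", "host script parent reasons")

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted paths intact."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]

def inspect(image, cmdline, parent):
    """Return a Finding if a WSH host is launching a suspicious script, else None."""
    host = image.rsplit("\\", 1)[-1].lower()
    if host not in WSH_HOSTS:
        return None
    for arg in tokens(cmdline)[1:]:
        # skip host switches such as //nologo and anything that is not a script file
        if arg.startswith("/") or not arg.lower().endswith(SCRIPT_EXTS):
            continue
        reasons = []
        if DOUBLE_EXT.search(arg):
            reasons.append("double extension")
        if DROP_DIRS.search(arg):
            reasons.append("user-writable drop directory")
        if reasons:
            return Finding(host, arg, parent, tuple(reasons))
    return None

def analyze(lines):
    """Run inspect() over pipe-delimited process-creation records, keeping only hits."""
    findings = (inspect(*line.split("|", 2)) for line in lines)
    return [f for f in findings if f]
```

Pair a hit with the outcome of the launch (exit status, child processes, files written) so you can tell a blocked attempt from a successful one, which is the distinction the post asks you to confirm.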