
The following message was forwarded to me by a friend:

From: "Leo Rousseau" <yoga@net1plus.com>
Subject: VIRUS WARNING!
Date: Fri, 12 Nov 1999 10:27:47 -0500

Hi to All

As a "List Owner / Operator" it is my duty to inform you of this new computer virus.

The following should be taken seriously - it is the first of a new and dangerous strain of virus that affects only Outlook or Outlook Express users. You don't even need to open the mail anymore, just preview it on screen.

Netscape users have nothing to worry about.

Microsoft has provided a patch to fix this problem. You can find it at http://www.microsoft.com/security/Bulletins/ms99-032.asp

There are several free "patches" provided by Microsoft for the windows system. Please spend the time to update your software with ALL the security patches. Thank You.

The actual e-mail message will come to a user's system with the "from" line referring to the person who unintentionally sent it and the subject line reading, "BubbleBoy is back!" The body of the message will contain a black screen and the text, "The BubbleBoy incident, pictures and sounds," along with an invalid URL ending in "bblboy.htm."

You need not read any further unless you are curious.

New virus or worm information.

BubbleBoy only requires that the email be previewed on the Inbox screen of Microsoft Outlook and Outlook Express. As soon as the email is highlighted, without even clicking on the mouse, it infects the computer.

Security vendors have also found that if the worm is discovered before it infects a machine, it can be removed before it spreads the damage further.

BubbleBoy, upon infection, will leave a new file, Update.hta, in the C:\Windows\Start Menu\Programs\Startup directory. When an infected system reboots, the worm will then send itself to the names in the address book.

Before restarting a computer however, it is possible to delete Update.hta, along with the original message, to halt the infection before it can spread.

The worm utilizes a known security hole, that you can patch, in Microsoft Outlook/IE5. It inserts a script file, UPDATE.HTA, when the email is viewed. It is not necessary to detach and run an attachment. BubbleBoy will infect users running Microsoft Outlook and Outlook Express. In Outlook, this worm requires that you open the e-mail message, and will not run if the message is viewed through the "Preview Pane." In Outlook Express, the worm activates even if the infected e-mail message is only viewed through the "Preview Pane." In all cases, if the security settings for the Internet Zone in IE5 are set to High, the worm will not be executed.

Once activated, BubbleBoy will send itself to every contact in every Outlook or Outlook Express e-mail address book, but the worm itself does not carry a dangerous payload. BubbleBoy is a worm and not a virus because it is network aware, and it propagates itself using the same mass-mailing feature as the notorious Melissa virus.

Users will not immediately realize they have been infected, as there are no effects to a user's system other than the change - via the registry - of the system's registered owner and organization to "BubbleBoy" and "Vandelay Industries" respectively.

To infect a system, the Internet worm requires Internet Explorer 5 (IE5) with Windows Scripting Host installed, which is standard in Windows 98 and Windows 2000 installations. It does not seem to run on Windows NT, at this time.

After infecting a system, BubbleBoy will set a registry key to indicate that the e-mail distribution has occurred, and subsequent re-infections of BubbleBoy will not spread again from the same machine.

The actual danger from BubbleBoy is low, as it does not include a dangerous payload, and security vendors stress that no one has actually been infected with the worm as of yet, but the danger of so many infected e-mail messages launching from an e-mail system at once could be devastating enough.

"If it were to really kick in, it could get worse than the fury of Melissa," said Vincent Gullotto, director of the Anti-Virus Emergency Response Team for NAI. "Because it's everybody in every single address book that you have."

BubbleBoy was sent anonymously to several antivirus vendors and organizations, possibly by the worm writer, and has been posted to underground virus sites. Copycat viruses that utilize BubbleBoy techniques are almost a certainty. "We fully expect this exploit to be utilized in the next year [by other viruses]," Gullotto said.

The first line of defense for users is to not open any e-mail messages with the subject line "BubbleBoy is back," and to set any filtering or content scanning systems to watch for and stop the same e-mailed subject line.

Antivirus vendors are currently offering updated virus recognition files to identify the attack.

Security vendor Trend Micro has also confirmed that an already-available patch from Microsoft will protect systems using IE5, according to Trend Micro's Schrader.

Because BubbleBoy is written in VB Script, it uses Microsoft Active X control mobile code to infect systems.
"This is using an Active X control that is marked as being safe to run," Schrader said. "It seems to use these Active X controls that are incorrectly marked for scripting. That's why you have to have the VB scripting enabled to let it work."

Schrader recommends that users update their security patches in IE 5 directly from Microsoft.
"Go to [the] 'Tools' [menu] {{in IE, or click the Start button on the Taskbar -scb}} and 'Windows Update.' It will take you to a Microsoft page that will install all the latest security patches," Schrader said. "There have been quite a number of security patches."
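A defender's check for the indicators the alert above lists, as an added example (Python, not part of the forwarded message or of any vendor tool): it parses a raw message for the subject line, the body text and the bblboy.htm URL, and scans a Startup folder and the registered owner/organization values for the changes described. The sample message and the temporary Startup folder are constructed; the registry key the values come from is my assumption, since the page names only the strings.

```python
# Added example (not from the forwarded alert): checks for the indicators the alert names.
import email, os, re, tempfile
from email import policy

SUBJECT_IOC = "bubbleboy is back"
BODY_IOC = "the bubbleboy incident, pictures and sounds"
URL_IOC_SUFFIX = "bblboy.htm"
STARTUP_IOC = "update.hta"
REGISTRY_IOCS = {"RegisteredOwner": "BubbleBoy", "RegisteredOrganization": "Vandelay Industries"}

def mail_indicators(raw_message: str) -> list:
    """Names of the BubbleBoy mail indicators present in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_IOC in (msg["subject"] or "").lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body else ""
    if BODY_IOC in text:
        hits.append("body_text")
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    if any(u.endswith(URL_IOC_SUFFIX) for u in urls):
        hits.append("url")
    return hits

def host_indicators(startup_dir: str, registry_values: dict) -> list:
    """Check the Startup folder for Update.hta and the owner/organization strings.
    registry_values is read by the caller from the Windows CurrentVersion key (assumed)."""
    try:
        names = {n.lower() for n in os.listdir(startup_dir)}
    except OSError:
        names = set()
    hits = ["startup_hta"] if STARTUP_IOC in names else []
    hits += [k for k, bad in REGISTRY_IOCS.items() if registry_values.get(k) == bad]
    return hits

def demo_host_check() -> list:
    """Scan a throwaway Startup folder holding an empty Update.hta (constructed)."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "Update.hta"), "w").close()
        return host_indicators(d, {"RegisteredOwner": "BubbleBoy"})

# Constructed sample mirroring the alert's description; not a real capture.
SAMPLE = """Subject: BubbleBoy is back!
Content-Type: text/html

<html><body bgcolor="black">The BubbleBoy incident, pictures and sounds
<a href="http://example.invalid/bblboy.htm">link</a></body></html>
"""
```

Run mail_indicators over each inbound message and treat any hit as a reason to quarantine before the message reaches a preview pane; host_indicators is the post-delivery check to run before the reboot that triggers the mail-out.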