DonkBoy Internet
Home of the famous
Information Archives.
"For the curious"

The old rules for protecting computers from e-mail-borne viruses
don't apply anymore. In the past, computer users were advised that
the only way their computer could catch a virus was by opening the
attachments that came with the virus-carrying e-mail.

According to Sal Viveros, group marketing manager for Total Virus
Defense at Network Associates Inc. [NASDAQ:NETA], a new virus,
first discovered about 10:00 PM PST last night, "blew all those
theories out of the water." That's how he described the new virus,
called "BubbleBoy," to Newsbytes.

What makes this new virus so potentially dangerous and infectious
is that this Internet-borne virus arrives embedded within an
e-mail message and automatically executes on machines running
certain popular e-mail applications, without requiring the
recipient to open any attachment.

According to Viveros, the first known example of the virus was sent
to AVERT (Anti-Virus Emergency Response Team), a division of NAI
labs at Network Associates Inc. Viveros told Newsbytes that AVERT
believes that the virus, which was sent anonymously, was actually
sent by the creator of the virus.

As of yet, Viveros said, there has been no indication that there
have been any other recipients of the virus. That is why, for now
at least, AVERT has given the virus a risk assessment of "Low."

According to AVERT and Network Associates, the BubbleBoy virus
carries no payload and is a "proof-of-concept" virus, setting the
stage for other viruses that could have more malicious payloads or
broader-reaching infection techniques.

Users will not immediately realize that they have been infected.
Other than the actions taken by the virus to spread itself in one
e-mail blast, there are no effects to a user's system other than
the change of the system's registered owner and organization (via
the registry) to "BubbleBoy" and "Vandelay Industries"
respectively.

However, Viveros cautioned that the virus could easily be modified
to become more malignant. The infection vehicle is an e-mail message
with a white-on-black color scheme and the following text:

From: (actual unknowing sender of the virus laden e-mail)
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds

The e-mail also includes an invalid URL (uniform resource locator)
ending in "bblboy.htm."

The BubbleBoy virus requires Internet Explorer 5 with Windows
Scripting Host (WSH) installed. WSH is standard in Windows 98 and
Windows 2000 installations.

The virus will infect users running Microsoft Outlook and Outlook
Express. In Outlook, this virus requires that the recipient "open"
the e-mail, and the virus will not run if the e-mail is only viewed
through the "Preview Pane."

In Outlook Express, the virus activates even if the e-mail is only
viewed through the "Preview Pane."

In all cases, if the security settings for the Internet Zone in IE5
are set to high, the virus will not be executed. Also, the virus
does not run on Windows NT.

Upon arrival on a non-infected system, BubbleBoy will send itself
to every contact in every e-mail address book of Outlook or Outlook
Express. It will then set a registry key to indicate that the
e-mail distribution has occurred, and subsequent BubbleBoy arrivals
will not spread.

The virus is written in VBScript, and two variants, one encrypted,
have been found to date.

According to Viveros, corporate customers should update their
antivirus software to combat BubbleBoy by updating the products as
prescribed by AVERT.

------------------------------------------------------------

2) BubbleBoy E-mail Worm an Industry First
------------------------------------------------------------

Forrest Stroud, CWS Apps

For the first time an e-mail virus can be activated without the
need to open an attachment from a message. VBS/BubbleBoy is a
"proof-of-concept" e-mail worm that is spread via Outlook e-mail.

The worm resides in an HTML e-mail message with the subject line of
"BubbleBoy is back!".

The message in a BubbleBoy e-mail consists of an HTML page with
embedded hidden Visual Basic Script code that will be executed
without notifying the user if the user's Internet Explorer 5
security settings are set to medium or low.

Visible content in the page consists of the text "The BubbleBoy
incident, pictures and sounds" and a link to a Web page.

BubbleBoy uses a known Internet Explorer 5 exploit to write its
code ("update.hta") in the Windows startup directory. When the
computer is restarted the code executes. The worm is not compatible
with all language specific versions of Windows.

Additionally, if active scripting is disabled the worm will not
work. BubbleBoy is only able to spread under Microsoft Outlook 98,
Outlook 2000 and the Outlook Express that comes with Internet
Explorer 5. It does not replicate under Windows NT.

BubbleBoy's mass mailing payload is comparable to that of the
Melissa virus. The worm first changes the owner's name to
"BubbleBoy" and the organization's name to "Vandelay Industries"
(of Seinfeld fame). The worm then sends a message to all entries in
the Outlook address book of the user. BubbleBoy next sets a flag to
automatically delete the message from the original user's inbox
after it has been submitted to all of its recipients.

Protection From BubbleBoy

One way to prevent the possibility of being infected with the
BubbleBoy worm is to download the "scriptlet.typelib/Eyedog"
Vulnerability Patch from Microsoft, which will eliminate the
vulnerability in the ActiveX control compromised by BubbleBoy.

A second way is to update your virus scanner with the latest virus
definition update.
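
Added example, not part of either article and not Network Associates' or Microsoft's code: a mail-gateway check in Python that decodes each HTML part of a message and reports the indicators quoted above (the subject line, "bblboy.htm", "update.hta", "scriptlet.typelib") together with any script-capable tag. The function names, the tag list and the sample message are assumptions of this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Strings quoted in the articles above; compared case-insensitively.
SUBJECT = "bubbleboy is back!"
BODY_STRINGS = ("bblboy.htm", "update.hta", "scriptlet.typelib")


# Collects tags that let an HTML body run code with no attachment involved.
class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "applet", "embed"):
            self.tags.add(tag)


def scan_message(raw: bytes) -> list:
    """Return sorted findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()
    if SUBJECT in str(msg.get("Subject", "")).lower():
        findings.add("subject:bubbleboy is back!")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes base64/quoted-printable first
        finder = ActiveContentFinder()
        finder.feed(html)
        findings.update("tag:" + t for t in finder.tags)
        findings.update("string:" + s for s in BODY_STRINGS if s in html.lower())
    return sorted(findings)


def build_sample(subject: str, html: str) -> bytes:
    """Constructed test message; the HTML part is base64-encoded on the wire."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(html, subtype="html", cte="base64")
    return m.as_bytes()


SAMPLE = build_sample(  # constructed; the script body is an inert placeholder
    "BubbleBoy is back!",
    "<body>The BubbleBoy incident <a href='http://example.invalid/bblboy.htm'>x</a>"
    "<script language='VBScript'>' placeholder</script></body>",
)
```

Because the sample's HTML part is base64-encoded, a plain byte search of the raw message for "bblboy.htm" finds nothing; the scan matches only after the part has been decoded.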
