For the first time an e-mail virus can be activated without the need to open an attachment from a message. VBS/BubbleBoy is a "proof-of-concept" e-mail worm that is spread via Outlook e-mail. The worm resides in an HTML e-mail message with the subject line of "BubbleBoy is back!".
The message in a BubbleBoy e-mail consists of an HTML page with embedded hidden Visual Basic Script code that will be executed without notifying the user if the user's Internet Explorer 5 security settings are set to medium or low. Visible content in the page consists of the text "The BubbleBoy incident, pictures and sounds" and a link to a Web page.
The message looks as follows:
From: (name of infected user) Subject: BubbleBoy is back! Body: The BubbleBoy incident, pictures and sounds
BubbleBoy uses a known Internet Explorer 5 exploit to write its code ("update.hta") in the Windows startup directory. When the computer is restarted the code executes. The worm is not compatible with all language specific versions of Windows. Additionally, if active scripting is disabled the worm will not work. Bubbleboy is only able to spread under Microsoft Outlook 98, Outlook 2000 and Outlook Express that comes with Internet Explorer 5. It does not replicate under Windows NT.
BubbleBoy's mass mailing payload is comparable to that of the Melissa virus. The worm first changes the owner's name to "BubbleBoy" and the organization's name to "Vandelay Industries" (of Seinfeld fame). The worm then sends a message to all entries in the Outlook address book of the user. BubbleBoy next sets a flag to automatically delete the message from the original user's inbox after it has been submitted to all of its recipients.
Additional information on the BubbleBoy worm is available here. Protection From BubbleBoy
One way to prevent the possibility of being infected with the BubbleBoy worm is to download the "scriptlet.typelib/Eyedog" Vulnerability Patch from Microsoft, which will eliminate the vulnerability in the ActiveX control compromised by BubbleBoy.
A second way is to update your virus scanner with the latest virus definition update. We will be updating this page as new virus definitions are released with detection and/or removal support for VBS/BubbleBoy. For now these are the updated definitions available: New Definition Files
Inoculan Virus Definition Update 5.44 - Released on 11/10/99. The 11/10/99 and later releases offer support for BubbleBoy. Additional information is available here.
F-Secure Anti-Virus Virus Definition Update - Released on 11/9/99. The 11/9/99 and later releases offer support for BubbleBoy. More information from F-Secure is available here.
If you use any of the above virus scanners, we recommend downloading the virus definition updates listed above immediately.
*Thanks to Balita.org for giving permission to repost this report.
WIRED! Philippines is a monthly online magazine published and hosted by KabayanCentral.com
Copyright 1999 KabayanCentral.com. All rights reserved.