Compute

What is the BubbleBoy Worm?
The BubbleBoy worm is a type of virus that is sent via email. Its primary purpose is to propagate itself. However, the potential of this virus or its variants is gigantic. It is the very first worm that is able to infect without the user opening an attachment. The worm executes immediately after the user has opened the message in Outlook or Outlook Express. The worm propagates as an Outlook message. This message does not have a separate attachment; the worm code is included in the message itself (HTML formatted). However, if active scripting is disabled, the worm will not work. The worm uses ActiveX features to open Outlook and use it to send itself to all recipients in all address books, as the Melissa virus does.

Download patch
Microsoft Patch for the "scriptlet.typelib/Eyedog" Vulnerability

Link to MS FAQ
Microsoft's FAQ regarding the problem.

Link to MS BubbleBoy doc
Microsoft's Web site specifically regarding the BubbleBoy virus.

Link to MS patch page
Microsoft's Web site for patch download.

The information provided on this page was taken from www.datafellows.com. Thank you.


Currently there are two known variants of this worm. The second one is encrypted.

Bubbleboy is only able to spread under Microsoft Outlook 98, Outlook 2000 and Outlook Express that comes with Internet Explorer 5. It does not replicate under Windows NT.

The message looks as follows:

From:      (name of infected user)
Subject:   BubbleBoy is back!
Body:      The BubbleBoy incident, pictues and sounds

The reference to Bubbleboy and the above link are references to a character in an episode in the TV show "Seinfeld". Although the link shown by the virus appears to be out of order, it is most likely the same page as available at http://www.toptown.com/dorms/rick/bblboy.htm

This page and its maintainer have nothing to do with the virus.

The receiver of the email gets infected and spreads the worm without clicking any attachment. The message does not even have any attachments.
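
A mail-gateway style check for the traits described above (the known subject line, active script inside the HTML body, and no attachment), as an added example that is not part of the original page. The function name `triage`, the tag pattern used to recognise active content, and both sample messages are assumptions constructed for illustration; the samples contain only an inert placeholder, not worm code.

```python
import re
from email import message_from_string, policy

# Subject line taken from the message description on this page.
KNOWN_SUBJECT = "BubbleBoy is back!"
# Assumption: embedded active content shows up as a <script> or <object> tag.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object)\b", re.IGNORECASE)

def triage(raw_message):
    """Return a list of findings for one RFC 822 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip() == KNOWN_SUBJECT:
        findings.append("known-subject")
    has_attachment = any(True for _ in msg.iter_attachments())
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # Script carried in the HTML body itself is what lets a message
        # act on open; the lack of an attachment removes the usual warning sign.
        if ACTIVE_CONTENT.search(part.get_content()):
            findings.append("script-in-html-body")
            if not has_attachment:
                findings.append("no-attachment")
            break
    return findings

# Constructed sample: HTML-only mail with an inert placeholder script tag.
SAMPLE_SUSPECT = (
    "From: user@example.com\n"
    "Subject: BubbleBoy is back!\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>The BubbleBoy incident, pictues and sounds\n"
    "<script language=\"VBScript\">' placeholder</script></body></html>\n"
)
# Constructed sample: ordinary HTML mail without active content.
SAMPLE_CLEAN = (
    "From: user@example.com\n"
    "Subject: Lunch\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body><p>Noon?</p></body></html>\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT), triage(SAMPLE_CLEAN))
```

The subject match only catches the message as described here; the script-in-body finding is the one that generalises to other mail of this kind.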

When the user receives such an email and opens it, the worm creates two files:
"C:\Windows\Start Menu\Programs\Startup\Update.hta" and
"C:\Windows\Menu Indicio\Programs\Inicio\Update.hta".

These locations specify the Windows startup directory for both English and Spanish versions. Therefore the worm will be executed after Windows has been restarted.

Then the worm uses the ActiveX feature to access the system registry. It changes the Windows registered owner to "BubbleBoy" and the organization to "Vandelay Industries". It also adds a key to mark that the emails have been sent.

The mass mailing is done only once per infected machine.

After mass mailing has been done, the worm will show a message box with the following text:

System error, delete "UPDATE.HTA" from the startup folder to solve the problem.

Bubbleboy uses a known security hole in Microsoft Outlook to create the local HTA file.

© 1999 Compute
Questions or Comments regarding this site can be directed to compute@localaccess.com
