VBS:Bubbleboy

VBS:Bubbleboy was found in November 1999. It is the first view-activated Internet worm capable of infecting Windows 98 and Windows 2000 with Outlook and Internet Explorer installed. The worm arrives directly within an email message and executes automatically when the message is read on machines running Outlook or Outlook Express, without requiring the recipient to open any attachment. It uses embedded HTML and VBS code. Bubbleboy is not reported to be in the wild, has no dangerous payload, and seems to be a "proof-of-concept" virus. Other viruses that use a similar method will probably appear in the near future. Such viruses could have more malicious payloads and more advanced infection techniques.

Bubbleboy requires Internet Explorer 5 with Windows Scripting Host installed (the latter is standard in Windows 98 and Windows 2000). The virus infects users running Microsoft Outlook and Outlook Express. In Outlook, it requires that the user "opens" the infected email. In Outlook Express, Bubbleboy activates even if the email is only viewed through the "Preview Pane". When the security settings for the Internet Zone in IE5 are set to High, the worm is not executed.

When executed, Bubbleboy sends itself to every contact in every email address book of Outlook or Outlook Express. It then sets a registry key to indicate that the email distribution has occurred, so that subsequent Bubbleboy arrivals will not spread. It also drops the file UPDATE.HTA into the STARTUP directory. The worm is able to infect only the English and Spanish versions of the Windows operating system. There are two variants of it; the other variant is encrypted.

The virus tries to change the system's registered owner and organization (via the registry) to "BubbleBoy" and "Vandelay Industries". The email message that carries the virus contains the following information:

    From:
    Subject: BubbleBoy is back!
    Body: The BubbleBoy incident, pictures and sounds

Protection:

Microsoft released a patch on 31 August 1999 which can handle the unwanted VBS scripting. You can find it at http://www.microsoft.com/security/Bulletins/ms99-032.asp .
You may also wish to set the security setting for Internet Explorer 5.0 to High. Also, if Windows Scripting is not needed, it should be uninstalled. Companies can also use a filtering mechanism at the email gateway to stop email messages containing the subject line "BubbleBoy is back!".
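
An added example, not part of the original entry or any vendor's product: a minimal Python gateway check for the subject-line filter described above. It decodes and unfolds the Subject header before matching and, going one step beyond the subject filter, flags HTML parts that contain a script element; the verdict names and the sample messages are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

BLOCKED_SUBJECT = "bubbleboy is back!"  # subject line listed in this entry
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def normalized_subject(msg) -> str:
    """Decoded (RFC 2047), unfolded, whitespace-collapsed, case-folded subject."""
    subject = str(msg["Subject"] or "")
    return re.sub(r"\s+", " ", subject).strip().casefold()

def html_has_script(msg) -> bool:
    """True if any text/html part carries a <script> element."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            body = part.get_content()
        except (LookupError, UnicodeError):  # unknown or broken charset label
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
        if SCRIPT_TAG.search(body):
            return True
    return False

def verdict(raw: bytes) -> str:
    """Hypothetical gateway policy: 'block', 'quarantine' or 'deliver'."""
    msg = message_from_bytes(raw, policy=policy.default)
    if BLOCKED_SUBJECT in normalized_subject(msg):
        return "block"
    if html_has_script(msg):
        return "quarantine"
    return "deliver"

# Constructed sample messages (not captured traffic).
PLAIN = b"From: a@example.test\r\nSubject: BubbleBoy is back!\r\n\r\nhi\r\n"
FOLDED = b"Subject: BUBBLEBOY\r\n  is\r\n back!\r\n\r\nhi\r\n"
ENCODED = (b"Subject: =?utf-8?B?" + base64.b64encode(b"BubbleBoy is back!")
           + b"?=\r\n\r\nhi\r\n")
HTML = (b"Subject: photos\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><SCRIPT language=VBScript></SCRIPT></body></html>\r\n")
CLEAN = b"Subject: Meeting notes\r\nContent-Type: text/plain\r\n\r\nagenda\r\n"

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("folded", FOLDED), ("encoded", ENCODED),
                      ("html", HTML), ("clean", CLEAN)]:
        print(f"{name:8} -> {verdict(raw)}")
```

A plain substring match on the raw header bytes would miss the folded and encoded variants, which is why the header is parsed first.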

To remove the worm from an infected computer, simply delete the UPDATE.HTA file (usually found in the C:\WINDOWS\Start Menu\Programs\StartUp directory).
