-Z- (Z@Gundam.Com)
Wed, 10 Nov 1999 20:22:06 -0800


Here we go again, folks, this time with one that doesn't need human
intervention if you're using Outlook Express with Preview.

This Virus Alert is only for Windows 9x and Windows 2000 computers with
Internet Explorer 5.0 installed.

A new class of worm virus, called "Bubbleboy" (named after a Seinfeld
episode), has been discovered. Delete (DO NOT OPEN!) any email with the
subject "Bubbleboy is Back!".

In Microsoft Outlook, the virus will launch if you just open the email.
This is contrary to everything that has been taught about self-executing
infected emails. In Outlook Express, the worm is automatically activated
if just "Preview Pane" is used.

Virus Name: VBS/Bubbleboy

Date Added: 11/8/99

Virus Characteristics:

This is an Internet worm that requires Internet Explorer 5 with Windows
Scripting Host installed (WSH is standard in Windows 98 and Windows 2000
installations). It does not run on Windows NT due to hard-coded
limitations. The Internet worm is embedded within an email message of HTML
format and does not contain an attachment. This worm is written in VB
Script. There are two variants; the .b variant is encrypted.

In MS Outlook, this worm requires that you "open" the email. It will not
run if using "Preview Pane".

In MS Outlook Express, the worm is activated if "Preview Pane" is used!

In both the above, if security settings for Internet Zone in IE5 are set to
High, the worm will not be executed. The vulnerability exploited by this
worm has been addressed by Microsoft with a security patch. Installing this
Internet Explorer patch will prevent the execution of this worm under
default security settings.

Microsoft "scriplet.typelib/Eyedog" Patch:
http://www.microsoft.com/security/Bulletins/ms99-032.asp

After the VB Script executes, it writes the file UPDATE.HTA to the local
machine and during the next Windows startup, the .HTA file is invoked. The
UPDATE.HTA file is coded to do the following:

* Change the registered owner via the registry to "BubbleBoy"

* Change the registered organization to "Vandelay Industries"

* Send itself embedded in an email message to EVERY contact in EVERY EMAIL
ADDRESS BOOK of MS Outlook

* Set the registry key to indicate that the email distribution has
occurred. (Email distribution will not be repeated.)

The email is a message with the following information:

From: (person who sent worm unintentionally)
Subject: BubbleBoy is back!

Message Body: The BubbleBoy incident, pictures and sounds

http://www.towns.com/dorms/tom/bblboy.htm

(This is not a valid web page.)

Indications Of Infection:

File added to system:
C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA

Registry modifications:
HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu
or
HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries

-Z-

-
Gundam Mailing List Archives are available at http://gundam.aeug.org/
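
The "Indications Of Infection" listed in the message above can be checked offline. The following is an added example, not part of the original post or of any vendor tool: it assumes the registry has been exported to REGEDIT4 text and that a list of file paths from the machine is available. The function names and the sample data are constructed for illustration.

```python
import re

# Indicators from the advisory above; keys and data are compared case-insensitively.
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
CV_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
DROPPED_FILE = r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA"
# Constructed sample input (not from a real machine): REGEDIT4 export + file list.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.Bubbleboy 1.1 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubbleboy"
"RegisteredOrganization"="Example Org"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA"]

def parse_reg_export(text):
    """Parse string values of a REGEDIT4 export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            name = m.group(1).strip('"').lower()  # "@" is the key's default value
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def find_indicators(reg_text, file_paths):
    """Return a list of the advisory's indicators found in the supplied data."""
    keys, hits = parse_reg_export(reg_text), []
    marker = keys.get(MARKER_KEY.lower())
    if marker is not None:
        hits.append("marker key present: " + marker.get("@", "(no default value)"))
    cv = keys.get(CV_KEY.lower(), {})
    if cv.get("registeredowner", "").lower() == "bubbleboy":
        hits.append("RegisteredOwner = Bubbleboy")
    if cv.get("registeredorganization", "").lower() == "vandelay industries":
        hits.append("RegisteredOrganization = Vandelay Industries")
    if any(p.lower() == DROPPED_FILE.lower() for p in file_paths):
        hits.append("UPDATE.HTA in StartUp folder")
    return hits

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE_REG, SAMPLE_FILES)) or "no indicators")
```

Because the worm sets the marker key only after mailing itself, a machine can show the StartUp file alone if it was caught before the next Windows startup.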