Featured Article
VBS/Bubbleboy
VBS/Bubbleboy is the first virus that is able to propagate itself via email, without having to
open an attachment. This means all you have to do is highlight the
email and it will activate the virus.
It achieves this by exploiting security holes that exist in the treatment of ActiveX controls.
As stated by Microsoft on their MS99-032 Security Bulletin page:
"Microsoft has released a patch that eliminates security
vulnerabilities in two ActiveX controls. The net effect of the vulnerabilities is that a web page could take unauthorized action against a person
who visited it. Specifically, the web page would be able to do anything on the computer that the user
could do."
Frequently asked questions regarding this vulnerability can be found on Microsoft's
web site.
The infected email will include the following:
From: {name of infected user}
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
The website to which the URL in the message body points does not actually exist.
The message actually contains an embedded HTML file which contains the viral Visual
Basic Script (VBS) code.
Assuming certain criteria are met the virus will activate:
- The machine has Internet Explorer 5, WSH and Outlook or Outlook Express installed
- The machine is running Windows 95/98
- The machine has not had the patch referred to in the MS99-032 Security Bulletin applied
- The security settings of the Internet zone in Internet Explorer are not set to 'High' then the viral code will run when the email is opened (and also when the email is previewed
in Outlook Express).
Upon running, a file (UPDATE.HTA) is dropped into the Windows startup directory. Upon
restarting therefore, UPDATE.HTA executes, and proceeds to edit the Registry:
- The registered owner of Windows is changed to 'Bubbleboy'
- Organization is changed to 'Vandelay Industries'
- A key is added as a marker
(key - HKEY_LOCAL_MACHINE \Software \OUTLOOK.BubbleBoy, value=
OUTLOOK.BubbleBoy 1.0 by Zulu)
- VBS/Bubbleboy mails a copy of itself to all the addresses listed in all the Outlook
address books.
We advise you to visit the web site of your antivirus product vendor
and obtain the latest updates that will ensure protection.