What's this BubbleBoy virus I've heard about?
VBS/BubbleBoy is the first virus to infect users simply when they
read an email. It does not depend on the user opening an
attachment. The virus is an email-aware worm that forwards itself
to other users.
What does the email message look like?
The virus consists of an e-mail in the form:
From: <email user who has you in their address book>
Subject: BubbleBoy is back!
Message Text: The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
Does it do anything nasty?
The virus forwards itself to everyone in your Outlook address book
(a similar payload to WM97/Melissa). This could potentially
generate so much email traffic that companies may decide to turn
off their email servers.
How does it work?
The message contains an embedded HTML file containing a viral
Visual Basic Script. This file is NOT an attachment. If you
are using MS Outlook, the script is executed when you open the
email. If you are using MS Outlook Express, the script can be run
from the preview pane as well.
The script is able to activate because of a security hole in
Microsoft's products which allows two potentially malicious ActiveX
controls (scriptlet.typelib and Eyedog) to run.
Once the virus has run, it drops a file into the Windows startup
directory called UPDATE.HTA. Upon startup, this file executes and
edits the system registry. It then mails a copy of itself, using
Outlook, to every address in your Outlook address books.
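Because the script sits in the HTML body and not in an attachment, a mail filter that only looks at attachments never sees it. The sketch below is an added example, not Sophos code or part of the original FAQ: it parses a message, decodes each HTML body part and reports script tags and the two control names mentioned above. The function names, the quarantine policy and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Control names as given in the FAQ; matched case-insensitively.
RISKY_CONTROLS = ("scriptlet.typelib", "eyedog")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed sample: a single-part HTML mail with an inert placeholder script.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: user@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body>hello"
    b"<SCRIPT language=VBScript>Rem inert placeholder naming Scriptlet.TypeLib</SCRIPT>"
    b"</body></html>\r\n"
)

def inspect_message(raw: bytes) -> dict:
    """Report script and named controls found in the HTML body parts of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"attachments": 0, "html_parts": 0, "script": False, "controls": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            report["attachments"] += 1   # counted only; this check targets the body
            continue
        if part.get_content_type() != "text/html":
            continue
        report["html_parts"] += 1
        html = part.get_content()        # decodes base64 / quoted-printable and charset
        if SCRIPT_TAG.search(html):
            report["script"] = True
        lowered = html.lower()
        for name in RISKY_CONTROLS:
            if name in lowered and name not in report["controls"]:
                report["controls"].append(name)
    return report

def should_quarantine(raw: bytes) -> bool:
    """Hypothetical gateway policy: hold mail whose HTML body has script or a named control."""
    r = inspect_message(raw)
    return r["script"] or bool(r["controls"])
```

The constructed sample has no attachments at all and is still flagged, which is the case an attachment-only filter misses.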
Am I likely to be hit by it?
This virus is not considered to be in the wild. It appears to be a
"proof-of-concept" and the virus's author has sent his creation to
various anti-virus companies to taunt them with what he has
achieved.
The virus infects PCs that have Internet Explorer 5 and Windows
Scripting Host installed and use Outlook or Outlook Express as an
email reader. The code is specific to Windows 95/98 and will not
run successfully on other operating systems.
Users of non-Microsoft browsers or mailers are not affected.
Someone said it had something to do with "Seinfeld"?
The virus author appears to be a fan of the American TV sitcom
"Seinfeld". The name "BubbleBoy" refers to an episode of Seinfeld
first aired on October 7, 1992. In the episode Jerry Seinfeld
agrees to visit a sick boy who lives in a plastic bubble.
Can't something be done about this guy? Isn't it illegal to
write viruses?
Writing viruses is not itself illegal. However, any virus that is
spreading makes unauthorised modifications to your computer
system. This is a crime in many countries.
What can I do to protect myself?
The virus exploits security holes in Microsoft's implementation of
ActiveX. Microsoft have issued a patch which fixes these security
holes. For further information and to download the patch please
view Microsoft Security Bulletin (MS99-032).
Sophos also recommends users consider disabling Windows
Scripting Host.
The two known variants of VBS/BubbleBoy are both detected by the
current version of Sophos Anti-Virus. Please refer to the virus
analysis for further information.