Press Releases

10 Nov 1999

VBS/BubbleBoy FAQ

What's this BubbleBoy virus I've heard about?
VBS/BubbleBoy is the first virus that can infect a user's computer when the recipient simply reads an email. It does not depend on the user opening an attachment. The virus is an email-aware worm that forwards itself to other users.

What does the email message look like?
The virus arrives as an email in the form:

From: <email user who has you in their address book>
Subject: BubbleBoy is back!
Message Text: The BubbleBoy incident, pictures and sounds

VBS/BubbleBoy email message 

Does it do anything nasty?
The virus forwards itself to everyone in your Outlook address book (a similar payload to WM97/Melissa). This could potentially generate so much email traffic that companies may decide to turn off their email servers.

How does it work?
The message contains an embedded HTML file containing a viral Visual Basic Script. This file is NOT an attachment. If you are using MS Outlook, the script is executed when you open the email. If you are using MS Outlook Express, the script can be run from the preview pane as well.

The script is able to activate because of a security hole in Microsoft's products which allows two potentially malicious ActiveX controls (scriptlet.typelib and Eyedog) to run.

Once the virus has run, it drops a file into the Windows startup directory called UPDATE.HTA. Upon startup, this file executes and edits the system registry. It then mails a copy of itself, using Outlook, to every address in your Outlook address books.
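
A mail-gateway style check for the indicators this FAQ names, as an added example (not Sophos code): it flags the known subject line and any script block in an HTML body part that mentions the two ActiveX controls or UPDATE.HTA. The function name, finding labels and sample messages are constructed for illustration, and plain string matching like this is a heuristic that complements the patch rather than replacing it.

```python
import re
from email import message_from_string

# Indicators named in the FAQ; matching is case-insensitive.
SUBJECT = "bubbleboy is back!"
CONTROLS = ("scriptlet.typelib", "eyedog")
DROPPED_FILE = "update.hta"
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def inspect_message(raw):
    """Return sorted findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = set()
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        findings.add("known-subject")
    for part in msg.walk():
        # The script sits in the HTML body itself, so attachments are skipped.
        if (part.get_content_type() != "text/html"
                or part.get_content_disposition() == "attachment"):
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode("latin-1")  # lossless for byte-level matching
        for script in SCRIPT_TAG.findall(html):
            findings.add("script-in-html-body")
            body = script.lower()
            findings.update("control:" + c for c in CONTROLS if c in body)
            if DROPPED_FILE in body:
                findings.add("names-update.hta")
    return sorted(findings)


# Constructed samples: inert text that only mentions the names.
SUSPECT = (
    "From: colleague@example.com\n"
    "Subject: BubbleBoy is back!\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>The BubbleBoy incident, pictures and sounds\n"
    '<script language="VBScript">\n'
    "' placeholder text: Scriptlet.TypeLib, UPDATE.HTA\n"
    "</script></body></html>\n"
)
CLEAN = (
    "From: colleague@example.com\nSubject: Lunch?\nContent-Type: text/plain\n\n"
    "See the notes on scriptlet.typelib in the bulletin.\n"
)
```

Calling `inspect_message(SUSPECT)` returns four findings, while `inspect_message(CLEAN)` returns an empty list because a plain-text mention of a control name is not a script in an HTML body.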

Am I likely to be hit by it?
This virus is not considered to be in the wild. It appears to be a "proof-of-concept" and the virus's author has sent his creation to various anti-virus companies to taunt them with what he has achieved.

The virus infects PCs that have Internet Explorer 5 and Windows Scripting Host installed and use Outlook or Outlook Express as an email reader. The code is specific to Windows 95/98 and will not run successfully on other operating systems.

Users of non-Microsoft browsers or mailers are not affected.

Someone said it had something to do with "Seinfeld"?
The virus author appears to be a fan of the American TV sitcom "Seinfeld". The name "BubbleBoy" refers to an episode of Seinfeld first aired on October 7, 1992. In the episode Jerry Seinfeld agrees to visit a sick boy who lives in a plastic bubble.

Can't something be done about this guy? Isn't it illegal to write viruses?
Writing viruses is not itself illegal. However, every virus that spreads makes unauthorised modifications to the computer systems it infects. This is a crime in many countries.

What can I do to protect myself?
The virus exploits security holes in Microsoft's implementation of ActiveX. Microsoft have issued a patch which fixes these security holes. For further information and to download the patch please view Microsoft Security Bulletin (MS99-032).

Sophos also recommends users consider disabling Windows Scripting Host.

The two known variants of VBS/BubbleBoy are both detected by the current version of Sophos Anti-Virus. Please refer to the virus analysis for further information.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at