The Bubble Boy Virus (from Symantec's Web Page)

This information is "from Symantec's Anti-virus Research Center WEB site."

Infection Length: 4992 or 5204 bytes
Likelihood: Rare
Characteristics: Worm, Trojan Horse, VBScript, Outlook

Description

VBS.BubbleBoy is a worm that works under Windows 98, Windows 2000 and
other Windows operating systems with Windows Scripting Host installed.

The worm utilizes a known security hole in Microsoft Outlook to insert a
script file, UPDATE.HTA, when the email is opened.

UPDATE.HTA is inserted into the Programs\StartUp folder of the Start menu.
It is a script file that uses MS Outlook to send the worm email message to
everyone in the MS Outlook address book.

For further details, read this posting

http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp

Microsoft has also provided a patch to fix this problem at

http://www.microsoft.com/security/Bulletins/ms99-032.asp

Technical Description

If the security hole has not been patched, VBS.BubbleBoy will insert the
UPDATE.HTA file as soon as the email is opened. This script file is
inserted into the Programs\StartUp folder of the Start Menu (usually
C:\WINDOWS\Start Menu\Programs\StartUp).

The next time Windows starts, UPDATE.HTA executes its worm routine:

 - Changes the registered owner (via the registry) to "BubbleBoy".
 - Changes the registered organization to "Vandelay Industries".
 - Sends an email message to everyone in the MS Outlook address book. The
   email message contains the following text:

     Subject: BubbleBoy is back!

     The BubbleBoy incident, pictures and sounds
     http://www.towns.com/dorms/tom/bblboy.htm

 - Adds this registry entry:

     HKLM\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu

   to mark the execution of its worm routine. If this registry entry
   already exists, it does not execute the worm routine.

Variant Notes

The B variant (also detected as VBS.BubbleBoy) is encrypted. The registry
entry to mark the worm routine execution is:

HKLM\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu

Repair Notes

To remove this worm, simply delete the UPDATE.HTA file (usually in the
C:\WINDOWS\Start Menu\Programs\StartUp directory).
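The indicators the write-up gives (UPDATE.HTA in the StartUp folder, the HKLM\Software\OUTLOOK.BubbleBoy marker key, and the altered owner and organization strings) can be checked offline against a registry export and a folder listing. The triage helper below is an added example, not Symantec's or Microsoft's code; it assumes the owner and organization strings are the RegisteredOwner and RegisteredOrganization values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion (the standard locations, which the write-up does not name), and the sample listing and .reg text are constructed:

```python
import re

# Indicators from the write-up. The CurrentVersion key is an assumption:
# the page says "via the registry" but does not name the value locations.
STARTUP_DROPPER = "UPDATE.HTA"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (strings only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"')
    return keys


def triage(startup_listing, reg_export):
    """Return a list of BubbleBoy indicators found in the supplied artifacts."""
    findings = []
    # Startup folder names are case-insensitive on Windows, so compare upper-cased.
    if any(name.upper() == STARTUP_DROPPER for name in startup_listing):
        findings.append(f"{STARTUP_DROPPER} present in StartUp folder")
    # Registry key names are case-insensitive too; normalise before lookup.
    keys = {k.lower(): v for k, v in parse_reg_export(reg_export).items()}
    if MARKER_KEY.lower() in keys:
        findings.append(f"worm marker key {MARKER_KEY} present")
    version = keys.get(VERSION_KEY.lower(), {})
    if version.get("RegisteredOwner") == "BubbleBoy":
        findings.append("RegisteredOwner changed to BubbleBoy")
    if version.get("RegisteredOrganization") == "Vandelay Industries":
        findings.append("RegisteredOrganization changed to Vandelay Industries")
    return findings


# Constructed sample input resembling an infected host after one worm run.
SAMPLE_STARTUP = ["desktop.ini", "Update.hta"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
"RegisteredOrganization"="Vandelay Industries"

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.Bubbleboy 1.0 by Zulu"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_STARTUP, SAMPLE_REG):
        print(finding)
```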

Please remember, Microsoft has provided a patch to fix this problem at

http://www.microsoft.com/security/Bulletins/ms99-032.asp

SARC recommends monitoring the following website for any Microsoft
security update:

http://www.microsoft.com/security/default.asp
