1.0 DESCRIPTION

1.1 Overview

The BubbleBoy is an Internet worm that is able to infect without opening the attachment. The worm will execute immediately after the user has opened the message in Outlook. It works under Windows 98, Windows 2000 and other Windows operating systems with Windows Scripting Host (WHS) installed. It does not run on Windows NT due to hard-coded limitations. The Internet worm code is embedded within an email message in HTML format and thus, does not contain an attachment. However, if active scripting is disabled, the worm will not work. The BubbleBoy worm is NOT known to be in the wild.

1.2 Limitation

1.2.1 It requires Internet Explorer with Windows Scripting Host installed (WHS is standard in Windows 98 and Windows 2000 installation) and the use of Microsoft Outlook or Outlook Express.

1.2.2 The payload will only triggered once the infected machine is rebooted.

1.2.3 In MS Outlook, this worm requires that you "open" the email. It will not run if using "Preview Pane". However in Outlook Express, the worm is activated if "Preview Pane" is used.

1.2.4 In both the above (1.2.2 and 1.2.3), if security settings for Internet Zone in IE5 are set to "High", the worm will not be executed.

2.0 TECHNICAL MATTERS

2.1 Installation

The BubbleBoy worm arrives in an email that comes from a person who has sent the worm unintentionally. The Subject line of the email carrying BubbleBoy reads "BubbleBoy is Back!". The message contains an invalid URL ending in "bblboy.htm" and the message text "The BubbleBoy Incident, pictures and sounds."

When user receives such email, and opens it, the worm creates two files:

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA
C:\WINDOWS\MENU INDICIO\PROGRAMS\INICIO\UPDATE.HTA

These locations specify the Windows startup directory for both English and Spanish versions. Therefore the worm will be executed after Windows has been restarted.

Currently there are two known variants of this worm. The second one is encrypted.

2.2 Functionality

The next time Windows start, UPDATE.HTA executes its worm routines:

1. It modifies the Windows registered owner to "BubbleBoy" and organization to "Vandelay Industries".

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries

2. The worm use ActiveX feature to open Outlook and use it to send itself to ALL recipients in ALL address books, like W97M/Melissa does. After mass mailing has been done, the worm will show a message box with the text

   System error, delete "UPDATE.HTA" from the startup folder to solve the problem.

   
   
   

3. It then set a registry key indicating the email distribution has occurred so that any BubbleBoy emails received subsequently will not spread.

   HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy

   with value,

   OUTLOOK.BubbleBoy 1.0 by Zulu

3.0 POSSIBLE STEPS

3.1 Prevention

So far, the worm is NOT known to be in the wild. However, since the worm cannot execute if the IE5 security is set to high, users are adviced to follow the steps below:

1. Start Internet Explorer 5.0 or later.

2. Click on Tools --> Internet Options --->Security.

3. Change the setting "High".

4. Download and install Microsoft security patch at:
   http://www.microsoft.com/security/bulletins/ms99-032.asp

5. Update your virus definition file of your antivirus software. The list of known anti-virus vendors are as listed in MyCERT's website (http://mycert.mimos.my/anti-virus.htm).

3.2 Detection

Modification of the registry entry as stated under 2.2 Functionality.

3.3 Removal

Delete the UPDATE.HTA file in the C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ directory. Then, follow the steps as stated in section 3.1 Prevention.

4.0 MORE INFORMATION

To obtain more information on this virus, please refer to the following site :

4.1 DataFellows
http://www.datafellows.com/v-descs/bubb-boy.htm

4.2 Microsoft
http://www.microsoft.com/security/bulletins/ms99-032.asp

4.3 Network Associates
http://vil.nai.com/vil/vbs10418.asp

4.4 Symantec Antivirus Research Center
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html

4.5 Trendmicro
http://www.antivirus.com/vinfo/security/sa110999.htm