
MA-015.111999: VBS/BubbleBoy Worm
Original Issue Date: 11th November 1999


    1.1 Overview

    BubbleBoy is an Internet worm that can infect a machine without the user opening an attachment. The worm executes as soon as the user opens the message in Outlook. It works under Windows 98, Windows 2000 and other Windows operating systems with Windows Scripting Host (WSH) installed. It does not run on Windows NT due to hard-coded limitations. The worm code is embedded within an email message in HTML format, so the message does not contain an attachment. However, if active scripting is disabled, the worm will not work. The BubbleBoy worm is NOT known to be in the wild.

    1.2 Limitation

    1.2.1 It requires Internet Explorer with Windows Scripting Host installed (WSH is standard in Windows 98 and Windows 2000 installations) and the use of Microsoft Outlook or Outlook Express.

    1.2.2 The payload will only be triggered once the infected machine is rebooted.

    1.2.3 In MS Outlook, this worm requires that you "open" the email. It will not run if the "Preview Pane" is used. However, in Outlook Express, the worm is activated if the "Preview Pane" is used.

    1.2.4 In both the above (1.2.2 and 1.2.3), if security settings for Internet Zone in IE5 are set to "High", the worm will not be executed.


    2.1 Installation

    The BubbleBoy worm arrives in an email that comes from a person who has sent the worm unintentionally. The Subject line of the email carrying BubbleBoy reads "BubbleBoy is Back!". The message contains an invalid URL ending in "bblboy.htm" and the message text "The BubbleBoy Incident, pictures and sounds."

    When a user receives such an email and opens it, the worm creates two files:


    These locations specify the Windows startup directory for both English and Spanish versions. Therefore the worm will be executed after Windows has been restarted.

    Currently there are two known variants of this worm. The second one is encrypted.

    2.2 Functionality

    The next time Windows starts, UPDATE.HTA executes its worm routines:

  1. It modifies the Windows registered owner to "BubbleBoy" and organization to "Vandelay Industries".

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries

  2. The worm uses an ActiveX feature to open Outlook and uses it to send itself to ALL recipients in ALL address books, as W97M/Melissa does. After the mass mailing is done, the worm shows a message box with the text

      System error, delete "UPDATE.HTA" from the startup folder to solve the problem.

  3. It then sets a registry key indicating that the email distribution has occurred, so that any BubbleBoy emails received subsequently will not spread.


    with value,

      OUTLOOK.BubbleBoy 1.0 by Zulu


    3.1 Prevention

    So far, the worm is NOT known to be in the wild. However, since the worm cannot execute if the IE5 security is set to high, users are advised to follow the steps below:

  1. Start Internet Explorer 5.0 or later.

  2. Click on Tools --> Internet Options --> Security.

  3. Change the setting to "High".

  4. Download and install the Microsoft security patch at:

  5. Update the virus definition file of your antivirus software. Known anti-virus vendors are listed on MyCERT's website (http://mycert.mimos.my/anti-virus.htm).

3.2 Detection

Modification of the registry entry as stated under 2.2 Functionality.

3.3 Removal

Delete the UPDATE.HTA file in the C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ directory. Then, follow the steps as stated in section 3.1 Prevention.
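
The indicators from sections 2.2 and 3.3 can be checked offline against a registry export and a file listing collected from a suspect machine. The Python below is an added example, not part of the original advisory; the function names are hypothetical, and the REGEDIT4 export and file list are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from this advisory (sections 2.2 and 3.3).
KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
REG_VALUES = {"registeredowner": "bubbleboy",
              "registeredorganization": "vandelay industries"}
STARTUP_DIR = PureWindowsPath(r"C:\WINDOWS\START MENU\PROGRAMS\STARTUP")
DROPPED_NAME = "update.hta"

# Constructed sample input: a REGEDIT4 export and a file listing from one host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
"RegisteredOrganization"="Vandelay Industries"
'''
SAMPLE_FILES = [r"C:\Windows\Start Menu\Programs\StartUp\UPDATE.HTA",
                r"C:\Windows\Temp\update.hta"]


def parse_reg_export(text):
    """Parse string values of a REGEDIT4 export into {key: {name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            current[value.group(1).lower()] = value.group(2)
    return keys


def triage(reg_text, file_paths):
    """Return the advisory indicators present in the export and file list."""
    findings = []
    values = parse_reg_export(reg_text).get(KEY, {})
    for name, bad in REG_VALUES.items():
        # The advisory spells the owner both "BubbleBoy" and "Bubbleboy".
        if values.get(name, "").strip().lower() == bad:
            findings.append(f"registry:{name}")
    for p in file_paths:
        path = PureWindowsPath(p)
        # PureWindowsPath comparison is case-insensitive, like the filesystem.
        if path.name.lower() == DROPPED_NAME and path.parent == STARTUP_DIR:
            findings.append(f"file:{p}")
    return findings
```

Only the English startup directory is checked, because the Spanish path mentioned in section 2.1 is not given in this advisory.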


Last Update April 19, 2001