NISER > Alerts > MyCERT Advisories & Summaries > MA-015.111999: VBS/BubbleBoy Worm
MA-015.111999: VBS/BubbleBoy Worm
Original Issue Date: 11th November 1999
The BubbleBoy is an Internet worm that is able to infect without opening the attachment. The worm will execute immediately after the user has opened the message in Outlook. It works under Windows 98, Windows 2000 and other Windows operating systems with Windows Scripting Host (WHS) installed. It does not run on Windows NT due to hard-coded limitations. The Internet worm code is embedded within an email message in HTML format and thus, does not contain an attachment. However, if active scripting is disabled, the worm will not work. The BubbleBoy worm is NOT known to be in the wild.
1.2.1 It requires Internet Explorer with Windows Scripting Host installed (WHS is standard in Windows 98 and Windows 2000 installation) and the use of Microsoft Outlook or Outlook Express.
1.2.2 The payload will only triggered once the infected machine is rebooted.
1.2.3 In MS Outlook, this worm requires that you "open" the email. It will not run if using "Preview Pane". However in Outlook Express, the worm is activated if "Preview Pane" is used.
1.2.4 In both the above (1.2.2 and 1.2.3), if security settings for Internet Zone in IE5 are set to "High", the worm will not be executed.
2.0 TECHNICAL MATTERS
The BubbleBoy worm arrives in an email that comes from a person who has sent the worm unintentionally. The Subject line of the email carrying BubbleBoy reads "BubbleBoy is Back!". The message contains an invalid URL ending in "bblboy.htm" and the message text "The BubbleBoy Incident, pictures and sounds."
When user receives such email, and opens it, the worm creates two files:
These locations specify the Windows startup directory for both English and Spanish versions. Therefore the worm will be executed after Windows has been restarted.
Currently there are two known variants of this worm. The second one is encrypted.
The next time Windows start, UPDATE.HTA executes its worm routines:
It modifies the Windows registered owner to "BubbleBoy" and organization to "Vandelay Industries".
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries
The worm use ActiveX feature to open Outlook and use it to send itself to ALL recipients in ALL address books, like W97M/Melissa does. After mass mailing has been done, the worm will show a message box with the text
System error, delete "UPDATE.HTA" from the startup folder to solve the problem.
It then set a registry key indicating the email distribution has occurred so that any BubbleBoy emails received subsequently will not spread.
3.0 POSSIBLE STEPS
So far, the worm is NOT known to be in the wild. However, since the worm cannot execute if the IE5 security is set to high, users are adviced to follow the steps below:
Start Internet Explorer 5.0 or later.
Click on Tools --> Internet Options --->Security.
Change the setting "High".
Download and install Microsoft security patch at:
Update your virus definition file of your antivirus software. The list of known anti-virus vendors are as listed in MyCERT's website (http://mycert.mimos.my/anti-virus.htm).
Modification of the registry entry as stated under 2.2 Functionality.
Delete the UPDATE.HTA file in the C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ directory. Then, follow the steps as stated in section 3.1 Prevention.
4.0 MORE INFORMATION
Disclaimers and copyright information
Last Update April 19, 2001