Newsbytes November 9, 1999 Attglobal Headlines

Email Messages Spread BubbleBoy Virus

By Sherman Fridman


SANTA CLARA, CALIFORNIA, U.S.A., 1999 NOV 9 (NB) -- The old rules for protecting computers from e-mail-borne viruses don't apply anymore. In the past, computer users were advised that the only way their computer could catch a virus was by opening the attachments that came with the virus-carrying e-mail.

According to Sal Viveros, group marketing manager for Total Virus Defense at Network Associates Inc. [NASDAQ:NETA], a new virus, first discovered about 10:00 PM PST last night, "blew all those theories out of the water." That's how he described the new virus, called "BubbleBoy," to Newsbytes.

What makes this new Internet-borne virus so potentially dangerous and infectious is that it arrives embedded within an e-mail message and automatically executes on machines running certain popular e-mail applications, without requiring the recipient to open any attachment.

According to Viveros, the first known example of the virus was sent to AVERT (Anti-Virus Emergency Response Team), a division of NAI labs at Network Associates Inc. Viveros told Newsbytes that AVERT believes that the virus, which was sent anonymously, was actually sent by the creator of the virus.

As of yet, Viveros said, there has been no indication that there have been any other recipients of the virus. That is why, for now at least, AVERT has given the virus a risk assessment of "Low."

According to AVERT and Network Associates, the BubbleBoy virus carries no payload and is a "proof-of-concept" virus, setting the stage for other viruses that could have more malicious payloads or broader-reaching infection techniques.

Users will not immediately realize that they have been infected. Apart from the actions the virus takes to spread itself in one e-mail blast, the only effect on a user's system is the change of the system's registered owner and organization (via the registry) to "BubbleBoy" and "Vandelay Industries" respectively. However, Viveros cautioned that the virus could easily be modified to become more malignant.

The infection vehicle is an e-mail message with a white-on-black color scheme and the following text:

From: (actual unknowing sender of the virus-laden e-mail)
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds

The e-mail also includes an invalid URL (uniform resource locator) ending in "bblboy.htm."

The BubbleBoy virus requires Internet Explorer 5 with Windows Scripting Host (WSH) installed. WSH is standard in Windows 98 and Windows 2000 installations. The virus will infect users running Microsoft Outlook and Outlook Express.

In Outlook, this virus requires that the recipient "open" the e-mail, and the virus will not run if the e-mail is only viewed through the "Preview Pane."

In Outlook Express, the virus activates even if the e-mail is only viewed through the "Preview Pane."

In all cases, if the security settings for the Internet Zone in IE5 are set to high, the virus will not be executed. Also, the virus does not run on Windows NT.

Upon arrival on a non-infected system, BubbleBoy will send itself to every contact in every e-mail address book of Outlook or Outlook Express. It will then set a registry key to indicate that the e-mail distribution has occurred, and subsequent BubbleBoy arrivals will not spread.

The virus is written in VBScript, and two variants, one encrypted, have been found to date.

According to Viveros, corporate customers should update their antivirus software to combat BubbleBoy by updating the products as prescribed by AVERT. The most current software can be found at...

http://www.nai.com .

Consumers can find protection and useful information at

http://www.McAfee.com .

Reported by newsbytes.com,

http://www.newsbytes.com