THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
S U M M A R Y
DIARY: November 10, 1999 12:16 PM Wednesday;
Rod Welch
Article on new computer virus attacking email, MS Outlook.
1...Summary/Objective
2...Bubble Boy Virus Attacks MS Office 2000, Outlook, But Not Netscape
3...Protection can be obtained from...
CONTACTS
SUBJECTS
Security, Privacy - Discovery
Virus Protection
Office 2000 Risks Virus Problems
Virus Risk Office 2000
Bubble Boy
0907 - ..
0908 - Summary/Objective
0909 -
090901 - Follow up ref SDS 4 0674.
090902 -
090903 - Received two articles reporting new, more powerful computer virus
090904 - spread by email. It is not harmful now, but shows potential for future
090905 - problems using MS Internet Explorer and Outlook for email. Netscape
090906 - does not seem to be affected. ref SDS 0 5073 Microsoft has a patch to
090907 - block the virus. ref SDS 0 5952 New virus protection is available
090908 - from McAfee and Advert. ref SDS 0 2769
090909 -
090910 - Requested comments from Morris on steps he is taking to meet this
090911 - risk.
090912 -
090913 - Seems like an SDS environment is a big target of opportunity for this
090914 - kind of problem.
090915 -
090916 -
090917 -
090918 -
0910 -
0911 -
0912 - Progress
0913 -
091301 - ..
091302 - Bubble Boy Virus Attacks MS Office 2000, Outlook, But Not Netscape
091303 -
091304 - On 990727 a report on Microsoft 2000 warned that new features pose new
091305 - risks that make invasion easier. ref SDS 4 0674
091306 -
091307 - Yesterday there was a report on the Internet of a new, more powerful
091308 - computer virus that is spread by email, called...
091309 -
091310 -
091311 - Bubble Boy
091312 -
091313 -
091314 - ...in an article published by Newsbyte. ref OF 3 0001
091315 -
091316 - A second article published by AP reports a patch is available to
091317 - protect against Bubble Boy. ref OF 4 0001
091318 -
091319 - This virus does not require opening an attachment. ref OF 3 3640
091320 -
091321 - The article reports speculation that the developers of the virus sent
091322 - it anonymously to a virus protection firm to demonstrate proof-of-
091323 - concept. ref OF 3 2537
091324 -
091325 - Virus requires Internet Explorer, Windows 98 and Outlook. ref OF 4
091326 - 4161 and ref OF 4 2262 and ref OF 4 5610
091327 -
091328 - In a call to Morris on 991113, Morris advised that Bubble Boy
091329 - takes advantage of a bug in Outlook, and so is not a Netscape
091330 - issue.
091331 -
091332 - Windows Scripting Host (WSH) is required for the virus to function.
091333 - ref OF 4 1188 and ref OF 3 5550
091334 -
091335 - Sounds like WSH might be uninstalled to avoid the virus???
091336 -
091337 - Windows NT is not affected. ref OF 4 1188
091338 - ..
091339 - Netscape has not been shown to be affected. ref OF 4 5610
091340 -
091345 - Virus is spread by e-mail, ref OF 3 0550, with white on black color
091346 - scheme and the following text:
091347 -
091348 - From: (actual unknowing sender of the virus laden e-mail)
091349 -
091350 - Subject: BubbleBoy is back!
091351 -
091352 - Body: The BubbleBoy incident, pictures and sounds
091353 -
091354 - E-mail shows an invalid URL ending in "bblboy.htm."
091355 - ..
091356 - Virus takes every address in a computer's e-mail program
091357 - and passes the virus along, unless the computer user has
091358 - installed a patch distributed in August by Microsoft.
091359 - ref OF 4 2552
091360 -
091361 -
091362 - What is not clear is whether the email has to be opened in order to
091363 - trigger harmful effects, or whether it can be deleted immediately to
091364 - prevent triggering the virus.
091365 - ..
091366 - The article says upon arrival on a non-infected system,
091367 - BubbleBoy will send itself to every contact in every e-mail
091368 - address book of Outlook or Outlook Express. It will then set a
091369 - registry key to indicate that the e-mail distribution has
091370 - occurred, and subsequent BubbleBoy arrivals will not spread.
091371 - ref OF 3 2703
091372 -
091373 - The second article received today says this e-mail virus does
091374 - not need to be fully opened to be activated. Highlighting the
091375 - e-mail's subject line in Microsoft Outlook Express activates
091376 - its hidden code.
091377 -
091378 - This appears to conflict slightly with the report that the virus does
091379 - not execute until the email is opened in Outlook. ref SDS 0 1890
091380 -
091381 - In a call with Morris on 991113 he advised his understanding that
091382 - Bubble Boy can only be activated if the email is opened. So it
091383 - can be deleted without opening it, to avoid harm.
091384 -
091385 - Users will not immediately realize that they have been infected.
091386 - ref OF 3 6391
091387 -
091388 - Virus spreads in one e-mail blast.
091389 -
091390 - Registry is changed to show System's owner is "BubbleBoy" and
091391 - organization is changed to "Vandelay Industries"
091392 -
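An added example (not part of the original record or the cited articles): a Python check that scans a raw message for the indicators listed above (subject line, body text, URL ending in "bblboy.htm") and tests the registry owner and organization strings. The `<script>` test assumes the hidden code is script embedded in an HTML body; the value names RegisteredOwner and RegisteredOrganization and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Indicators as reported in the record above.
SUBJECT = "bubbleboy is back!"
BODY_PHRASE = "the bubbleboy incident, pictures and sounds"
URL_RE = re.compile(r"bblboy\.htm\b", re.I)
# Assumption: the "hidden code" is script embedded in an HTML body.
SCRIPT_RE = re.compile(r"<\s*script\b", re.I)

def _text_parts(msg):
    """Yield (subtype, decoded text) for every text/* part."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                yield part.get_content_subtype(), part.get_content()
            except (LookupError, UnicodeError):
                continue  # unknown charset: skip the part

def bubbleboy_indicators(raw: bytes) -> list:
    """Return the names of the indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = list(_text_parts(msg))
    body = " ".join(text for _, text in parts)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    if BODY_PHRASE in " ".join(body.lower().split()):
        hits.append("body-text")
    if URL_RE.search(body):
        hits.append("url")
    if any(sub == "html" and SCRIPT_RE.search(t) for sub, t in parts):
        hits.append("html-script")
    return hits

def registry_marked(owner: str, organization: str) -> bool:
    """True if the registered owner/organization strings (assumed to be the
    RegisteredOwner and RegisteredOrganization values) match the report."""
    return (owner.strip().lower() == "bubbleboy"
            and organization.strip().lower() == "vandelay industries")

# Constructed, inert sample messages (no payload).
SAMPLE_HIT = (b"From: sender@example.com\r\nSubject: BubbleBoy is back!\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body>The BubbleBoy incident, pictures and sounds<br>"
    b"http://example.invalid/bblboy.htm<script></script></body></html>\r\n")
SAMPLE_CLEAN = (b"From: a@example.com\r\nSubject: Meeting notes\r\n"
    b"Content-Type: text/plain\r\n\r\nSee you Friday.\r\n")

if __name__ == "__main__":
    print(bubbleboy_indicators(SAMPLE_HIT), bubbleboy_indicators(SAMPLE_CLEAN))
```
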
091393 - Destructive changes can be made, including data.
091394 -
091395 - BubbleBoy requires Internet Explorer 5 with Windows Scripting Host
091396 - (WSH) installed. WSH is standard in Windows 98 and Windows 2000
091397 - installations. The virus will infect users running Microsoft Outlook
091398 - and Outlook Express. ref OF 3 5550
091399 - ..
091400 - In Outlook, this virus requires that the recipient "open"
091401 - the e-mail, and the virus will not run if the e-mail is only
091402 - viewed through the "Preview Pane." ref OF 3 4356
091403 -
091404 - This seems to conflict slightly with the explanation above that
091405 - the virus executes upon arrival. ref SDS 0 6478
091406 -
091411 - In Outlook Express, the virus activates even if the e-mail is
091412 - only viewed through the "Preview Pane." ref OF 3 5329
091413 -
091414 - ..
091415 - Protection can be obtained from...
091416 -
091417 -
091418 - Advert
091419 -
091420 -
091421 - http://www.nai.com
091422 -
091423 -
091424 - ...and from...
091425 -
091426 - McAfee
091427 -
091428 -
091429 - http://www.McAfee.com .
091430 -
091431 -
091432 - ...as reported at ref OF 3 6000
091433 -
091434 -
091435 - Enabling Microsoft's highest-security e-mail filter will keep the
091436 - virus from entering.
091437 -
091438 - Microsoft spokesman Adam Sohn said Tuesday night that anyone who
091439 - downloaded the August upgrade to Internet Explorer 5.0 already is
091440 - protected from "Bubbleboy."
091441 -
091442 - These do not sound very reassuring. How long will it be until
091443 - these defenses are overcome?
091444 -
091445 - We are evolving into a siege mentality.
091446 -
091447 -
091448 -
091449 -
091450 -
091451 -
091452 -
0915 -