Name: VBS.Bubbleboy
Aliases: VBS/Bubbleboy
Type: Internet worm
Description:
VBS.Bubbleboy is an e-mail script worm that uses a vulnerability in English and Spanish versions of Internet Explorer 5.0, affecting Windows 98 and Windows 2000 systems. The worm is embedded in an e-mail message in HTML format - it is not an attachment. The worm can execute in Outlook Express while being previewed, prior to being opened. If using Microsoft Outlook, the worm requires that you open the mail message.
This virus is not in-the-wild. The risk is classified as low. Two variants have been
identified. Neither has a destructive payload. It is significant only because it is the
first infector to pose a risk without requiring the opening of an infected e-mail attachment,
but can execute during the preview function.
The worm is written in VBScript. When executed, it creates "UPDATE.HTA" in the Windows
startup directory. At the next system startup, the file will modify the registry to:
- Change the registered owner to "Bubble Boy"
- Change the registered organization to "Vandelay Industries"
The worm will then attempt to imbed itself in an e-mail message to all Outlook or Outlook Express Address Book entries once.
The message has the following text:
- From: [infected sender's name]
- Subject: "Bubble Boy is Back!"
- Message Body: "The Bubble Boy incident, pictures and sounds" and a URL link.
BubbleBoy exploits a security flaw in Microsoft’s ActiveX technology, involving the ActiveX components scriptlet.typelib and Eyedog. These components are marked "trusted", allowing them to take actions based on the user's privileges on that machine. Microsoft has issued a security patch for Internet Explorer that will prevent the worm from executing. This patch, and information regarding it, may be obtained from Microsoft's web site.
.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
