Thursday, 2 August 2012

Be alert: "BubbleBoy is back!"

Do not open e-mail messages with the subject line "BubbleBoy is back!". The message could be infected with a dangerous new virus, BubbleBoy. The body of the message says "The BubbleBoy incident, pictures and sound".

The message looks like this: 

Here is some information about BubbleBoy: 
Discovery date: November 9, 1999
Date of latest update: February 13, 2007 11:33:09 AM
Other names for the virus:
VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Type: Worm, Virus
Systems Affected: 
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

This worm affects English and Spanish versions of Windows 98, Windows 2000 and Windows 95. It affects Windows 95 only if the Windows Scripting Host is installed. If you are a Windows NT user, there is no need to worry, as it does not work under Windows NT. It needs Microsoft Outlook or Outlook Express with Internet Explorer 5 to propagate.

No attachment needs to be opened or executed to activate the virus. In Microsoft Outlook, it is executed if a victim simply opens the e-mail. In Outlook 2000, you must open the e-mail message for the virus to spread; in Outlook 98 and Outlook Express, the virus is activated if the Preview Pane is used. Other e-mail programs such as MS Exchange and Lotus Notes are also vulnerable to this threat.

The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. 

How does it work?

  • The worm attempts to create two files, "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA" and "C:\WINDOWS\MENU INDICIO\PROGRAMS\INICIO\UPDATE.HTA". Update.hta is placed in the StartUp folder. 
  • Update.hta is a script file that runs when the system is restarted. The worm then uses an ActiveX feature to access the system registry.
  • Once activated, the virus assumes Seinfeld themes, changing the name of the computer's owner to BubbleBoy and the company name to Vandelay Industries.
  • Finally the worm displays the following message:  
"System error, delete "UPDATE.HTA" from the startup folder to solve this problem."

It is a self-replicating worm that reads the user's Outlook address book and mails itself to the addresses it finds. By the time this message appears to the user, the infected e-mails have already been sent to all recipients.

How to prevent it from propagating?
If you receive a message with the subject heading "BubbleBoy is back!", you should delete it immediately and empty your Deleted Items folder. You can check the system manually. If the file "UPDATE.HTA" is present in the "C:\windows\start menu\programs\startup" folder, your PC is infected with this virus.

Microsoft provides a security patch that prevents the worm from propagating. You can download the Update for Scriptlet.Typelib and Eyedog Security Vulnerability patch to prevent the BubbleBoy virus from affecting your system. You should install this security patch after deleting the BubbleBoy infected files. You can also use one of the major anti-virus products, which can catch the virus before it infects your system.
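The manual check above, combined with the owner and company changes listed under "How does it work?", written as a triage script for a live drive or a mounted disk image. This is an added example, not code from the original post; the `RegisteredOwner` and `RegisteredOrganization` value names and the use of a `.reg` export as input are assumptions, and the demo data is constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above (paths relative to the Windows drive root).
STARTUP_DROPS = [
    "WINDOWS/START MENU/PROGRAMS/STARTUP/UPDATE.HTA",
    "WINDOWS/MENU INDICIO/PROGRAMS/INICIO/UPDATE.HTA",
]
# Assumption: owner/company are the standard RegisteredOwner/RegisteredOrganization values.
REG_MARKERS = {"RegisteredOwner": "BubbleBoy", "RegisteredOrganization": "Vandelay Industries"}

def find_ci(root, rel):
    """Resolve rel under root ignoring case (images are often mounted case-sensitively)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur

def check_reg_export(text):
    """Return value names in a .reg export whose data matches the worm's markers."""
    hits = []
    for name, data in re.findall(r'^"([^"]+)"="([^"]*)"\s*$', text, re.M):
        if data and REG_MARKERS.get(name, "").lower() == data.lower():
            hits.append(name)
    return hits

def triage(root, reg_text=""):
    files = [str(p) for p in (find_ci(root, r) for r in STARTUP_DROPS) if p and p.is_file()]
    return {"dropped_files": files, "registry": check_reg_export(reg_text)}

def demo():
    """Build a constructed, harmless fake drive and run the checks against it."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, "Windows", "Start Menu", "Programs", "StartUp")
        d.mkdir(parents=True)
        (d / "update.hta").write_text("placeholder, not real worm content")
        reg = '"RegisteredOwner"="BubbleBoy"\n"RegisteredOrganization"="Acme"\n'
        result = triage(root, reg)
        return len(result["dropped_files"]), result["registry"]

if __name__ == "__main__":
    print(demo())
```

Pass `triage()` the drive root (for example `C:/` or an image mount point) and, optionally, the decoded text of a registry export; a non-empty `dropped_files` list corresponds to the infected state described above.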

