©1995-2008 Symantec Corporation.
All rights reserved.

VBS.BubbleBoy

Category 1

VBS.BubbleBoy is a worm that runs under Windows 98 and Windows 2000, and under Windows 95 only if the Windows Scripting Host is installed. It works only with the English and Spanish versions of these operating systems, and does not work under Windows NT.
The computer must use Microsoft Outlook (or Outlook Express) with Internet Explorer 5 for the worm to propagate.

The worm exploits a known security hole in Microsoft Outlook/IE5 to write a script file, Update.hta, to disk when the email is merely viewed. It is not necessary to detach and run an attachment.

Update.hta is placed in the StartUp folder, so the infection routine does not execute until the next time the computer starts. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.

Patching the known security hole in Microsoft Outlook/IE5 prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:

http://www.microsoft.com/technet/security/bulletin/fq99-032.asp

Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

The worm will not propagate if the IE5 Internet zone security setting has been set to "High."

Also Known As: VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Type: Virus, Worm
Infection Length: 4992 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, UNIX, Linux
CVE References: CVE-1999-0668

protection
  • Virus Definitions (LiveUpdate™ Weekly): November 15, 1999
  • Virus Definitions (Intelligent Updater): November 15, 1999

threat assessment

    Wild: Low
    Damage: Low
    Distribution: Low

technical details

If the security hole has not been patched, VBS.BubbleBoy writes the Update.hta file as soon as the email is opened. The email has the following subject:

Subject: BubbleBoy is back!

The message body contains the text

The BubbleBoy incident, pictures and sounds
http:/ /www.towns.com/dorms/tom/bblboy.htm

[Screenshot of the message as it appears in Outlook: not reproduced here]

The body of the message is HTML containing VBScript, which is not normally visible. The VBScript is executed without prompting the user (due to the security hole). The script creates a file named Update.hta in C:\Windows\Start Menu\Programs\StartUp or C:\Windows\Menú Inicio\Programas\Inicio.

If neither of these directories exists, the worm fails. Update.hta also contains VBScript, which performs the mass-mailing routine. There is no attachment to the message; the worm is fully contained within the nonvisible VBScript inside the message body. The worm automatically executes the next time Windows starts and performs the following steps:
1. The worm changes the registered owner to BubbleBoy by modifying the following registry value:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner

2. The worm changes the registered organization to Vandelay Industries by modifying the following registry value:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization

3. The worm checks whether the registry key

   HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\

   has been set to

   OUTLOOK.BubbleBoy 1.0 by Zulu

   If it has already been set, the worm does not continue with its infection routine. This causes the worm to perform its mass-mailing routine only once.

4. Using MAPI, the worm composes an email message to everyone in the MS Outlook address book. The subject and body of the message are described above. No record of the sent messages appears in MS Outlook.

5. Next, the worm sets the registry key

   HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu

   to mark the execution of its worm routine.

6. Finally, the worm displays a window with the following text:

   System error, delete "UPDATE.HTA" from the startup folder to solve this problem

Variant notes

The B variant (also detected as VBS.BubbleBoy) is encrypted. The registry entry that marks execution of the worm routine is

HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu
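As an added example (not part of the Symantec write-up, and not the worm's code), the following Python filter shows how a mail gateway can recognise the delivery pattern described above: the fixed Subject line, an HTML body that carries a script with no attachment, a reference to Update.hta together with one of the two StartUp paths, and the lure URL. Both messages are constructed for the example; the script fragment in the first is an inert placeholder. The rule names and the quarantine/flag/pass verdicts are this example's own choices.

```python
"""Mail-gateway triage for the VBS.BubbleBoy delivery pattern.

Added example, not Symantec's or the worm author's code. Indicators come
from the write-up: the fixed Subject, an HTML body carrying VBScript (no
attachment), a script that names Update.hta and a StartUp folder, and the
lure URL. Sample messages below are constructed and inert.
"""
import email
import re
from email.message import Message

SUBJECT = "bubbleboy is back!"
SCRIPT_RE = re.compile(r"<script\b", re.I)          # any active content in a mail body
HTA_RE = re.compile(r"update\.hta", re.I)            # the dropped file name
STARTUP_RE = re.compile(                              # English or Spanish StartUp folder
    r"start menu\\programs\\startup|menú inicio\\programas\\inicio", re.I
)
LURE_RE = re.compile(r"bblboy\.htm", re.I)           # lure URL quoted in the body


def html_parts(msg: Message):
    """Yield every text/html body in the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""
        yield raw.decode(part.get_content_charset() or "latin-1", "replace")


def scan_message(raw: bytes) -> list[str]:
    """Return the names of the BubbleBoy indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    html = "\n".join(html_parts(msg))
    if SCRIPT_RE.search(html):
        hits.append("html_script")
    if HTA_RE.search(html) and STARTUP_RE.search(html):
        hits.append("hta_dropper")
    if LURE_RE.search(html):
        hits.append("lure_url")
    return hits


def verdict(hits) -> str:
    """Script in the body plus any worm-specific indicator is enough to quarantine."""
    if "html_script" in hits and len(hits) > 1:
        return "quarantine"
    if hits:
        return "flag"
    return "pass"


# Constructed stand-in for the worm mail: same Subject, lure text and URL as the
# write-up, and a placeholder VBScript that only names the dropped file.
SAMPLE_WORM_MAIL = rb"""From: sender@example.com
To: victim@example.com
Subject: BubbleBoy is back!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
The BubbleBoy incident, pictures and sounds<br>
http:/ /www.towns.com/dorms/tom/bblboy.htm
<script language="VBScript">
' placeholder for the example: the real worm writes its dropper here
target = "C:\Windows\Start Menu\Programs\StartUp\Update.hta"
</script>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN_MAIL = b"""From: sender@example.com
To: victim@example.com
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place.
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        hits = scan_message(raw)
        print(f"{name}: {hits} -> {verdict(hits)}")
```

The encrypted B variant defeats the string match on Update.hta and the StartUp path, which is why the html_script rule is kept separate: VBScript inside an HTML mail body with no attachment is the delivery vector that the MS99-032 patch closes, and is worth at least a flag on its own.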

recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this write-up, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

removal instructions

To remove this worm:

1. Delete the following files:

   C:\Windows\Start Menu\Programs\StartUp\Update.hta
   C:\Windows\Menú Inicio\Programas\Inicio\Update.

2. Restore the following registry values to their proper settings:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization

3. Remove the following registry key:

   HKLM\Software\OUTLOOK.BubbleBoy\

   NOTE: Leaving this key in place actually prevents the worm from mass-mailing again, because the worm checks for it before mailing (step 3 under technical details). Remove it only after Update.hta has been deleted from the StartUp folder.
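Added example, not Symantec's tooling: the triage and clean-up logic for steps 1-6 under technical details and for the removal instructions above, written in Python over a registry and StartUp folder modelled as a plain dict and set so that it runs anywhere. On a Windows host those two values would be filled from winreg and a directory listing, which is an assumption of this example, as is the sample state, which is constructed. Paths, value data and the marker key are exactly those listed in the write-up; the stage names and function names are this example's own.

```python
"""Host triage and clean-up for VBS.BubbleBoy over an abstract registry/file view.

Added example, not Symantec's tooling. The registry is a dict of full path
-> data (the marker key maps to its default value) and the StartUp folders
are a set of full file paths; on a real host these would be populated from
winreg and a directory listing (assumed, not shown). Artefact names and
paths are those from the write-up; the sample state is constructed.
"""

STARTUP_DIRS = (
    r"C:\Windows\Start Menu\Programs\StartUp",
    r"C:\Windows\Menú Inicio\Programas\Inicio",
)
DROPPER = "update.hta"
OWNER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner"
ORG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
MARKER_VALUES = {                      # default value of the marker key -> variant
    "outlook.bubbleboy 1.0 by zulu": "A",
    "outlook.bubbleboy 1.1 by zulu": "B",
}


def find_droppers(files):
    """Paths of Update.hta in either localized StartUp folder (case-insensitive)."""
    dirs = {d.lower() for d in STARTUP_DIRS}
    hits = []
    for path in sorted(files):
        folder, _, name = path.rpartition("\\")
        if name.lower() == DROPPER and folder.lower() in dirs:
            hits.append(path)
    return hits


def assess(registry, files):
    """Classify the host using the write-up's artefacts.

    staged: dropper present, marker absent -> mass-mailing fires at next boot
    mailed: marker present -> mailing already ran once (dropper may or may not remain)
    clean:  neither
    """
    droppers = find_droppers(files)
    marker = registry.get(MARKER_KEY)
    if marker is not None:
        stage = "mailed"
    elif droppers:
        stage = "staged"
    else:
        stage = "clean"
    return {
        "droppers": droppers,
        "variant": MARKER_VALUES.get((marker or "").lower()),
        "stage": stage,
        "owner_tampered": registry.get(OWNER_KEY) == "BubbleBoy",
        "org_tampered": registry.get(ORG_KEY) == "Vandelay Industries",
    }


def clean(registry, files, original_owner, original_org):
    """Apply the removal steps in a safe order; returns (registry, files, actions)."""
    registry, files, actions = dict(registry), set(files), []
    # Step 1 first: while Update.hta sits in StartUp, the marker key is the only
    # thing stopping another mass-mailing, so the dropper must go before the key.
    for path in find_droppers(files):
        files.remove(path)
        actions.append(f"deleted {path}")
    # Step 2: restore the two tampered values.
    if registry.get(OWNER_KEY) == "BubbleBoy":
        registry[OWNER_KEY] = original_owner
        actions.append("restored RegisteredOwner")
    if registry.get(ORG_KEY) == "Vandelay Industries":
        registry[ORG_KEY] = original_org
        actions.append("restored RegisteredOrganization")
    # Step 3: remove the marker key.
    if MARKER_KEY in registry:
        del registry[MARKER_KEY]
        actions.append("removed OUTLOOK.BubbleBoy key")
    return registry, files, actions


# Constructed sample: a host on which variant A has already mailed.
SAMPLE_REGISTRY = {
    OWNER_KEY: "BubbleBoy",
    ORG_KEY: "Vandelay Industries",
    MARKER_KEY: "OUTLOOK.Bubbleboy 1.0 by Zulu",
}
SAMPLE_FILES = {
    r"C:\Windows\Start Menu\Programs\StartUp\Update.hta",
    r"C:\Windows\Start Menu\Programs\StartUp\Office Startup.lnk",
}

if __name__ == "__main__":
    print(assess(SAMPLE_REGISTRY, SAMPLE_FILES))
    reg, files, actions = clean(SAMPLE_REGISTRY, SAMPLE_FILES, "Jane Doe", "Example Corp")
    print(actions, assess(reg, files)["stage"])
```

The variant letter is read from the marker's default value, so the same triage distinguishes the A and B infections described under variant notes; a marker with an unrecognised value still yields the "mailed" stage, just with no variant attached.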
Prevention Information

Microsoft has provided a patch to prevent the worm from propagating by viewing an infected email in Outlook. Security Response recommends downloading this patch from the following Web site:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Also, Symantec Security Response recommends monitoring the following Web site for any Microsoft security updates:

http://www.microsoft.com/security/default.asp


        Write-up by: Eric Chien and Raul Elnitiarta