BEWARE OF VBS/BUBBLEBOY WORM

Virus name: VBS/BubbleBoy

Alias: Wscript.BubbleBoy

Virus type: Internet worm

Threat level: Low

Virus details:

VBS/BubbleBoy is the first e-mail worm to infect computers without using attachments. Historically, you were safe from virus infection as long as you didn't open e-mail attachments, but this worm changes that. It uses a vulnerability discovered by Georgi Guninski in which many versions of Internet Explorer 5 allow any HTML file or e-mail to write files without ActiveX authorization. It will ONLY infect PCs running Windows 98 with Internet Explorer 5 and Outlook or Outlook Express.

When the e-mail is viewed in Outlook or Outlook Express, the VBScript code in it creates "UPDATE.HTA" in the startup directory. This only works in English and Spanish Windows versions. The file runs at the next startup and changes the registered owner to "BubbleBoy" and the registered organization to "Vandelay Industries". Then it tries to use Outlook to send the e-mail worm to all contacts in each list of the address book. The e-mail subject will be "BubbleBoy is back!" and the body will have the text "The BubbleBoy incident, pictures and sounds" and a link to a URL.

The Outlook code won't run if the "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" registry key has the "OUTLOOK.BubbleBoy 1.0 by Zulu" value, or "OUTLOOK.BubbleBoy 1.1 by Zulu" in the case of version 1.1. If it doesn't exist it will be created, so the mails won't be sent more than once. Finally, the worm displays the following message:

"System error, delete "UPDATE.HTA" from the startup folder to solve this problem."

So "UPDATE.HTA" is created when the e-mail is viewed in either Outlook or Outlook Express. Because of this, the small payload (changing the registration information) works on both mail clients, but the e-mail worm is sent from Outlook only.

Changes between 1.0 and 1.1:

- The HTA file used at startup is now VBScript encoded.

How can I protect my system?

Solo has incorporated BubbleBoy in its signature file to protect users from this worm attack. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect your system from all virus threats.

Microsoft have released a patch to deal with this security problem, which we strongly recommend users install. For further information and to download the patch, please view http://www.microsoft.com/TechNet/IE/tools/scrpteye.asp. You should install this security patch after deleting the BubbleBoy-infected files. Otherwise it will catch you again.

How to remove this worm?

You can check the system manually. This worm creates the file "UPDATE.HTA" in the "C:\windows\start menu\programs\startup" folder. If the file is present in the folder, your PC is infected with this virus.
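The indicators named in this advisory, checked over a mounted copy of a disk and over a raw e-mail message, as an added example (not code from Solo or Microsoft). The file name, startup path, subject and body text come from the text above; the function names, the sample message and the "vbscript" HTML heuristic are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy

# Indicators quoted from the advisory text.
DROPPED_NAME = "update.hta"
STARTUP_DIR = ("windows", "start menu", "programs", "startup")
SUBJECT = "BubbleBoy is back!"
BODY_TEXT = "The BubbleBoy incident, pictures and sounds"

# Constructed sample message (not a captured specimen; carries no script).
SAMPLE = (b"From: a@example.com\r\nSubject: BubbleBoy is back!\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<html><body>The BubbleBoy incident, pictures and sounds</body></html>\r\n")

def find_dropped_files(root):
    """Walk a mounted copy of the disk; return (path, in_startup) per UPDATE.HTA.
    FAT names are case-insensitive, so path components are compared lowercased."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = tuple(p.lower() for p in os.path.relpath(dirpath, root).split(os.sep))
        for name in files:
            if name.lower() == DROPPED_NAME:
                hits.append((os.path.join(dirpath, name), parts[-4:] == STARTUP_DIR))
    return hits

def message_indicators(raw):
    """Return the set of advisory indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    if SUBJECT.lower() in str(msg.get("Subject", "")).lower():
        found.add("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        text = part.get_content().lower()
        if BODY_TEXT.lower() in text:
            found.add("body")
        if part.get_content_subtype() == "html" and "vbscript" in text:
            found.add("vbscript-in-html")  # heuristic: script embedded in HTML mail
    return found

if __name__ == "__main__":
    print(message_indicators(SAMPLE))
    print(find_dropped_files("."))
```

A hit outside the startup folder is still reported, with in_startup set to False, because the advisory gives only the English path.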

If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove BubbleBoy safely. Use the following link to download a 30-day trial version of Solo Antivirus to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link