
VBS/Bubbleboy@MM

Type: Virus
SubType: VBScript worm
Discovery Date: 11/08/1999
Length:
Minimum DAT: 4052 (11/17/1999)
Updated DAT: 4392 (09/16/2004)
Minimum Engine: 5.1.00
Description Added: 11/08/1999
Description Modified: 06/23/2001 2:48 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low


Characteristics

This is an Internet worm that requires Internet Explorer 5 with Windows Scripting Host (WSH) installed; WSH is standard in Windows 98 and Windows 2000 installations. It does not run on Windows NT due to hard-coded limitations. The worm is embedded within an HTML-format email message and does not contain an attachment. It is written in VBScript. There are two variants; the .b variant is encrypted.
This worm affects only English and Spanish installations of Windows.
In MS Outlook, this worm requires that you open the email. It will not run from the Preview Pane.
In MS Outlook Express, the worm is activated if the Preview Pane is used!
In both cases, if the security settings for the Internet Zone in IE5 are set to High, the worm will not be executed. The vulnerability exploited by this worm has been addressed by Microsoft with a security patch. Installing this Internet Explorer patch will prevent the execution of this worm under default security settings. Network Associates recommends applying this patch to all desktops running IE.

Read about and download the Microsoft scriptlet.typelib/Eyedog Patch
After the VBScript executes, it writes the file UPDATE.HTA to the local machine, and the .HTA file is invoked during the next Windows startup. The UPDATE.HTA file is coded to do the following:
* Change the registered owner via the registry to BubbleBoy

* Change the registered organization to Vandelay Industries

* Send itself embedded in an email message to EVERY contact in EVERY EMAIL ADDRESS BOOK of MS Outlook

* Set the registry key to indicate that the email distribution has occurred. Email distribution will not be repeated.

The email is a message with the following information:

From: person who sent worm unintentionally

Subject: BubbleBoy is back!
Message Body: The BubbleBoy incident, pictures and sounds

http://www.towns.com/dorms/tom/bblboy.htm

This is not a valid web page.

Symptoms

Registry key modification:
HKLM\Software\OUTLOOK.BubbleBoy = OUTLOOK.Bubbleboy 1.0 by Zulu
or
HKLM\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu

HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy
HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries

NOTE:
AVERT recommends scanning all files at the gateway. For desktops, add .HT? to the extensions list of files scanned by VShield for both the VirusScan 9x and VirusScan NT products. Adding .HT? to the extension list for on-demand scanning will provide protection as well.

AVERT recommends filtering the subject line with the WebShield SMTP product - see www.nai.com for more information about this product.
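The subject-line filtering recommended above, sketched as an added example (this is not WebShield's or AVERT's code). It also shows why attachment-extension rules do not help here: the message carries no attachment, so the HTML body itself has to be inspected. The function names, the body rule and the sample messages are constructed for illustration.

```python
import email
from email import policy

# Strings taken from the message described above, lower-cased for comparison.
WORM_SUBJECT = "bubbleboy is back!"
BODY_MARKERS = ("the bubbleboy incident, pictures and sounds",
                "www.towns.com/dorms/tom/bblboy.htm")

def inspect_message(raw: bytes) -> dict:
    """Score one RFC 822 message the way a subject/body gateway rule would."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    hits, attachments = set(), 0
    if subject == WORM_SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1  # stays 0 for this worm: it has no attachment
            continue
        if part.get_content_maintype() != "text":
            continue
        # latin-1 decodes any byte, so an odd charset cannot crash the filter.
        text = (part.get_payload(decode=True) or b"").decode("latin-1").lower()
        if any(marker in text for marker in BODY_MARKERS):
            hits.add("body-text")
        if part.get_content_subtype() == "html" and "<script" in text:
            hits.add("html-script")
    # Subject match is the recommended rule; the body rule is an added assumption.
    quarantine = "subject" in hits or {"body-text", "html-script"} <= hits
    return {"quarantine": quarantine, "hits": sorted(hits), "attachments": attachments}

def sample(subject: str, subtype: str, body: str) -> bytes:
    # Constructed test messages; the script element is an empty placeholder.
    return (f"From: alice@example.test\r\nTo: bob@example.test\r\n"
            f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
            f"Content-Type: text/{subtype}; charset=us-ascii\r\n\r\n{body}\r\n").encode()

HTML = ("<html><body>The BubbleBoy incident, pictures and sounds"
        "<script language=\"VBScript\">' placeholder</script></body></html>")
WORM_LIKE = sample("BubbleBoy is back!", "html", HTML)
RENAMED = sample("Fwd: photos", "html", HTML)
BENIGN = sample("Meeting notes", "plain", "Agenda attached separately.")

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE), ("renamed", RENAMED), ("benign", BENIGN)):
        print(name, inspect_message(raw))
```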

Method of Infection

This worm creates the file UPDATE.HTA in the C:\windows\startmenu\programs\startup folder. Upon Windows startup or restart, the worm code is invoked.

WebShield for Solaris 4.0

WebShield for Solaris 4.0 detects the BubbleBoy virus in SMTP mail when configured at the High scanning level and configured to Discard infected files. Mail messages carrying the virus will be sent to their destination with a notice of virus removal in place of the original HTML code.

Gauntlet 5.5 for UNIX

Gauntlet 5.5 for UNIX detects the BubbleBoy virus in SMTP mail when configured to use a Local scanning agent. The agent must be configured to scan All files and to Discard infected files. Mail messages carrying the virus will be sent to their destination with a notice of virus removal in place of the original HTML code.
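A triage check for the host indicators listed under Symptoms and Method of Infection, as an added example (not McAfee's or AVERT's code). It assumes the registry was exported as REGEDIT4 text and that the caller supplies the file names found in the startup folder; the function names and sample data are constructed for illustration.

```python
import re

# Indicators from the page, lower-cased: registry names are case-insensitive.
SOFTWARE = r"hkey_local_machine\software"
MARKER = "outlook.bubbleboy"
CURRENT_VERSION = SOFTWARE + r"\microsoft\windows\currentversion"
CHANGED = {"registeredowner": "bubbleboy", "registeredorganization": "vandelay industries"}
DROPPED_FILE = "update.hta"
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"')

def parse_reg_export(text: str) -> dict:
    """Parse string values of a REGEDIT4 export into {key: {name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.fullmatch(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys

def find_indicators(reg_text: str, startup_listing: list) -> list:
    keys, found = parse_reg_export(reg_text), []
    # The page writes the marker two ways: accept a named value under
    # Software or the default value of a key called OUTLOOK.BubbleBoy.
    marker = (keys.get(SOFTWARE, {}).get(MARKER)
              or keys.get(SOFTWARE + "\\" + MARKER, {}).get(""))
    if marker and marker.lower().startswith(MARKER):
        found.append("marker")
    current_version = keys.get(CURRENT_VERSION, {})
    found += [n for n, v in CHANGED.items() if current_version.get(n, "").lower() == v]
    if any(f.lower() == DROPPED_FILE for f in startup_listing):
        found.append("startup-file")
    return found

# Constructed sample data, not taken from a real machine.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.Bubbleboy 1.1 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubbleboy"
"RegisteredOrganization"="Vandelay Industries"
"""
SAMPLE_STARTUP = ["UPDATE.HTA", "Office Startup.lnk"]

if __name__ == "__main__":
    print(find_indicators(SAMPLE_REG, SAMPLE_STARTUP))
```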

Removal

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants


  • VBS/Bubbleboy.A
  • VBS/Bubbleboy.B


Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Bubbleboy
