| Name | BubbleBoy |
|---|---|
| A.K.A | Seinfeld, BBV |
| Type | e-mail worm |
| Author | Zulu |
| Size | 4992 bytes |

BubbleBoy is an Internet worm that requires Internet Explorer 5 with Windows Scripting Host installed (WSH is standard in Windows 98 and Windows 2000 installations). It does not run on Windows NT due to hard-coded limitations. BubbleBoy is embedded within an HTML-format email message and does not contain an attachment. BubbleBoy is written in VB Script. There are two variants; the .b variant is encrypted. In MS Outlook, BubbleBoy requires that you "open" the email; it will not run if you are using the "Preview Pane". In MS Outlook Express, the worm is activated if the "Preview Pane" is used!

After the VB Script executes, BubbleBoy writes the file UPDATE.HTA to the local machine, and during the next Windows startup the .HTA file is invoked. The UPDATE.HTA file is coded to do the following:

- Change the registered owner via the registry to "BubbleBoy"
- Change the registered organization to "Vandelay Industries"
- Send itself embedded in an email message to every contact in the address book of Microsoft Outlook
- Set a registry key to indicate that the email distribution has occurred, which prevents it from continuously re-sending the emails

The message sent by BubbleBoy looks as follows:
From: (name of infected user)
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds http://www.towns.com/dorms/tom/bblboy.htm
The page that the URL refers to does not exist; however, it seems that it should refer to http://www.toptown.com/dorms/rick/bblboy.htm, which is a web page with details of the "Bubble Boy" episode of the Seinfeld TV series.
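
The traits described above (a fixed subject and body line, an HTML part carrying script, and no attachment) can be turned into a mail-filter check. The following Python sketch is an added example, not code from the original write-up; it assumes the script sits in a `<script>` element of the HTML part, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Indicators quoted in the write-up above.
SUBJECT = "BubbleBoy is back!"
BODY_MARKER = "The BubbleBoy incident, pictures and sounds"
# Assumption: the embedded script is carried in a <script> element.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def inspect_message(raw):
    """Return the sorted list of reasons a raw RFC 822 message is suspicious."""
    msg = message_from_string(raw)
    reasons, has_attachment = set(), False
    if (msg.get("Subject") or "").strip().lower() == SUBJECT.lower():
        reasons.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():          # a named part is an attachment
            has_attachment = True
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:              # unknown charset label
            text = payload.decode("latin-1")
        if BODY_MARKER.lower() in text.lower():
            reasons.add("body")
        if part.get_content_type() == "text/html" and SCRIPT_TAG.search(text):
            reasons.add("html-script")
    # The worm needs no attachment: script in the HTML body is the carrier.
    if "html-script" in reasons and not has_attachment:
        reasons.add("script-without-attachment")
    return sorted(reasons)

# Constructed samples: the script element holds only a harmless comment.
SAMPLE_WORM = (
    "From: alice@example.test\n"
    "Subject: BubbleBoy is back!\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    "<html><body>The BubbleBoy incident, pictures and sounds\n"
    "<script language=\"VBScript\">' constructed placeholder\n</script>\n"
    "</body></html>\n"
)
SAMPLE_CLEAN = (
    "From: bob@example.test\nSubject: Lunch?\n"
    "Content-Type: text/plain\n\nNoon at the usual place.\n"
)

if __name__ == "__main__":
    for name, raw in (("worm-like", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_message(raw))
```

The `html-script` reason on its own also flags other script-bearing HTML mail, so it works as a generic gateway rule; the subject and body strings only identify this particular message.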
To protect yourself from BubbleBoy and similar viruses, you should download the patch released by Microsoft Corporation on their website.