National Infrastructure Protection Center (NIPC)
Information Systems
BubbleBoy Virus/Worm
November 12, 1999

Discovery Date: 11/8/99
Type: VBScript
Variants: A, B
Risk: Medium

The virus known as "BubbleBoy," first seen by the antiviral community on Monday, has now been posted to a public Website in Japan that is devoted to virus writing. The BubbleBoy virus is the first e-mail-borne computer script that does not require a user to open an e-mail or e-mail attachment to infect its host. To date, there have been no reported victims of the virus, but since it is now available for download and imitation by virus writers, its release "into the wild" of the Internet community and the appearance of destructive variants are highly likely.

While its current variants are relatively harmless, in the past similar scripts have been quickly modified by virus writers to include destructive payloads (programs that modify or erase files, for example). BubbleBoy's potential danger, plus the ease with which it is capable of spreading, warrant a medium risk level.

The virus requires Internet Explorer 5.0 (IE5) with Windows Scripting Host installed (standard in MS Windows 98 and 2000) and the use of Microsoft Outlook or Outlook Express. According to Microsoft, in Outlook a user must open the e-mail for the virus to spread, while in Outlook Express the virus is activated even if the user only uses the Preview Panel. The virus is not activated by any other e-mail clients, nor can it run on any operating system other than Windows 95/98. Also, if system users or administrators set IE5 security to high, the current variants of BubbleBoy cannot be executed.

BubbleBoy appears as an e-mail with "BubbleBoy is Back!" in the subject line. It is embedded within an HTML-formatted e-mail message and so does not require an e-mail attachment host.

Written in Visual Basic Script, the virus writes the file UPDATE.HTA to the local machine, and during the next Windows startup the .HTA file is invoked. In its current variations, the virus changes the system's owner to "BubbleBoy" and the organization to "Vandelay Industries." It then mails itself to all users in the Outlook address book. (It also sets the registry key to indicate that the e-mail distribution has occurred.) It is possible that future variants will have different characteristics.

The virus takes advantage of a security hole in IE5, discovered in August, that allows two potentially malicious ActiveX controls (scriptlet.typelib and Eyedog) to run. Therefore, installing a patch for this hole will prevent the BubbleBoy virus from propagating.

The NIPC encourages computer users to contact their anti-virus vendor for the latest anti-virus updates. Users of Internet Explorer are encouraged to download the IE5 patch at: http://www.microsoft.com/security/bullentins/ms99-032.asp.

Recipients are strongly encouraged to report any evidence of infection to the CERT Coordination Center, your local FBI Field Office, the NIPC Watch and Warning Unit, or military or civilian computer response organization, as appropriate. The NIPC Watch and Warning Unit can be reached at NIPC.WATCH@FBI.GOV.
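
As an added illustration (not part of the NIPC advisory), the following Python mail-gateway check looks for the indicators the advisory names in the subject and HTML body of a message, since a filter that inspects only attachments would not see this virus. The function name, the constructed sample messages and the rule of flagging any script tag in HTML mail are assumptions made for this example.

```python
import email
from email import policy

# Indicators taken from the advisory text; matching is case-insensitive.
SUBJECT = "bubbleboy is back!"
BODY_MARKERS = ("scriptlet.typelib", "eyedog", "update.hta")

def scan_message(raw):
    """Return the list of advisory indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    for part in msg.walk():
        # The script rides in the HTML body itself, not in an attachment.
        if part.get_content_type() != "text/html":
            continue
        try:
            html = part.get_content().lower()
        except (LookupError, UnicodeError):
            # Unknown or broken charset: fall back to a byte-preserving decode.
            html = part.get_payload(decode=True).decode("latin-1").lower()
        # Assumption: any script in HTML mail is worth flagging on its own.
        if "<script" in html and "html-script" not in hits:
            hits.append("html-script")
        hits += [m for m in BODY_MARKERS if m in html and m not in hits]
    return hits

# Constructed, inert samples: the script body is only a VBScript comment.
SAMPLE_SUSPECT = (
    b"From: a@example.test\r\n"
    b"Subject: BubbleBoy is Back!\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body><script language=\"VBScript\">\r\n"
    b"' placeholder naming Scriptlet.TypeLib and UPDATE.HTA\r\n"
    b"</script></body></html>\r\n"
)
SAMPLE_CLEAN = (
    b"From: b@example.test\r\nSubject: Lunch\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body><p>Noon?</p></body></html>\r\n"
)

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, scan_message(raw))
```

Because the advisory expects variants with different characteristics, the subject match is the weakest of these checks; the script and ActiveX control names in the HTML body are the more durable signals.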