
The BubbleBoy Worm: Naah! This is not the same
by P. Shah

'Bubble boy', the new email worm, seems to have broken all the definitions previously used to define viruses. This worm spreads over the Internet through infected email messages. It attaches itself to a message "without attachments" by running its code from the message body. What makes this worm particularly nefarious is that it not only takes over your system resources, disk files and system registry, processes the Outlook address book and sends infected messages to the addresses in your list, but if a user has the preview pane enabled while running Outlook Express, the system is infected without any user intervention.

Considering the security vulnerability and the wide usage of the MS operating systems Windows 98/2000 with Internet Explorer 5.0, MS Outlook 98/2000 or MS Outlook Express, the effects of this bug could range from a damp squib on one side to a catastrophe on the other.

More about Bubbleboy:

Type: Email Worm
Platform: MS Windows with Internet Explorer 5.0, MS Outlook 98/2000 or MS Outlook Express

It could come to you in this form:

From: {name of infected user}
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds

- This is a dead link

Technical Details:

The worm could enter your system in two ways.

Outlook Express allows the creation of messages in HTML format. Since an HTML message may contain code such as VBS (Visual Basic Script), that code is executed when the message is opened.

It spreads further using what is called the "Scriptlet.Typelib" security vulnerability. After breaching the Internet Explorer 5 security settings, it creates an HTA file containing the worm code and puts the file in Startup. The script creates the "UPDATE.HTA" file in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP" directory. The next time you start your machine it runs automatically, corrupting files, the registry and other resources without any security alert.

It assumes that Windows is always installed in the C:\WINDOWS directory, and in case you did not install it there, guess what? You are safe! The worm cannot create its file and fails to replicate further.
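The two entry points above (script in an HTML mail body, and an .HTA written to the Startup folder) suggest a simple mail-gateway check. The following scanner is an added example and not part of the original article or any vendor tool; the indicator names and patterns are my own assumptions, and the sample message is constructed to resemble the one described above without carrying any worm code.

```python
import email
import re
from email import policy

# Indicators taken from the article's description of BubbleBoy: a VBScript block in
# an HTML mail body, the Scriptlet.TypeLib control, and an .HTA written to the
# Windows Startup folder. The indicator names and patterns are my own assumptions.
INDICATORS = {
    "vbscript_block": re.compile(r"<script[^>]*language\s*=\s*[\"']?vbs(cript)?", re.I),
    "scriptlet_typelib": re.compile(r"scriptlet\.typelib", re.I),
    "hta_file": re.compile(r"\.hta\b", re.I),
    "startup_folder": re.compile(r"start\s*menu\\programs\\startup", re.I),
}


def scan_message(raw: bytes) -> list:
    """Return the sorted indicator names that fire on the HTML parts of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # HTML mail is the vector; plain-text parts cannot carry live script
        body = part.get_content()
        hits.update(name for name, pat in INDICATORS.items() if pat.search(body))
    return sorted(hits)


def is_suspicious(raw: bytes) -> bool:
    """A script block alone is noisy in HTML mail; require it plus at least one more indicator."""
    hits = scan_message(raw)
    return "vbscript_block" in hits and len(hits) >= 2


# Constructed sample modelled on the message the article describes; it carries only
# marker strings inside a comment, not worm code.
SAMPLE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: BubbleBoy is back!
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>The BubbleBoy incident, pictures and sounds
<script language="VBScript">
' constructed marker only: Scriptlet.TypeLib
' C:\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\UPDATE.HTA
</script></body></html>
"""

# Same headers, harmless body: a script-free HTML newsletter.
BENIGN = SAMPLE.split(b"\n\n", 1)[0] + b"\n\n<html><body><p>No script here.</p></body></html>\n"
```

On the sample, `scan_message` reports all four indicators and `is_suspicious` is true; the benign newsletter yields no hits.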

Here are a few options:

1. Stop using HTML Applications by removing the file type association ("Scriptlet.Typelib" security vulnerability)

  • In My Computer choose View -> Options...
  • Under File Types tab in the 'registered file types' list box select "HTML Application"
  • Click remove button

2. Change the IE 5 security settings
(This may deny your access to certain sites)

  • Open the IE 5 explorer and go to Internet options
  • Click the security tab
  • Under 'Security level for this zone' change the security from medium to high
  • Click the Ok Button

3. To eliminate the security loopholes you could use the updates and patches supplied by the vendor, and install the Scriptlet.Typelib and Eyedog updates

Additional Resources:
Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-032faq.asp

Additional References:

ZDNet -- http://www.zdnet.com/zdnn/stories/news/0,4586,1018067,00.html
Wired -- http://www.wired.com/news/reuters/0,1349,32434,00.html
Virus Bulletin -- http://www.virusbtn.com/VirusInformation/bboy.html
AVP antivirus --



Copyright 1999 Dr. Raj Mehta. All rights reserved.