BubbleBoy: a New Generation of Internet-Based Malicious Code

09 Nov 1999
Virus News

The antidote is already discovered

Cambridge, UK, November 10, 1999 - Kaspersky Lab Int., an international anti-virus software vendor, reports the discovery of a new generation of Internet-based malicious code that constitutes a real danger to all computer users and corporate networks. I-Worm.BubbleBoy is the first Internet worm able to spread through e-mail without using attachments: the worm can enter a system as soon as the infected message has been read.

All previously known Internet worms spread in the same way: they send themselves as attachments to e-mail messages. BubbleBoy enters a system as soon as an infected message has been read and then sends itself to the addresses in the MS Outlook address book without the user noticing.

"At this moment no cases of mass infection by this Internet-worm have been reported to us. However, we should warn all computer users to take all needed precautions in order to avoid the worm's further spreading," said Eugene Kaspersky, head of anti-virus research at Kaspersky Lab.

Infection Indications

An infection by BubbleBoy can be recognised as follows. The worm reveals its presence by adding these entries to the system registry:

HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu

or (depending on the version of the worm)

HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu

as well as

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = Bubbleboy

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries

Infection Prevention

To protect a system against the BubbleBoy worm, take one of the following steps:

  1. Install the update from Microsoft that fixes the "Scriptlet.Typelib" vulnerability. The update can be obtained at http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP
  2. If you do not use any HTML applications (HTA files), you can secure your system by removing the file association for the .HTA extension. Note that this does not fix the vulnerability itself; it only prevents HTML applications from being run. To remove the association, follow these steps:
    • Double-click the "My Computer" icon on the desktop;
    • In the window that appears, choose the "View" menu, then "Options...";
    • On the "File Types" tab, select the "HTML Application" item in the "Registered file types" list;
    • Click the "Remove" button and confirm the action;
    • Close the options dialog box.
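As an added example (not part of the Kaspersky Lab bulletin), the following Python script scans a registry export produced with `regedit /e` for the three indicators listed under "Infection Indications" and reports whether the .HTA file association that step 2 removes is still registered. The .reg parser, the choice of HKEY_CLASSES_ROOT\.hta as the key holding the .HTA association, and the sample export are this example's own assumptions and constructions.

```python
"""Scan a registry export (regedit /e output, REGEDIT4 or REGEDIT5 format) for
the BubbleBoy indicators given in the bulletin, and check whether the .HTA
file association (the thing step 2 removes) is still registered.

Added example; not part of the Kaspersky Lab bulletin. The sample export is
constructed, and HKEY_CLASSES_ROOT\\.hta is assumed to be the key that holds
the .HTA association."""
import re

# Indicators from the "Infection Indications" section. Registry paths and
# value names are case-insensitive on Windows, so comparisons are lowercased.
BUBBLEBOY_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
CURRENT_VERSION_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
HTA_KEY = r"HKEY_CLASSES_ROOT\.hta"  # assumption: extension-to-handler key for .HTA

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes and undo the backslash escapes .reg files use."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}. The default value (@) is stored
    under the name ''. Quoted string data is decoded; dword:/hex: data is kept
    as the raw text after '='."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).rstrip("\\")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line) if current is not None else None
        if not m:
            continue  # hex continuation lines etc. are not needed here
        name = "" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unquote(data)
        keys[current][name] = data
    return keys


def _lookup(keys, path):
    """Case-insensitive key lookup; returns {lowercased value name: data} or None."""
    for k, values in keys.items():
        if k.lower() == path.lower():
            return {n.lower(): d for n, d in values.items()}
    return None


def find_bubbleboy_indicators(keys):
    """Return a list describing each bulletin indicator present in the export."""
    found = []
    bb = _lookup(keys, BUBBLEBOY_KEY)
    if bb is not None:
        found.append("%s = %s" % (BUBBLEBOY_KEY, bb.get("", "<no default value>")))
    cv = _lookup(keys, CURRENT_VERSION_KEY) or {}
    if cv.get("registeredowner", "").lower() == "bubbleboy":
        found.append("RegisteredOwner = " + cv["registeredowner"])
    if cv.get("registeredorganization", "").lower() == "vandelay industries":
        found.append("RegisteredOrganization = " + cv["registeredorganization"])
    return found


def hta_association_present(keys):
    """True if the .HTA association key still exists, i.e. step 2 was not applied."""
    return _lookup(keys, HTA_KEY) is not None


# Constructed export of an infected machine that still has .HTA registered.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubbleboy"
"RegisteredOrganization"="Vandelay Industries"

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.Bubbleboy 1.0 by Zulu"

[HKEY_CLASSES_ROOT\.hta]
@="htafile"
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    keys = parse_reg_export(text)
    for line in find_bubbleboy_indicators(keys) or ["no BubbleBoy indicators found"]:
        print(line)
    print("HTA association registered:", hta_association_present(keys))
```

Run it with the path of a `regedit /e` export as its only argument; with no argument it scans the constructed sample. A machine that shows any of the three indicators should be treated as infected even if the .HTA association has since been removed, since the registry entries are left behind by the worm and are not undone by either prevention step.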
Technical Details