'BubbleBoy' infects via e-mail

A new malicious e-mail worm proves that you no longer have to open an attachment to infect your system with a virus.

While many users have learned the lessons of the past years' virus infections and now refrain from opening strange attachments sent to them via e-mail, that may no longer keep them safe, following the release of a proof of concept worm, called BubbleBoy.

While only a "proof of concept" worm, and not "in the wild" infecting user systems, BubbleBoy reflects a new danger: you don't have to open attachments, but only open the e-mail to read it.

"It's the first of its type, because simply activating the e-mail that is infected will launch the virus," said Chris Williams, senior manager at NAI Labs, the research arm of Network Associates. "It totally bypasses the previous philosophy of 'don't open that attachment if you don't know what it is'."

Once activated, BubbleBoy will send itself to every contact in every Microsoft Outlook or Outlook Express e-mail address book, but the worm itself does not carry a dangerous payload. BubbleBoy is a worm and not a virus, as it is network-aware and propagates itself using the same mass mailing feature as the Melissa virus.

Users will not immediately realise they have been infected, as the only effects are that the system's registered owner and organisation are changed, via the registry, to "BubbleBoy" and "Vandelay Industries", respectively.

The actual e-mail will come to a user's system with the "from" line referring to the person who unintentionally sent it and the subject line: "BubbleBoy is back!"

The body of the e-mail, when opened, will contain a black screen and the text, "The BubbleBoy incident, pictures and sounds," along with an invalid URL ending in "bblboy.htm."

To infect a system, this Internet worm requires Internet Explorer 5 with Windows Scripting Host installed, which is standard in Windows 98 and Windows 2000 installations. It does not seem to run on Windows NT, at this time.

It will infect users running Microsoft Outlook and Outlook Express. In Outlook, this worm requires that you "open" the e-mail, and will not run if the e-mail is viewed through the "Preview Pane." In Outlook Express, the worm activates even if the e-mail is only viewed through the "Preview Pane." In all cases, if the security settings for the Internet Zone in IE5 are set to High, the worm will not be executed.

After infection, BubbleBoy will set a registry key to indicate that the e-mail distribution has occurred, and subsequent re-infections of BubbleBoy will not spread again from the same machine.

The actual danger from BubbleBoy is low, as it does not include a dangerous payload, and hasn't been infecting systems, but the danger of so many infected e-mails launching from an e-mail system at once could be devastating enough.

"If it was to really kick, it could get worse than the fury of Melissa, because it's everybody in every single address book that you have," said Vincent Gullotto, director of the Anti-Virus Emergency Response Team for NAI.

BubbleBoy was sent anonymously to several antivirus vendors and organisations, possibly by the virus writer, and has been posted to underground virus sites. Copycat viruses that utilise BubbleBoy techniques are almost a certainty.

"We fully expect this exploit to be utilised in the next year (by other viruses)," said Gullotto.

The first line of defense for users is to not open any e-mails with the subject line "BubbleBoy is back", and to set any filtering or content scanning systems to watch for and stop the same e-mailed subject line. Antivirus vendors intend to provide updates to protect against the virus as soon as possible.
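
The subject-line filtering recommended above can be sketched as a mail-gateway check that also looks for the body text and URL ending described earlier. This is an added example, not code from the article or from any vendor named in it; the function names, sample messages and placeholder host are constructed, and the only indicators used are the strings quoted in the article.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article: subject line, body text, URL ending.
SUBJECT = "bubbleboy is back"
BODY_TEXT = "the bubbleboy incident, pictures and sounds"
URL_SUFFIX = re.compile(r"bblboy\.htm\b", re.IGNORECASE)

def bubbleboy_indicators(raw: bytes) -> list:
    """Return which of the article's indicators appear in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if SUBJECT in subject:
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and non-text attachments
        try:
            text = part.get_content()
        except (LookupError, UnicodeError):  # unknown or broken charset
            text = part.get_payload(decode=True).decode("latin-1")
        # Strip tags and collapse whitespace so HTML layout cannot hide the phrase.
        flat = " ".join(re.sub(r"<[^>]+>", " ", text).split()).lower()
        if BODY_TEXT in flat and "body-text" not in hits:
            hits.append("body-text")
        if URL_SUFFIX.search(text) and "url" not in hits:
            hits.append("url")
    return hits

def make_sample(subject: str, html: str) -> bytes:
    """Build a constructed multipart test message (indicator strings only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content("plain-text fallback")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()

# Constructed samples; the host name is a placeholder, not a value from the article.
SUSPECT = make_sample("BubbleBoy is back!",
    "<body bgcolor='black'><p>The BubbleBoy incident, pictures and sounds</p>"
    "<a href='http://placeholder.invalid/bblboy.htm'>link</a></body>")
ENCODED = (b"From: sender@example.com\r\nSubject: =?utf-8?q?BubbleBoy_is_back!?=\r\n"
           b"Content-Type: text/plain\r\n\r\nhello\r\n")
BENIGN = make_sample("Lunch on Friday?", "<p>See you at noon.</p>")
```

A gateway would quarantine any message for which `bubbleboy_indicators` returns a non-empty list; matching on a fixed subject line only catches this exact sample, so it complements rather than replaces the patching advice further down.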

Security vendor Trend Micro is also investigating the possibility that an already available patch from Microsoft may protect systems, according to Dan Schrader, vice president of new technology.

As BubbleBoy is written in Visual Basic (VB) Script, it uses Microsoft Active X control mobile code to infect systems.

"This is using an Active X control that is marked as being safe to run," said Schrader. "It seems to use these Active X controls that are incorrectly marked for scripting. That's why you have to have the VB scripting enabled to let it work."

While still researching the worm, Schrader recommends that users update their security patches in Internet Explorer 5, directly from Microsoft.

"Go to tools and Windows update, it will take them to a Microsoft page that will install all the latest security patches," said Schrader. "There have been quite a number of security patches."

Beyond the danger of a new and easier method of infection represented by BubbleBoy, there also lies the hassle of investigating virus hoaxes that previously could have been dismissed out of hand.

Hoaxes, which are often distributed by well-meaning e-mail users to friends and colleagues, often warn of "not opening an e-mail" because it contains a virus. Now that may be true, according to Narender Mangalam, director of security strategies for Computer Associates Inc., in Islandia, New York.

"Now we are not going to be able to ignore 'don't open this e-mail'," said Mangalam. "Now I'm going to have to investigate every single hoax. That affects the response time because we are going to have to look at all of these things."

Nevertheless, BubbleBoy proves what security experts have been worried about for years, that a virus or worm can infect a system with as little as opening an e-mail.

"The concept is quite scary," said Mangalam.

Matthew Nelson

PC World