Bubbleboy worries the experts

It may be the most overexposed computer virus threat that never was -- yet.

Bubbleboy, the newest wrinkle in PC viruses unveiled last week, may hold the title for the most famed virus ever. But as far as is known, it hasn't infected a single PC.

Named after a character in an episode of the Seinfeld television series, Bubbleboy was sent anonymously to major antivirus research labs last Monday. Virus experts believe it originated in Argentina, and that it was sent to researchers as a "proof of concept" from a proud virus writer who wanted to show what he (most virus writers are male) had discovered. It has not gone into the "wild", the term virus researchers use when a virus becomes widespread among users.

Beyond the media hype, Bubbleboy (technically a worm rather than a virus) has the experts worried for two major reasons.

It's the first malicious software that arrives as an e-mail attachment and can infect a PC without the user actually having to open the attachment. And more worrisome still, updating antivirus software won't stop it.

"Users should worry, but not about Bubbleboy -- it's all the clones and variations that will come that are the worry," says Roger Thompson, technical director of malicious code research for the ICSA (an independent organisation that certifies antivirus and security software).

And now that the word is out, experts predict the technique will be used by copycat virus writers to write new viruses that could become widespread. And unlike Bubbleboy, which doesn't do anything harmful other than spread itself, the next generations could include malicious payloads.

It's all in your Outlook

Bubbleboy (and the variants expected to come) can only infect PCs running Microsoft Outlook or Outlook Express 5.0. Users of other e-mail programs can rest easy, at least for now. And it only affects PCs running Windows 98; Windows 95 and NT users aren't affected. (Windows 2000 users may be, although that will depend on the final release of the operating system.) Bubbleboy uses a technique that takes advantage of a security hole in Microsoft's Visual BASIC Scripting language, which is used in Microsoft Internet Explorer. It allows two potentially destructive ActiveX controls (called scriptlet.typelib and Eyedog) to run. If you use Outlook or Outlook Express with the program's preview pane open (the default setting), and you preview a message with a Bubbleboy-infected attachment, a script is automatically inserted in the Windows Start directory. The next time you start your PC, the script runs and sends infected files to all the names in your Outlook address book.

In addition, Bubbleboy changes Windows registry entries so that the registered owner of your PC becomes "Bubbleboy," and the registered organisation is "Vandelay Industries."

Fix it, but not with antivirus software

Because antivirus software can't change the settings in the Visual BASIC scripting language, antivirus updates, which normally catch the latest viruses, won't be able to stop Bubbleboy-type viruses, at least not until antivirus researchers figure out new techniques.

Meanwhile, there are some steps you can take.

In August, Microsoft posted a fix that blocks the problematic ActiveX controls. The ICSA's Thompson says, "It is absolutely essential that users apply Microsoft's patch, and plug the hole. The problem is that this will take time, so people need to jump on it." Although only Windows 98 users are affected at present, Microsoft recommends that all users of Outlook Express, no matter what operating system they use, should install the patch.

Another step is to uninstall the Windows scripting host. Although doing so can affect the browser display from some Web sites, the effects are usually minimal. To uninstall, go to Start, Settings, Control Panel, and double-click the Add/Remove Program icon. Click the Windows Setup Tab, choose Accessories, and click the Details button. Scroll down the list until you see the "Windows Scripting Host" entry and uncheck the box. Click the OK button.

Finally, though it's highly unlikely, if you suspect that your PC has been infected by Bubbleboy, immediately go to the directory Windows/Start Menu/Programs/StartUp before you shut down your computer and look for a file named UPDATE.HTA. If it's there, delete it to remove the virus. (Doing so won't restore the user and organisation names in the registry, but editing the registry is beyond our scope here.)

Blocking attachments

While the game of cat and mouse between virus writers and virus researchers continues unabated, the Bubbleboy threat makes it a whole new ballgame.
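The manual check described above (UPDATE.HTA in the StartUp folder, plus the changed registration names) can be scripted for a mounted disk or a copied Windows directory. This is an added example, not part of the original article; the RegisteredOwner and RegisteredOrganization value names and the text registry export format are assumptions, and the sample data is constructed.

```python
import os
import re
import tempfile

# Indicators named in the article: dropped file name and registry strings.
DROPPED_FILE = "update.hta"
STARTUP_PARTS = ("start menu", "programs", "startup")
# Assumption: the export uses the standard Windows value names below.
REG_MARKERS = {"registeredowner": "bubbleboy",
               "registeredorganization": "vandelay industries"}

# Constructed sample: fragment of a text registry export from a suspect PC.
SAMPLE_REG = '''REGEDIT4
"RegisteredOwner"="Bubbleboy"
"RegisteredOrganization"="Vandelay Industries"
"ProductName"="Microsoft Windows 98"
'''

def find_startup_hta(windows_root):
    """Return UPDATE.HTA paths inside any Start Menu/Programs/StartUp folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(windows_root):
        parts = tuple(p.lower() for p in os.path.normpath(dirpath).split(os.sep))
        if parts[-3:] != STARTUP_PARTS:   # folder names compared case-insensitively
            continue
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == DROPPED_FILE]
    return sorted(hits)

def check_reg_export(reg_text):
    """Return owner/organisation values that match the strings the article lists."""
    found = {}
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"\s*$', reg_text, re.MULTILINE):
        name, value = m.group(1).lower(), m.group(2)
        if REG_MARKERS.get(name) == value.lower():
            found[m.group(1)] = value
    return found

def triage(windows_root, reg_text):
    """Combine both checks into one result a responder can log."""
    files = find_startup_hta(windows_root)
    reg = check_reg_export(reg_text)
    return {"startup_files": files, "registry": reg, "suspected": bool(files or reg)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # constructed directory tree
        startup = os.path.join(root, "Start Menu", "Programs", "StartUp")
        os.makedirs(startup)
        open(os.path.join(startup, "UPDATE.HTA"), "w").close()
        print(triage(root, SAMPLE_REG))
```

A copy of UPDATE.HTA outside the StartUp folder is deliberately not reported, since the article ties the infection to that one location.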

Some antivirus experts say that Bubbleboy may force some corporations, if not individual users, to go to the extreme measure of blocking all attachments from user e-mail. (Some antivirus software designed for networks can do this already, and it may appear in packages designed for stand-alone PCs.) Meanwhile, although Bubbleboy has changed the rules, experts underline that basic caution, such as deleting e-mail with attachments from unknown senders (and using a regularly updated antivirus package), can still eliminate the vast majority of threats.

And as a sound bite from an earlier TV series (Hill Street Blues) advises, "Be careful out there!"

Stan Miastkowski

PC World
