Bubbleboy worries the experts
15 November, 1999 21:49
It may be the most overexposed computer virus threat that never was -- yet.
Bubbleboy, the newest wrinkle in PC viruses unveiled last week, may hold the title for the most famed virus ever. But as far as is known, it hasn't infected a single PC.
Named after a character in an episode of the Seinfeld television series, Bubbleboy was sent anonymously to major antivirus research labs last Monday. Virus experts believe it originated in Argentina, and that it was sent to researchers as a "proof of concept" from a proud virus writer who wanted to show what he (most virus writers are male) had discovered. It has not gone into the "wild", the term virus researchers use when a virus becomes widespread among users.
Beyond the media hype, Bubbleboy (technically a worm rather than a virus) has the experts worried for two major reasons.
It's the first malicious software that arrives as an e-mail attachment and can infect a PC without the user actually having to open the attachment. And more worrisome still, updating antivirus software won't stop it.
"Users should worry, but not about Bubbleboy -- it's all the clones and variations that will come that are the worry," says Roger Thompson, technical director of malicious code research for the ICSA (an independent organisation that certifies antivirus and security software).
And now that the word is out, experts predict the technique will be used by copycat virus writers to write new viruses that could become widespread. And unlike Bubbleboy, which doesn't do anything harmful other than spread itself, the next generations could include malicious payloads.
It's all in your Outlook
Bubbleboy (and the variants expected to come) can only infect PCs running Microsoft Outlook or Outlook Express 5.0. Users of other e-mail programs can rest easy, at least for now. And it only affects PCs running Windows 98; Windows 95 and NT users aren't affected. (Windows 2000 users may be, although that will depend on the final release of the operating system.)
Bubbleboy uses a technique that takes advantage of a security hole in Microsoft's Visual BASIC Scripting language, which is used in Microsoft Internet Explorer. It allows two potentially destructive ActiveX controls (called scriptlet.typelib and Eyedog) to run. If you use Outlook or Outlook Express with the program's preview pane open (the default setting), and you preview a message with a Bubbleboy-infected attachment, a script is automatically inserted in the Windows Start directory. The next time you start your PC, the script runs and sends infected files to all the names in your Outlook address book.
In addition, Bubbleboy changes Windows registry entries so that the registered owner of your PC becomes "Bubbleboy," and the registered organisation is "Vandelay Industries."
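Because the script runs when a message is merely previewed, a mail gateway is one place to look for it before delivery. The Python code below is an added example, not part of the original article or any vendor's product: it decodes each HTML part of a message and reports which of the names mentioned above (scriptlet.typelib, Eyedog, UPDATE.HTA) appear inside a script block. The function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Indicators named in the article: the two ActiveX controls and the dropped file.
INDICATORS = {
    "scriptlet.typelib": re.compile(r"scriptlet\.typelib", re.I),
    "eyedog": re.compile(r"\beyedog\b", re.I),
    "UPDATE.HTA": re.compile(r"\bupdate\.hta\b", re.I),
}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

# Constructed sample: quoted-printable hides the control name from a raw-text grep.
SAMPLE_SUSPECT = """\
From: sender@example.test
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>hi<script language=3D"VBScript">
Set t =3D CreateObject("Scriptlet=2ETypeLib")
</script></body></html>
"""

# Constructed sample: the names appear only as visible text, not inside a script.
SAMPLE_BENIGN = """\
From: sender@example.test
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body><p>News item about scriptlet.typelib and UPDATE.HTA.</p></body></html>
"""


def html_parts(msg):
    """Yield the decoded text of every text/html part, at any nesting depth."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
            yield raw.decode("latin-1")  # lossless byte-to-char mapping for matching


def scan_message(raw_message):
    """Return sorted indicator names found inside <script> blocks of HTML parts."""
    hits = set()
    for html in html_parts(message_from_string(raw_message)):
        for script in SCRIPT_BLOCK.findall(html):
            hits.update(n for n, p in INDICATORS.items() if p.search(script))
    return sorted(hits)
```

Matching on the decoded part matters: in the first sample the control name never appears literally in the raw message text, so a plain string search over the undecoded message would miss it.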
Fix it, but not with antivirus software
Because antivirus software can't change the settings in the Visual BASIC scripting language, antivirus updates, which normally catch the latest viruses, won't be able to stop Bubbleboy-type viruses, at least not until antivirus researchers figure out new techniques.
Meanwhile, there are some steps you can take.
In August, Microsoft posted a fix that blocks the problematic ActiveX controls. The ICSA's Thompson says, "It is absolutely essential that users apply Microsoft's patch, and plug the hole. The problem is that this will take time, so people need to jump on it." Although only Windows 98 users are affected at present, Microsoft recommends that all users of Outlook Express, no matter what operating system they use, should install the patch.
Another step is to uninstall the Windows scripting host. Although doing so can affect the browser display from some Web sites, the effects are usually minimal. To uninstall, go to Start, Settings, Control Panel, and double-click the Add/Remove Program icon. Click the Windows Setup Tab, choose Accessories, and click the Details button. Scroll down the list until you see the "Windows Scripting Host" entry and uncheck the box. Click the OK button.
Finally, though it's highly unlikely, if you suspect that your PC has been infected by Bubbleboy, immediately go to the directory Windows/Start Menu/Programs/StartUp before you shut down your computer and look for a file named UPDATE.HTA. If it's there, delete it to remove the virus. (Doing so won't restore the user and organisation names in the registry, but editing the registry is beyond our scope here.)
Blocking attachments
While the game of cat and mouse between virus writers and virus researchers continues unabated, the Bubbleboy threat makes it a whole new ballgame.
Some antivirus experts say that Bubbleboy may force some corporations, if not individual users, to go to the extreme measure of blocking all attachments from user e-mail. (Some antivirus software designed for networks can do this already, and it may appear in packages designed for stand-alone PCs.) Meanwhile, although Bubbleboy has changed the rules, experts underline that basic caution, such as deleting e-mail with attachments from unknown senders (and using a regularly updated antivirus package), can still eliminate the vast majority of threats.
And as a sound bite from an earlier TV series (Hill Street Blues) advises, "Be careful out there!"