Bubbleboy worries the experts

It may be the most overexposed computer virus threat that never was -- yet.

Bubbleboy, the newest wrinkle in PC viruses unveiled last week, may hold the title for the most famed virus ever. But as far as is known, it hasn't infected a single PC.

Named after a character in an episode of the Seinfeld television series, Bubbleboy was sent anonymously to major antivirus research labs last Monday. Virus experts believe it originated in Argentina, and that it was sent to researchers as a "proof of concept" from a proud virus writer who wanted to show what he (most virus writers are male) had discovered. It has not gone into the "wild", the term virus researchers use when a virus becomes widespread among users.

Beyond the media hype, Bubbleboy (technically a worm rather than a virus) has the experts worried for two major reasons.

It's the first malicious software that arrives as an e-mail attachment and can infect a PC without the user actually having to open the attachment. And more worrisome still, updating antivirus software won't stop it.

"Users should worry, but not about Bubbleboy -- it's all the clones and variations that will come that are the worry," says Roger Thompson, technical director of malicious code research for the ICSA (an independent organisation that certifies antivirus and security software).

And now that the word is out, experts predict the technique will be used by copycat virus writers to write new viruses that could become widespread. And unlike Bubbleboy, which doesn't do anything harmful other than spread itself, the next generations could include malicious payloads.

It's all in your Outlook

Bubbleboy (and the variants expected to come) can only infect PCs running Microsoft Outlook or Outlook Express 5.0. Users of other e-mail programs can rest easy, at least for now. And it only affects PCs running Windows 98; Windows 95 and NT users aren't affected. (Windows 2000 users may be, although that will depend on the final release of the operating system.) Bubbleboy uses a technique that takes advantage of a security hole in Microsoft's Visual BASIC Scripting language, which is used in Microsoft Internet Explorer. It allows two potentially destructive ActiveX controls (called scriptlet.typelib and Eyedog) to run. If you use Outlook or Outlook Express with the program's preview pane open (the default setting), and you preview a message with a Bubbleboy-infected attachment, a script is automatically inserted in the Windows Start directory. The next time you start your PC, the script runs and sends infected files to all the names in your Outlook address book.

In addition, Bubbleboy changes Windows registry entries so that the registered owner of your PC becomes "Bubbleboy," and the registered organisation is "Vandelay Industries."

Fix it, but not with antivirus software

Because antivirus software can't change the settings in the Visual BASIC scripting language, antivirus updates, which normally catch the latest viruses, won't be able to stop Bubbleboy-type viruses, at least not until antivirus researchers figure out new techniques.

Meanwhile, there are some steps you can take.

In August, Microsoft posted a fix that blocks the problematic ActiveX controls. The ICSA's Thompson says, "It is absolutely essential that users apply Microsoft's patch, and plug the hole. The problem is that this will take time, so people need to jump on it." Although only Windows 98 users are affected at present, Microsoft recommends that all users of Outlook Express, no matter what operating system they use, should install the patch.

Another step is to uninstall the Windows scripting host. Although doing so can affect the browser display from some Web sites, the effects are usually minimal. To uninstall, go to Start, Settings, Control Panel, and double-click the Add/Remove Program icon. Click the Windows Setup Tab, choose Accessories, and click the Details button. Scroll down the list until you see the "Windows Scripting Host" entry and uncheck the box. Click the OK button.

Finally, though it's highly unlikely, if you suspect that your PC has been infected by Bubbleboy, immediately go to the directory Windows/Start Menu/Programs/StartUp before you shut down your computer and look for a file named UPDATE.HTA. If it's there, delete it to remove the virus. (Doing so won't restore the user and organisation names in the registry, but editing the registry is beyond our scope here.)

Blocking attachments

While the game of cat and mouse between virus writers and virus researchers continues unabated, the Bubbleboy threat makes it a whole new ballgame.
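The infection check described above (the UPDATE.HTA file in the StartUp folder, plus the changed registration names) can be scripted for an offline look at a suspect disk. This is an added example, not part of the original article; it assumes the Windows directory is mounted or copied somewhere readable and that the registry was exported as REGEDIT4 text, and the RegisteredOwner/RegisteredOrganization value names and the sample export are supplied here rather than taken from the article.

```python
import re
from pathlib import Path

# Indicators named in the article; matching is case-insensitive throughout.
STARTUP_PATH = ("start menu", "programs", "startup", "update.hta")
# Value names are an assumption added here (standard Windows registration values).
REG_MARKERS = {"RegisteredOwner": "bubbleboy",
               "RegisteredOrganization": "vandelay industries"}
REG_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample of a REGEDIT4 text export, for demonstration only.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Bubbleboy"
"RegisteredOrganization"="Vandelay Industries"
"Version"="Windows 98"
'''


def find_dropped_script(windows_dir):
    """Return every UPDATE.HTA under <windows_dir>/Start Menu/Programs/StartUp.

    Each path component is compared case-insensitively, so the check also
    works on a disk image mounted on a case-sensitive filesystem.
    """
    current = [Path(windows_dir)]
    for part in STARTUP_PATH:
        current = [child for d in current if d.is_dir()
                   for child in d.iterdir() if child.name.lower() == part]
    return [p for p in current if p.is_file()]


def check_registration(reg_text):
    """Return the registration values that carry the names the worm sets."""
    found = {}
    for line in reg_text.splitlines():
        m = REG_LINE.match(line.strip())
        if m and REG_MARKERS.get(m.group(1)) == m.group(2).strip().lower():
            found[m.group(1)] = m.group(2)
    return found


def triage(windows_dir, reg_text):
    """Combine both checks into one report for a suspect machine."""
    return {"startup_files": [str(p) for p in find_dropped_script(windows_dir)],
            "registry": check_registration(reg_text)}
```

An empty `startup_files` list together with an empty `registry` dict means neither indicator from the article was found.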

Some antivirus experts say that Bubbleboy may force some corporations, if not individual users, to go to the extreme measure of blocking all attachments from user e-mail. (Some antivirus software designed for networks can do this already, and it may appear in packages designed for stand-alone PCs.) Meanwhile, although Bubbleboy has changed the rules, experts underline that basic caution, such as deleting e-mail with attachments from unknown senders (and using a regularly updated antivirus package), can still eliminate the vast majority of threats.

And as a sound bite from an earlier TV series (Hill Street Blues) advises, "Be careful out there!"

Stan Miastkowski

PC World