Bubbleboy worries the experts

It may be the most overexposed computer virus threat that never was -- yet.

Bubbleboy, the newest wrinkle in PC viruses unveiled last week, may hold the title for the most famed virus ever. But as far as is known, it hasn't infected a single PC.

Named after a character in an episode of the Seinfeld television series, Bubbleboy was sent anonymously to major antivirus research labs last Monday. Virus experts believe it originated in Argentina, and that it was sent to researchers as a "proof of concept" from a proud virus writer who wanted to show what he (most virus writers are male) had discovered. It has not gone into the "wild", the term virus researchers use when a virus becomes widespread among users.

Beyond the media hype, Bubbleboy (technically a worm rather than a virus) has the experts worried for two major reasons.

It's the first malicious software that arrives as an e-mail attachment and can infect a PC without the user actually having to open the attachment. And more worrisome still, updating antivirus software won't stop it.

"Users should worry, but not about Bubbleboy -- it's all the clones and variations that will come that are the worry," says Roger Thompson, technical director of malicious code research for the ICSA (an independent organisation that certifies antivirus and security software).

And now that the word is out, experts predict the technique will be used by copycat virus writers to write new viruses that could become widespread. And unlike Bubbleboy, which doesn't do anything harmful other than spread itself, the next generations could include malicious payloads.

It's all in your Outlook

Bubbleboy (and the variants expected to come) can only infect PCs running Microsoft Outlook or Outlook Express 5.0. Users of other e-mail programs can rest easy, at least for now. And it only affects PCs running Windows 98; Windows 95 and NT users aren't affected. (Windows 2000 users may be, although that will depend on the final release of the operating system.) Bubbleboy uses a technique that takes advantage of a security hole in Microsoft's Visual BASIC Scripting language, which is used in Microsoft Internet Explorer. It allows two potentially destructive ActiveX controls (called scriptlet.typelib and Eyedog) to run. If you use Outlook or Outlook Express with the program's preview pane open (the default setting), and you preview a message with a Bubbleboy-infected attachment, a script is automatically inserted in the Windows Start directory. The next time you start your PC, the script runs and sends infected files to all the names in your Outlook address book.

In addition, Bubbleboy changes Windows registry entries so that the registered owner of your PC becomes "Bubbleboy," and the registered organisation is "Vandelay Industries."

Fix it, but not with antivirus software

Because antivirus software can't change the settings in the Visual BASIC scripting language, antivirus updates, which normally catch the latest viruses, won't be able to stop Bubbleboy-type viruses, at least not until antivirus researchers figure out new techniques.

Meanwhile, there are some steps you can take.

In August, Microsoft posted a fix that blocks the problematic ActiveX controls. The ICSA's Thompson says, "It is absolutely essential that users apply Microsoft's patch, and plug the hole. The problem is that this will take time, so people need to jump on it." Although only Windows 98 users are affected at present, Microsoft recommends that all users of Outlook Express, no matter what operating system they use, should install the patch.

Another step is to uninstall the Windows scripting host. Although doing so can affect the browser display from some Web sites, the effects are usually minimal. To uninstall, go to Start, Settings, Control Panel, and double-click the Add/Remove Program icon. Click the Windows Setup Tab, choose Accessories, and click the Details button. Scroll down the list until you see the "Windows Scripting Host" entry and uncheck the box. Click the OK button.

Finally, though it's highly unlikely, if you suspect that your PC has been infected by Bubbleboy, immediately go to the directory Windows/Start Menu/Programs/StartUp before you shut down your computer and look for a file named UPDATE.HTA. If it's there, delete it to remove the virus. (Doing so won't restore the user and organisation names in the registry, but editing the registry is beyond our scope here.) Blocking attachmentsWhile the game of cat and mouse between virus writers and virus researchers continues unabated, the Bubbleboy threat makes it a whole new ballgame.

Some antivirus experts say that Bubbleboy may force some corporations, if not individual users, to go to the extreme measure of blocking all attachments from user e-mail. (Some antivirus software designed for networks can do this already, and it may appear in packages designed for stand-alone PCs.) Meanwhile, although Bubbleboy has changed the rules, experts underline that basic caution, such as deleting e-mail with attachments from unknown senders (and using a regularly updated antivirus package), can still eliminate the vast majority of threats.

And as a sound bite from an earlier TV series (Hill Street Blues) advises, "Be careful out there!"

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stan Miastkowski

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?