Bubbleboy worries the experts

It may be the most overexposed computer virus threat that never was -- yet.

Bubbleboy, the newest wrinkle in PC viruses unveiled last week, may hold the title for the most famed virus ever. But as far as is known, it hasn't infected a single PC.

Named after a character in an episode of the Seinfeld television series, Bubbleboy was sent anonymously to major antivirus research labs last Monday. Virus experts believe it originated in Argentina, and that it was sent to researchers as a "proof of concept" from a proud virus writer who wanted to show what he (most virus writers are male) had discovered. It has not gone into the "wild", the term virus researchers use when a virus becomes widespread among users.

Beyond the media hype, Bubbleboy (technically a worm rather than a virus) has the experts worried for two major reasons.

It's the first malicious software that arrives as an e-mail attachment and can infect a PC without the user actually having to open the attachment. And more worrisome still, updating antivirus software won't stop it.

"Users should worry, but not about Bubbleboy -- it's all the clones and variations that will come that are the worry," says Roger Thompson, technical director of malicious code research for the ICSA (an independent organisation that certifies antivirus and security software).

And now that the word is out, experts predict the technique will be used by copycat virus writers to write new viruses that could become widespread. And unlike Bubbleboy, which doesn't do anything harmful other than spread itself, the next generations could include malicious payloads.

It's all in your Outlook

Bubbleboy (and the variants expected to come) can only infect PCs running Microsoft Outlook or Outlook Express 5.0. Users of other e-mail programs can rest easy, at least for now. And it only affects PCs running Windows 98; Windows 95 and NT users aren't affected. (Windows 2000 users may be, although that will depend on the final release of the operating system.) Bubbleboy uses a technique that takes advantage of a security hole in Microsoft's Visual BASIC Scripting language, which is used in Microsoft Internet Explorer. It allows two potentially destructive ActiveX controls (called scriptlet.typelib and Eyedog) to run. If you use Outlook or Outlook Express with the program's preview pane open (the default setting), and you preview a message with a Bubbleboy-infected attachment, a script is automatically inserted in the Windows Start directory. The next time you start your PC, the script runs and sends infected files to all the names in your Outlook address book.

In addition, Bubbleboy changes Windows registry entries so that the registered owner of your PC becomes "Bubbleboy," and the registered organisation is "Vandelay Industries."

Fix it, but not with antivirus software

Because antivirus software can't change the settings in the Visual BASIC scripting language, antivirus updates, which normally catch the latest viruses, won't be able to stop Bubbleboy-type viruses, at least not until antivirus researchers figure out new techniques.

Meanwhile, there are some steps you can take.

In August, Microsoft posted a fix that blocks the problematic ActiveX controls. The ICSA's Thompson says, "It is absolutely essential that users apply Microsoft's patch, and plug the hole. The problem is that this will take time, so people need to jump on it." Although only Windows 98 users are affected at present, Microsoft recommends that all users of Outlook Express, no matter what operating system they use, should install the patch.

Another step is to uninstall the Windows scripting host. Although doing so can affect the browser display from some Web sites, the effects are usually minimal. To uninstall, go to Start, Settings, Control Panel, and double-click the Add/Remove Program icon. Click the Windows Setup Tab, choose Accessories, and click the Details button. Scroll down the list until you see the "Windows Scripting Host" entry and uncheck the box. Click the OK button.

Finally, though it's highly unlikely, if you suspect that your PC has been infected by Bubbleboy, immediately go to the directory Windows/Start Menu/Programs/StartUp before you shut down your computer and look for a file named UPDATE.HTA. If it's there, delete it to remove the virus. (Doing so won't restore the user and organisation names in the registry, but editing the registry is beyond our scope here.) Blocking attachmentsWhile the game of cat and mouse between virus writers and virus researchers continues unabated, the Bubbleboy threat makes it a whole new ballgame.

Some antivirus experts say that Bubbleboy may force some corporations, if not individual users, to go to the extreme measure of blocking all attachments from user e-mail. (Some antivirus software designed for networks can do this already, and it may appear in packages designed for stand-alone PCs.) Meanwhile, although Bubbleboy has changed the rules, experts underline that basic caution, such as deleting e-mail with attachments from unknown senders (and using a regularly updated antivirus package), can still eliminate the vast majority of threats.

And as a sound bite from an earlier TV series (Hill Street Blues) advises, "Be careful out there!"

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stan Miastkowski

PC World
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?