First published: 11th November 1999
Data Fellows warns the public of potential future threat
Espoo, Finland - November 10, 1999 - Data Fellows Corporation, a leading provider of Internet security solutions, today announced the first virus found which activates by opening an e-mail message. VBS/Bubbleboy is the very first worm that is able to infect without opening an attachment. The worm will execute immediately after the user has opened the message in Microsoft Outlook.
As of Tuesday afternoon, Data Fellows had received no reports of this virus being in the wild, and it is not considered a big threat. However, Data Fellows wishes to warn the public of this new infection mechanism. The worm propagates as a Microsoft Outlook message. This message does not have a separate attachment, but the worm code is included in the message itself. However, if active scripting is disabled, the worm will not work. The worm uses ActiveX features to open Microsoft Outlook and uses it to send itself to all recipients in all address books, like the Melissa virus.
The message contains the following:
From: (name of infected user)
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds
The reference to Bubbleboy and the above link are references to a character in an episode of the TV show "Seinfeld".
The receiver of the e-mail becomes infected and spreads the worm without opening any attachment. The message does not contain any attachments. The mass mailing is executed only once per infected machine.
After the mass mailing, the worm will display a message box with the following text:
System error, delete "UPDATE.HTA" from the startup folder to solve the problem.
Bubbleboy is only able to spread under Microsoft Outlook 98, Microsoft Outlook 2000 and Microsoft Outlook Express that comes with Internet Explorer 5. It does not replicate under Windows NT. Bubbleboy uses a known security hole in Microsoft Outlook to create the local HTA file.
Microsoft has more information on this problem available at: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp
They also have a patch to fix this problem at: http://www.microsoft.com/security/Bulletins/ms99-032.asp