
BubbleBoy worm

BubbleBoy is a worm that spreads using email. It is the first email worm that is able to replicate without requiring the user to open or run any mail attachment. In the case of BubbleBoy, the worm activates the moment the email is opened in Outlook.

BubbleBoy infects Windows 98 and Windows 2000 computers. It will also work under Windows 95 if Windows Scripting Host is installed. On all these platforms, BubbleBoy will function only if Internet Explorer 5.0 is also installed. BubbleBoy does not run under Windows NT. The worm cannot work when the Internet Zone security setting of IE 5 is set to the "High" level.

The worm comes as an email. The subject of the email will be "BubbleBoy is back". The worm code is in the message itself and not in an attachment. When the email message is opened, the worm uses a security loophole to create a file called "UPDATE.HTA". The worm tries to put this file in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP" and "C:\WINDOWS\MENU INICIO\PROGRAMAS\INICIO" directories. The presence of the UPDATE.HTA file in the startup directory causes the file to be executed without any security controls the next time the computer is restarted. As the startup directory names are hardcoded, the worm infects only the English and Spanish versions of Windows.

When the UPDATE.HTA file is run, it creates a message containing its code and sends the message to everyone in the address book. The worm sends the message only once. The worm also makes some changes to the registry entries. Finally, the worm displays the following message: "System error, delete "UPDATE.HTA" from the startup folder to solve this problem."

A patch from Microsoft to fix the loophole used by BubbleBoy is available at: http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP
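The dropped file and the two hardcoded startup directories described above can be checked on a live drive or on a disk image mounted for triage. The script below is an added example, not part of the original page; the function names and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the description above: the dropped file name and the
# two hardcoded startup directories (English and Spanish Windows).
DROPPED_FILE = "UPDATE.HTA"
STARTUP_DIRS = [
    ("WINDOWS", "START MENU", "PROGRAMS", "STARTUP"),
    ("WINDOWS", "MENU INICIO", "PROGRAMAS", "INICIO"),
]

def resolve_nocase(base, parts):
    """Walk `parts` under `base`, matching each component case-insensitively.

    Windows paths ignore case, but an image mounted on another OS may not.
    Returns the real path, or None if any component is missing.
    """
    current = base
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:  # missing directory, or a file where a directory was expected
            return None
        match = next((n for n in names if n.casefold() == part.casefold()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_bubbleboy_files(drive_root):
    """Return paths of UPDATE.HTA found in either hardcoded startup directory."""
    hits = []
    for parts in STARTUP_DIRS:
        path = resolve_nocase(drive_root, parts + (DROPPED_FILE,))
        if path and os.path.isfile(path):
            hits.append(path)
    return hits

def demo():
    """Build a constructed directory tree with a placeholder file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Windows", "Start Menu", "Programs", "StartUp")
        os.makedirs(startup)
        with open(os.path.join(startup, "Update.hta"), "w") as fh:
            fh.write("constructed placeholder, not worm code")
        return [os.path.relpath(p, root) for p in find_bubbleboy_files(root)]

if __name__ == "__main__":
    print(demo())
```

Pass the root of the drive or mounted image (for example the directory that contains `WINDOWS`) to `find_bubbleboy_files`; an empty list means neither startup directory holds the file.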
Copyright © 2005 Proland Software. All rights reserved.