VBS/Bubbleboy Email Worm Appears

A new threat dubbed VBS/Bubbleboy has appeared as the first in the next generation of email worms. This new worm is significantly different from earlier email worms, such as Melissa, that appeared as executable files attached to email messages.

C. Thi Nguyen

November 9, 1999

2 Min Read
ITPro Today logo in a gray background | ITPro Today

A new threat dubbed VBS/Bubbleboy has appeared as the first in the next generation of email worms. This new worm is significantly different from earlier email worms, such as Melissa, that appeared as executable files attached to email messages. For the previous worms to infect a system, the user had to run an attached executable file. Bubbleboy, however, is not a separate executable—it simply infects the system as soon as the user opens the email message.The phrase “opening the email” has broad interpretations. For example, the Bubbleboy worm will infect the system if a user simply views the email message using the Outlook Express Preview Pane. However, the worm won't infect the system if a user views the email message using the Outlook Preview Pane. McAfee's Web site warns in bold text that “This is a VERY significant innovation!” The text goes on to say that “Virus researchers have long assured the public that it is not possible to contract a virus or worm merely by opening and reading an email message. This is no longer true, and VBS/Bubbleboy marks the beginning of a more dangerous computing environment.”In its present incarnation, Bubbleboy is not particularly dangerous. It’s simply a replication threat that arrives as an email message titled “Bubbleboy is back!” and creates a file called update.hta. The next time the user boots the computer, the worm sends copies of itself to every email address in every address book in the local copy of Outlook.The worm also alters the Registry, changing the owner name to Bubbleboy and the organization name to Vandelay Industries. Bubbleboy works on Windows 98, Windows 2000 (Win2K), and other Windows OSs with Windows Scripting Host (WSH) installed. Although the present payload is reasonably innocuous—Bubbleboy doesn’t delete files or format the hard disk—changing payloads is easy for any virus programmer. What is significant is the payload delivery system; by infecting a system without the user running an executable, this worm is significantly harder to stop than other versions. This new delivery system promises a faster, harder-to-control spread. Since its release, Bubbleboy has appeared on underground virus-writer sites. The virus-writing community will almost certainly seize on Bubbleboy’s delivery system and write more destructive versions. Microsoft is offering a patch, available on its Web site.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like