November 11, 1999 Web posted at: 10:25 a.m. EST (1525 GMT) by Matthew Nelson

From...

(IDG) -- While many users have learned the lessons of the past years' virus infections and now refrain from opening strange e-mail attachments, that practice may no longer keep them safe, following the release of the "proof-of-concept" worm called BubbleBoy.

The new worm, which is rife with references to TV's Seinfeld, proves that you no longer have to open an attachment to infect your system with a virus, because merely opening the e-mail message carrying BubbleBoy can infect a machine.

The BubbleBoy name has apparently been taken from the show Seinfeld, as the worm also makes reference to "Vandelay Industries," a fictional company for which character George Costanza worked. Additionally, the names of both the series' characters and actors are used as names of "variables" within the worm's code, according to security company Trend Micro.

"The code is riddled with Seinfeld references. Every variable has been named after Seinfeld characters," said Dan Schrader, vice president of new technology, for Trend Micro. "They even use references to Soup Nazi, Kramer -- an amazing number of characters are in this thing."

While only a "proof-of-concept" worm, and not "in the wild" infecting user systems, the fact that the BubbleBoy worm is activated merely by opening an e-mail message represents a new danger to e-mail users.

"It's the first of it's type, because simply activating the e-mail that is infected will launch the virus," said Chris Williams, senior manager at NAI Labs, the research arm of Network Associates, in Santa Clara, Calif. "It totally bypasses the previous philosophy of 'don't open that attachment if you don't know what it is.'"

Once activated, BubbleBoy will send itself to every contact in every Outlook or Outlook Express e-mail address book, but the worm itself does not carry a dangerous payload. BubbleBoy is a worm and not a virus because it is network aware, and it propagates itself using the same mass-mailing feature as the notorious Melissa virus.

Users will not immediately realize they have been infected, as there are no effects to a user's system other than the change - via the registry - of the system's registered owner and organization to "BubbleBoy" and "Vandelay Industries" respectively.

The actual e-mail message will come to a user's system with the "from" line referring to the person who unintentionally sent it and the subject line reading, "BubbleBoy is back!" The body of the message will contain a black screen and the text, "The BubbleBoy incident, pictures and sounds," along with an invalid URL ending in "bblboy.htm."

To infect a system, the Internet worm requires Internet Explorer 5 (IE5) with Windows Scripting Host installed, which is standard in Windows 98 and Windows 2000 installations. It does not seem to run on Windows NT, at this time.

BubbleBoy will infect users running Microsoft Outlook and Outlook Express. In Outlook, this worm requires that you open the e-mail message, and will not run if the message is viewed through the "Preview Pane." In Outlook Express, the worm activates even if the infected e-mail message is only viewed through the "Preview Pane." In all cases, if the security settings for the Internet Zone in IE5 are set to High, the worm will not be executed.

After infecting a system, BubbleBoy will set a registry key to indicate that the e-mail distribution has occurred, and subsequent re-infections of BubbleBoy will not spread again from the same machine.

MORE COMPUTING INTELLIGENCE

IDG.net home page

InfoWorld home page

InfoWorld forums home page

InfoWorld's Security Corner--Everything you need to know about viruses, hacks and more!

E-BusinessWorld

Reviews & in-depth info at IDG.net

IDG.net's personal news page

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

The actual danger from BubbleBoy is low, as it does not include a dangerous payload, and security vendors stress that no one has actually been infected with the worm as of yet, but the danger of so many infected e-mail messages launching from an e-mail system at once could be devastating enough.

"If it were to really kick in, it could get worse than the fury of Melissa," said Vincent Gullotto, director of the Anti-Virus Emergency Response Team for NAI. "Because it's everybody in every single address book that you have."

BubbleBoy was sent anonymously to several antivirus vendors and organizations, possibly by the worm writer, and has been posted to underground virus sites. Copycat viruses that utilize BubbleBoy techniques are almost a certainty.

"We fully expect this exploit to be utilized in the next year [by other viruses]," Gullotto said.

The first line of defense for users it to not open any e-mail messages with the subject line "BubbleBoy is back," and to set any filtering or content scanning systems to watch for and stop the same e-mailed subject line. Antivirus vendors are currently offering updated virus recognition files to identify the attack.

Security vendor Trend Micro has also confirmed that an already-available patch from Microsoft will protect systems using IE5, according to Trend Micro's Schrader.

Because BubbleBoy is written in VB Script, it uses Microsoft Active X control mobile code to infect systems.

"This is using an Active X control that is marked as being safe to run," Schrader said. "It seems to use these Active X controls that are incorrectly marked for scripting. That's why you have to have the VB scripting enabled to let it work."

Schrader recommends that users update their security patches in IE 5 directly from Microsoft.

"Go to [the] 'Tools' [menu] and 'Windows Update.' It will take you to a Microsoft page that will install all the latest security patches," Schrader said. "There have been quite a number of security patches."

Security vendors have also found that if the worm is discovered before it infects a machine, it can be removed before it spreads the damage further.

BubbleBoy, upon infection, will leave a new file, Update.hta, in the C:\Windows\Start Menu\Programs\Startup directory. When an infected system reboots, the worm will then send itself to the names in the address book. Before restarting a computer however, it is possible to delete Update.hta, along with the original message, to halt the infection before it can spread.

Beyond the danger of a new and easier method of infection represented by BubbleBoy, there also exists the hassle of investigating virus hoaxes that previously could have been dismissed out of hand. Hoaxes, which are often distributed by well-meaning e-mail users to friends and colleagues, often warn of "not opening an e-mail message because it contains a virus." Now that may be true, according to Narender Mangalam, director of security strategies, for Computer Associates, in Islandia, N.Y.

"Now we are not going to be able to ignore 'don't open this e-mail'," said Mangalam. "Now I'm going to have to investigate every single hoax. That affects the response time because we are going to have to look at all of these things."

Nevertheless, BubbleBoy proves what security experts have been worried about for years, that a virus or worm can infect a system with as little as opening an e-mail message.

"The concept is quite scary," said Mangalam.

Matthew Nelson is an InfoWorld senior writer.