VBS.BubbleBoy

SUMMARY

VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.

The computer must use Microsoft Outlook (or Express) with Internet Explorer 5 in order for the worm to propagate.

The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.

Update.hta is placed in the StartUp folder. Therefore, the infection routine is not executed until the next time you start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.

Patching the known security hole in Microsoft Outlook/IE5, prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:

http://www.microsoft.com/technet/security/bulletin/fq99-032.asp

Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

The worm will not propagate if IE5 Internet security settings have been set to "High."

Protection

• Virus Definitions (LiveUpdate™ Weekly) November 15, 1999
• Virus Definitions (Intelligent Updater) November 15, 1999

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

If the security hole has not been patched, VBS.BubbleBoy inserts the Update.hta file as soon as the email is opened. The email contains the text

Subject: BubbleBoy is back!

The message body contains the text

The BubbleBoy incident, pictures and sounds
http:/ /www.towns.com/dorms/tom/bblboy.htm

This is how the message appears:



The body of the message is created with HTML using VBScript, which is not normally visible. The VBScript is executed without prompting the user (due to the security hole). The script creates and inserts a file named Update.hta into C:WindowsStart MenuProgramsStartUp or C:WindowsMenä InicioProgramasInicio.

If neither of these directories exists, the worm fails. Update.hta also contains VBScript, which performs the mass-mailing routine. There is no attachment to the message; the worm is fully contained within the nonvisible VBScript inside of the message body. The worm automatically executes the next time Windows starts and performs the following steps:

1. The worm changes the registered owner to BubbleBoy by modifying the following registry key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
   CurrentVersionRegisteredOwner
   
2. The worm changes the registered organization to Vandelay Industries by modifying the following registry key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
   CurrentVersionRegisteredOrganization
   
3. The worm checks to see whether the registry key
   
   HKEY_LOCAL_MACHINESoftwareOUTLOOK.BubbleBoy
   
   has been set to
   
   OUTLOOK.BubbleBoy 1.0 by Zulu
   
   If the registry has already been set, then the worm will not continue to perform its infection routine. This causes the worm to perform its mass mailing routine only once.
   
4. Using MAPI, the worm composes an email message to everyone in the MS Outlook address book. The subject and body of the message are described above. No record of the sent messages appears in MS Outlook.
   
5. Next, the worm sets the registry key
   
   HKEY_LOCAL_MACHINESoftwareOUTLOOK.BubbleBoy =OUTLOOK.Bubbleboy 1.0 by Zulu
   
   to mark the execution of its worm routine.
   
6. Finally, the worm displays a window with the following text:
   
   System error, delete "UPDATE.HTA" from the startup folder to solve this problem

Variant notes

The B variant (also detected as VBS.BubbleBoy) is encrypted. The registry entry to mark the worm routine execution is

HKEY_LOCAL_MACHINESoftwareOUTLOOK.BubbleBoy =OUTLOOK.Bubbleboy 1.1 by Zulu

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm:

1. Delete the following files:
   
   C:WindowsStart MenuProgramsStartUpUpdate.hta
   C:WindowsMenä InicioProgramasInicioUpdate.
   
2. Restore the following registry keys to their proper values:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
   CurrentVersionRegisteredOwner
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
   CurrentVersionRegisteredOrganization
   
3. Remove the following registry key:
   
   HKLMSoftwareOUTLOOK.BubbleBoy
   
   NOTE: Not removing this key will actually prevent the worm from propagating again.
   

Prevention Information

Microsoft has provided a patch to prevent the worm from propagating by viewing an infected email in Outlook. Security Response recommends downloading this patch from the following Web site:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Also, Symantec Security Response recommends monitoring the following Web site for any Microsoft security updates:

http://www.microsoft.com/security/default.asp