VBS.BubbleBoy

Risk Level 1: Very Low

Discovered: November 9, 1999
Updated: February 13, 2007 11:33:09 AM
Also Known As: VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Type: Worm, Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-1999-0668


VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.

The computer must use Microsoft Outlook (or Outlook Express) with Internet Explorer 5 in order for the worm to propagate.

The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.

Update.hta is placed in the StartUp folder. Therefore, the infection routine is not executed until the next time you start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.
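
A check for the persistence described above, as an added example that is not part of the original write-up: it lists script-type files sitting directly in Startup folders and marks any named Update.hta. The folder paths (modern Windows profile layout), the extension list and the function names are assumptions of this example.

```python
import os
from pathlib import Path

# Extensions handled by Windows script hosts (assumed list for this example).
SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
KNOWN_NAME = "update.hta"  # file name given in the write-up


def default_startup_dirs(env=os.environ):
    """Per-user and all-users Startup folders (assumed modern Windows layout)."""
    rel = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    return [Path(env[v]) / rel for v in ("APPDATA", "PROGRAMDATA") if v in env]


def find_startup_scripts(dirs):
    """Return one finding per script-type file located directly in a Startup folder."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue  # folder missing on this system: nothing to report
        for entry in sorted(d.iterdir()):
            # Compare case-insensitively: Windows file names are not case-sensitive.
            if entry.is_file() and entry.suffix.lower() in SCRIPT_EXTS:
                findings.append({
                    "path": str(entry),
                    "name": entry.name,
                    "matches_writeup": entry.name.lower() == KNOWN_NAME,
                    "size": entry.stat().st_size,
                })
    return findings


if __name__ == "__main__":
    for f in find_startup_scripts(default_startup_dirs()):
        tag = "Update.hta (named in write-up)" if f["matches_writeup"] else "script in Startup"
        print(f"{tag}: {f['path']} ({f['size']} bytes)")
```

Legitimate software rarely places script files in Startup, so any hit is worth reviewing before the next logon.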

Patching the known security hole in Microsoft Outlook/IE5 prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:

http://www.microsoft.com/technet/security/bulletin/fq99-032.asp

Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

The worm will not propagate if IE5 Internet security settings have been set to "High."

Protection

  • Initial Rapid Release version November 15, 1999
  • Latest Rapid Release version March 3, 2008 revision 035
  • Initial Daily Certified version November 15, 1999
  • Latest Daily Certified version June 17, 2008 revision 017
  • Initial Weekly Certified release date November 15, 1999

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low

Writeup By: Eric Chien