If the security hole has not been patched, VBS.BubbleBoy drops the Update.hta file as soon as the email is opened; no attachment has to be run. The email has the subject line
Subject: BubbleBoy is back!
and the visible message body reads
The BubbleBoy incident, pictures and sounds
This is how the message appears:
The message body is HTML that carries embedded VBScript, which the mail client does not display. Because of the security hole, the script runs without prompting the user. It creates a file named Update.hta in C:\Windows\Start Menu\Programs\StartUp or C:\Windows\Menú Inicio\Programas\Inicio (the English and Spanish names of the Startup folder).
If neither of these directories exists, the worm fails, so installations whose Startup folder has a different localized name are not infected. Update.hta also contains VBScript, and it performs the mass-mailing routine. There is no attachment to the message; the worm is fully contained within the invisible VBScript inside the message body. The dropped file runs automatically the next time Windows starts and performs the following steps:
- The worm changes the registered owner to BubbleBoy by modifying the following registry key:
- The worm changes the registered organization to Vandelay Industries by modifying the following registry key:
- The worm checks whether its marker registry key (the HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy key it sets in a later step) has already been set to
OUTLOOK.BubbleBoy 1.0 by Zulu
If the value is already present, the worm does not run its infection routine again. This limits the mass mailing to a single run per machine.
- Using MAPI, the worm composes an email message to every entry in the MS Outlook address book. The subject and body of the message are described above. No record of the sent messages appears in MS Outlook, so the victim sees nothing in the Sent Items folder.
- Next, the worm sets the registry value
HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ =OUTLOOK.Bubbleboy 1.0 by Zulu
to mark that its mailing routine has run.
- Finally, the worm displays a window with the following text:
System error, delete "UPDATE.HTA" from the startup folder to solve this problem
The B variant (also detected as VBS.BubbleBoy) has an encrypted script body, so signature matches on the plain-text script of variant A do not apply to it. Its registry marker for the worm routine is
HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\ =OUTLOOK.Bubbleboy 1.1 by Zulu
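The traits above (an HTML-only body carrying a VBScript block, no attachment, a fixed subject line, and references to UPDATE.HTA, the Startup folder and the OUTLOOK.BubbleBoy registry key) are enough to flag a message of this shape at a mail gateway before a client renders it. The following scanner is an added example written for this page, not Symantec's or the worm author's code. The two messages it scans are constructed samples: the "infected" one contains only harmless strings that the detector looks for, not the worm's script, and the indicator names and the three-level verdict are the example's own choices.

```python
"""Scan an RFC 822 message for the BubbleBoy traits described above:
an HTML body carrying VBScript, no attachment, the known subject line,
and references to the dropped file, startup folder and registry marker.
Added example, not code from the original advisory."""
import email
import re
from email import policy

# Constructed sample, not a captured worm message. The script block is a
# harmless stand-in: it only assigns strings and never touches the system.
SAMPLE_EML = """\
From: someone@example.com
To: victim@example.com
Subject: BubbleBoy is back!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
The BubbleBoy incident, pictures and sounds
<script language="VBScript">
' stand-in for the worm script; it does nothing
strTarget = "C:\\Windows\\Start Menu\\Programs\\StartUp\\Update.hta"
strMarker = "HKEY_LOCAL_MACHINE\\Software\\OUTLOOK.BubbleBoy\\"
</script>
</body></html>
"""

# Constructed benign message used to show the detector stays quiet.
CLEAN_EML = """\
From: someone@example.com
To: victim@example.com
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Notes to follow in a separate message.</p></body></html>
"""

# A <script> element whose language/type attribute names VBScript.
VBSCRIPT_BLOCK = re.compile(
    r"""<script[^>]*\b(?:language|type)\s*=\s*["']?(?:text/)?vbscript""", re.I)

# Strings taken from the advisory text. The startup-folder pattern covers
# both the English and the Spanish folder names the worm looks for.
BODY_INDICATORS = {
    "update_hta": re.compile(r"\bUPDATE\.HTA\b", re.I),
    "startup_folder": re.compile(
        r"Start Menu\\Programs\\StartUp|Men[úu] Inicio\\Programas\\Inicio", re.I),
    "marker_key": re.compile(r"Software\\OUTLOOK\.BubbleBoy", re.I),
}
KNOWN_SUBJECT = "BubbleBoy is back!"


def html_parts(msg):
    """Yield the decoded text of every text/html part. This also covers the
    single, non-multipart HTML body the worm uses (no attachment at all)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw):
    """Return a dict describing what was found and a verdict of
    'quarantine' (script in an HTML body), 'review' (known strings or
    subject only) or 'clean'."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    html = "\n".join(html_parts(msg))

    hits = [name for name, rx in BODY_INDICATORS.items() if rx.search(html)]
    if subject.lower() == KNOWN_SUBJECT.lower():
        hits.append("subject")

    vbs_in_body = bool(VBSCRIPT_BLOCK.search(html))
    if vbs_in_body:
        hits.append("vbscript_in_body")

    # Counting attachments documents the key trait: the worm ships none.
    attachments = sum(1 for _ in msg.iter_attachments())

    if vbs_in_body:
        verdict = "quarantine"   # script in mail HTML is never legitimate here
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"

    return {
        "subject": subject,
        "attachments": attachments,
        "vbscript_in_body": vbs_in_body,
        "indicators": sorted(hits),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, scan_message(raw))
```

The script-in-body check alone decides the quarantine verdict: a VBScript block inside mail HTML has no legitimate use, and gating on it catches messages whose strings differ from the A variant (the B variant's encrypted body would still need to sit inside a script element to run, and a `<script>` opener with the VBScript language tag is still present in the HTML even when the contents are encrypted). The string indicators are only there to name what was seen for the analyst.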
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":