1. /
  2. Security Response/
  3. VBS.BubbleBoy

VBS.BubbleBoy - Removal

Risk Level 1: Very Low

Discovered:
November 9, 1999
Updated:
February 13, 2007 11:33:09 AM
Also Known As:
VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Type:
Worm, Virus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CVE-1999-0668

To remove this worm:
  1. Delete the following files:

    C:\Windows\Start Menu\Programs\StartUp\Update.hta
    C:\Windows\Menú Inicio\Programas\Inicio\Update.
  2. Restore the following registry keys to their proper values:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RegisteredOwner
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RegisteredOrganization
  3. Remove the following registry key:

    HKLM\Software\OUTLOOK.BubbleBoy\

    NOTE: Not removing this key will actually prevent the worm from propagating again.
Prevention Information

Microsoft has provided a patch to prevent the worm from propagating by viewing an infected email in Outlook. Security Response recommends downloading this patch from the following Web site:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Also, Symantec Security Response recommends monitoring the following Web site for any Microsoft security updates:

http://www.microsoft.com/security/default.asp

Writeup By: Eric Chien

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver