VBS.BubbleBoy


Risk Level 1: Very Low

November 9, 1999
February 13, 2007 11:33:09 AM
Also Known As:
VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Worm, Virus
Systems Affected:
CVE References:

VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.

The computer must use Microsoft Outlook (or Outlook Express) with Internet Explorer 5 in order for the worm to propagate.

The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.

Update.hta is placed in the StartUp folder. Therefore, the infection routine is not executed until the next time you start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.
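A check for the artifact described above, written as an added example (not Symantec's code): it walks a directory tree, such as a mounted disk image, and reports HTA files that sit in a Startup folder. The folder name "inicio" for Spanish-language systems and the sample layout are assumptions of this example.

```python
import os
import tempfile

# "startup" is the folder named in the write-up; "inicio" (the Spanish-language
# folder name) is an assumption of this example.
STARTUP_NAMES = {"startup", "inicio"}
WORM_FILE = "update.hta"  # file name given in the write-up


def find_startup_hta(root):
    """Return sorted (severity, path) pairs for .hta files in Startup folders.

    "match" means the file is named Update.hta; "review" is any other HTA,
    which is unusual in an auto-start folder and worth a manual look.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        if os.path.basename(dirpath).lower() not in STARTUP_NAMES:
            continue
        for name in files:
            lower = name.lower()
            if lower.endswith(".hta"):
                severity = "match" if lower == WORM_FILE else "review"
                findings.append((severity, os.path.join(dirpath, name)))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory layout (not from a real system)."""
    for rel in (
        "WINDOWS/Start Menu/Programs/StartUp/UPDATE.HTA",
        "WINDOWS/Start Menu/Programs/StartUp/Office.lnk",
        "Perfil/Inicio/other.hta",
        "WINDOWS/Temp/update.hta",  # outside a Startup folder: not reported
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for severity, path in find_startup_hta(sample_root):
            print(severity, path)
```

A file-name match is only a triage signal; confirm any hit with current antivirus definitions.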

Patching the known security hole in Microsoft Outlook/IE5 prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:


Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

The worm will not propagate if IE5 Internet security settings have been set to "High."

Antivirus Protection Dates

  • Initial Rapid Release version November 15, 1999
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version November 15, 1999
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date November 15, 1999
Writeup By: Eric Chien
