'BubbleBoy' virus breaks new ground
An anonymous virus writer who is apparently an avid "Seinfeld" fan has created a virus -- actually a self-replicating worm -- that can spread itself through a user's Microsoft Outlook or Outlook Express client.
The worm, called "BubbleBoy" in an apparent reference to a "Seinfeld" episode, is unlike anything that anti-virus software vendors have seen to this point.
It doesn't rely on an attachment. Instead, all a user has to do is open an e-mail. An embedded Visual Basic Script command attaches itself to the Outlook address book and mails the e-mail to everyone in the address list.
"Historically, anti-virus vendors have always told users, 'If you don't open the attachment, you won't have a problem,' " said Sal Viveros, marketing manager for Total Virus Defense at Network Associates. "This changes that."
For Outlook Express users, it's particularly troubling. Simply using the preview function of Outlook Express will allow the worm to replicate.
Still, BubbleBoy is considered low risk by most anti-virus software vendors, including Network Associates, Symantec, Computer Associates and Trend Micro because it hasn't been reported by any customers.
Besides being a nuisance, it doesn't carry with it any code that could damage someone's computer. Someone thought to be the virus writer, most likely in an effort to gain attention, sent BubbleBoy to anti-virus companies and posted it on several Web sites Monday night.
Anti-virus vendors worry that this could be a harbinger of some very nasty things to come. Last month, researchers at the Virus Bulletin conference in Vancouver speculated that something like BubbleBoy could be created.
And just a few days ago, a posting on several security sites explained how it could be done, said Dan Schrader, vice president of new technology at Trend Micro.
It wouldn't be difficult, Schrader said, for virus writers to release something like BubbleBoy into the wild and attach a malicious payload to the VBS program.
"It's interesting. And it's scary. And it's quite powerful," he said. But, Schrader added, it isn't in the wild quite yet, and most anti-virus vendors should have it added to their virus definition lists by the end of the day.
BubbleBoy requires Internet Explorer 5.0 with Windows Scripting Host installed, which is standard on Windows 98 and Windows 2000. It doesn't run on Windows NT or on the default settings of Windows 95. Setting IE 5.0 to its maximum security setting would prevent it from doing anything.
Users won't know they have been infected until the initial e-mail blast. After that, the worm changes the registered owner to BubbleBoy and the organization to "Vandelay Industries."
The body of the message simply says, "The BubbleBoy incident, pictures and sounds." Vandelay Industries, like the BubbleBoy whose bubble burst during a tense game of Trivial Pursuit, was a long-running joke on "Seinfeld." George, Jerry's often-unemployed sidekick, was fond of saying he worked for the fictitious Vandelay Industries.
The BubbleBoy worm may be taking advantage of a Microsoft security hole for which there is a patch. Symantec anti-virus researchers in Santa Monica are trying to determine if BubbleBoy is taking advantage of an IE 5.0 security flaw discovered in August.
In a security bulletin dated August 31, Microsoft posted a patch that eliminates the security vulnerabilities in two Active X controls of IE 5.0.
The net effect of the vulnerabilities, according to Microsoft, was that a Web page could take control of a user's computer without the user knowing it. The patch is available at windowsupdate.microsoft.com.
Researchers add that BubbleBoy is further proof that, as anti-virus technology improves, virus writers are getting smarter, particularly when it comes to VBS.
"BubbleBoy in of itself is not very dangerous," said Narender Mangalam, director of security products at Computer Associates. "The reason we are all very interested in this is because it is a proof of concept."
Take me to the Melissa Virus special.