Bubbleboy | |
---|---|
Type | Email worm |
Creator | Zulu |
Date Discovered | 1999.11.09 |
Place of Origin | Argentina |
Source Language | Visual Basic |
Platform | Visual Basic |
File Type(s) | .vbs |
Infection Length | 12,806 bytes |
Reported Costs |

Bubbleboy is the first preview-pane-infecting email worm. Its name references a character in the "Seinfeld" television program.
Behavior
Bubbleboy arrives in an email message with the subject "BubbleBoy is back!" and a body of white text on a black field saying "The BubbleBoy incident, pictures and sounds" and a now non-existent link.
The worm executes as soon as the message is viewed in the preview pane or as the message is opened. It creates the file UPDATE.HTA in the start menu's startup folder if the computer is running the English or Spanish versions of Windows. It stops running and does nothing more until the computer is restarted.
When the computer is restarted, UPDATE.HTA is executed. It changes the owner of the computer to "BubbleBoy" and the organization to "Vandelay Industries". It opens Outlook through ActiveX and mails itself to everyone in the address books. To ensure that it only emails itself once, the worm creates a registry key, HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy, with a value set to "OUTLOOK.BubbleBoy 1.0 by Zulu" and will not mass mail if it finds this key. It then shows a message box telling the user to delete UPDATE.HTA from the startup folder.
Variants
Bubbleboy produced few variants worth noting. One variant is encrypted. Bubbleboy.C is intentionally destructive.
Bubbleboy.C
Bubbleboy.C comes in an email with the subject of "From Your Friend…" and a body of "Message From Your Friend… http://www.towns.com/dorms/tom/friends.htm". It marks the registry for the same purpose as the original but with a different name for the key (HKEY_LOCAL_MACHINE\Software\OUTLOOK.Friends) and marker (OUTLOOK.Friends 1.0 by Wh0). It also drops the file FONTS.VBS in the Windows folder. It will also try to send a copy of itself through IRC.
This version also carries some destructive payloads. It opens a hidden DOS session that attempts to delete all files in the current directory (usually Windows). It also drops a source file, UPDATE.SCR, in the startup folder and compiles it with DEBUG. This file is intended to format the hard drive, but a bug prevents it from doing so.
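The artifacts described above (marker keys, dropped files, changed owner string) can be checked against a host snapshot. The following is an added example, not code from the worm or from any vendor tool: it parses a regedit-style text export plus a file listing and reports which variant each hit points to. The value names `RegisteredOwner`/`RegisteredOrganization`, the folder names `startup`/`inicio`/`windows`, and the sample snapshot are assumptions constructed for illustration.

```python
import ntpath

# Marker keys and file names come from the description above.
MARKER_KEYS = {
    r"hkey_local_machine\software\outlook.bubbleboy": "Bubbleboy",
    r"hkey_local_machine\software\outlook.friends": "Bubbleboy.C",
}
# Assumed parent folder names: "startup"/"inicio" (English/Spanish), "windows".
DROPPED = {
    "update.hta": ({"startup", "inicio"}, "Bubbleboy"),
    "update.scr": ({"startup", "inicio"}, "Bubbleboy.C"),
    "fonts.vbs": ({"windows"}, "Bubbleboy.C"),
}
# Assumed registry value names for the owner and organization strings.
OWNER = {"registeredowner": "BubbleBoy", "registeredorganization": "Vandelay Industries"}

def parse_reg(text):
    """Parse a regedit text export into {key_lower: {name_lower: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"').lower()] = data.strip('"')
    return keys

def triage(reg_text, file_paths):
    """Return sorted (variant, kind, detail) findings for one host snapshot."""
    found = set()
    for key, values in parse_reg(reg_text).items():
        if key in MARKER_KEYS:
            found.add((MARKER_KEYS[key], "marker key", key))
        for name, want in OWNER.items():
            if values.get(name) == want:
                found.add(("Bubbleboy", "registration", f"{name}={want}"))
    for path in file_paths:
        folder, name = ntpath.split(path.lower())
        dirs, variant = DROPPED.get(name, (set(), None))
        if ntpath.basename(folder) in dirs:  # name alone is not enough
            found.add((variant, "dropped file", path))
    return sorted(found)

# Constructed sample snapshot, not captured from a real host.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.BubbleBoy 1.0 by Zulu"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA", r"C:\TEMP\UPDATE.HTA"]
```

`triage(SAMPLE_REG, SAMPLE_FILES)` reports the marker key, the owner string and the startup-folder copy of UPDATE.HTA, and ignores the same file name under `C:\TEMP`.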
Origin
Bubbleboy was created by an Argentinian coder named Zulu. Zulu is also responsible for the Monopoly worm and partly responsible for the prolific Stages worm.