Bubbleboy
Type: Email worm
Creator: Zulu
Date Discovered: 1999.11.09
Place of Origin: Argentina
Source Language: Visual Basic
Platform: Visual Basic
File Type(s): .vbs
Infection Length: 12,806 bytes
Reported Costs:

Bubbleboy is the first preview-pane-infecting email worm. It references a character in the "Seinfeld" television program.

Behavior

Bubbleboy arrives in an email message with the subject "BubbleBoy is back!" and a body of white text on a black field saying "The BubbleBoy incident, pictures and sounds", followed by a now non-existent link.

The worm executes as soon as the message is viewed in the preview pane or as the message is opened. It creates the file UPDATE.HTA in the start menu's startup folder if the computer is running the English or Spanish versions of Windows. It stops running and does nothing more until the computer is restarted.

When the computer is restarted, UPDATE.HTA is executed. It changes the owner of the computer to "BubbleBoy" and the organization to "Vandelay Industries". It opens Outlook through ActiveX and mails itself to everyone in the address books. To ensure that it only emails itself once, the worm creates a registry key, HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy, with a value set to "OUTLOOK.BubbleBoy 1.0 by Zulu", and will not mass mail if it finds this key. It then shows a message box telling the user to delete UPDATE.HTA from the startup folder.

Variants

Bubbleboy produced few variants worth noting. One variant is encrypted. Bubbleboy.C is intentionally destructive.

Bubbleboy.C

Bubbleboy.C comes in an email with the subject of "From Your Friend…" and a body of "Message From Your Friend… http://www.towns.com/dorms/tom/friends.htm". It marks the registry for the same purpose as the original but with a different name for the key (HKEY_LOCAL_MACHINE\Software\OUTLOOK.Friends) and marker (OUTLOOK.Friends 1.0 by Wh0). It also drops the file FONTS.VBS in the Windows folder. It will also try to send a copy of itself through IRC.

This version also carries some destructive payloads. It opens a hidden DOS session that attempts to delete all files in the current directory (usually Windows). It also drops a source file, UPDATE.SCR, in the startup folder and compiles it with DEBUG. This file is intended to format the hard drive, but has a bug preventing this.
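The artifacts described above can be checked against a collected host snapshot. The following is an added example, not part of the original page: it matches the file names and registry marker keys named in the text and uses the marker key to tell a dropped copy from one that has already mailed itself. The snapshot layout, the function names and the sample paths are assumptions of this example.

```python
import ntpath

# Indicators are the ones named on this page; the snapshot layout is an assumption.
INDICATORS = {
    "Bubbleboy": {
        "marker_key": r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy",
        "startup": {"update.hta"}, "windows": set(),
        "owner": ("BubbleBoy", "Vandelay Industries"),
    },
    "Bubbleboy.C": {
        "marker_key": r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.Friends",
        "startup": {"update.scr"}, "windows": {"fonts.vbs"},
        "owner": None,
    },
}

# Constructed sample snapshot (not real telemetry).
SAMPLE = {
    "startup_files": [r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA"],
    "windows_files": [r"C:\WINDOWS\FONTS.VBS"],
    "registry_keys": [r"HKLM\Software\OUTLOOK.Friends"],
}

def _norm_key(key):
    """Registry paths are case-insensitive; expand the common HKLM abbreviation."""
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.lower()

def _names(paths):
    """Lower-cased file names from Windows paths (ntpath works on any OS)."""
    return {ntpath.basename(p).lower() for p in paths}

def triage(snapshot):
    """Return {variant: {"hits": [...], "stage": str}} for a collected host snapshot."""
    keys = {_norm_key(k) for k in snapshot.get("registry_keys", [])}
    startup = _names(snapshot.get("startup_files", []))
    windows = _names(snapshot.get("windows_files", []))
    owner = (snapshot.get("owner"), snapshot.get("organization"))
    report = {}
    for name, ind in INDICATORS.items():
        hits = [f"startup:{f}" for f in sorted(ind["startup"] & startup)]
        hits += [f"windows:{f}" for f in sorted(ind["windows"] & windows)]
        if ind["owner"] and owner == ind["owner"]:
            hits.append("owner/organization rewritten")
        marked = _norm_key(ind["marker_key"]) in keys
        if marked:
            hits.append("marker key present")
        # The marker key guards the mass-mailing step, so its presence means mail was sent.
        stage = "mass-mailed" if marked else "dropped" if hits else "none"
        report[name] = {"hits": hits, "stage": stage}
    return report
```
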

Origin

Bubbleboy was created by an Argentinian coder named Zulu, who is also responsible for the Monopoly worm and partly responsible for the prolific Stages worm.
