For immediate releaseEspoo, Finland - November 10, 1999 - Data Fellows Corporation, a leading provider of Internet security solutions, today announced the first virus found which activates by opening an e-mail message. VBS/Bubbleboy is the very first worm that is able to infect without opening an attachment. The worm will execute immediately after the user has opened the message in Microsoft Outlook.
As of Tuesday afternoon, Data Fellows had received no reports of this virus being in the wild, and it is not considered a big threat. However, Data Fellows wishes to warn the public of this new infection mechanism. The worm propagates as a Microsoft Outlook message. This message does not have a separate attachment, but the worm code is included in the message itself. However, if active scripting is disabled, the worm will not work. The worm uses ActiveX features to open Microsoft Outlook and uses it to send itself to all recipients in all address books, like the Melissa virus.
The message contains the following:
From: (name of infected user)
Subject: BubbleBoy is back!
Body: The BubbleBoy incident, pictures and sounds
The reference to Bubbleboy and the above link are references to a character in an episode of the TV show "Seinfeld".
The receiver of the e-mail becomes infected and spreads the worm without opening any attachment. The message does not contain any attachments. The mass mailing is executed only once per infected machine.
After the mass mailing, the worm will display a message box with the following text:
System error, delete "UPDATE.HTA" from the startup folder to solve the problem.
Bubbleboy is only able to spread under Microsoft Outlook 98, Microsoft Outlook 2000 and Microsoft Outlook Express that comes with Internet Explorer 5. It does not replicate under Windows NT. Bubbleboy uses a known security hole in Microsoft Outlook to create the local HTA file.
Microsoft has more information on this problem available at: http://www.microsoft.com/Security/Bulletins/MS99-032faq.asp
They also have a patch to fix this problem at: http://www.microsoft.com/security/Bulletins/ms99-032.asp
More technical information and screenshots of the virus are available at: http://www.f-secure.com/v-descs/bubb-boy.shtml
Founded in 1988, Data Fellows is listed on the Helsinki Stock Exchange. The company
is headquartered in Espoo, Finland with North American headquarters in San Jose,
California, as well as offices in Canada, Germany, China, France, Japan and the United
Kingdom. Data Fellows is supported by a network of VARs and Distributors in over 90
countries around the globe.
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
E-mail: adyer@yuikee.com.hk
http://www.yuikee.com.hk/
USA:
Data Fellows Inc.
Mr. Dan Takata, Technical Support
Tel. +1 408 938 6700,
Fax +1 408 938 6701
E-mail: Dan.Takata@F-Secure.com
Finland:
Data Fellows Corporation
Mikko Hyppnen, Manager, Anti-Virus Research
PL 24
FIN-02231 Espoo
Tel. +358 9 859 900,
Fax. +358 9 8599 0599
E-mail: Mikko.Hypponen@F-Secure.com