From: James Harnett USWEST NET>
Date: 13 nov 1999
Subject: Re: Virus Alert

I think that there may be some misleading information in the "BubbleBoy" virus note that went out this morning. Below is the original "Virus Alert" that went out Monday, November 9, 1999, from Computer Associates (not Network Associates). Carnegie Mellon Software Engineering Institute is one of the primary investigators of software virus contamination and cure.

I have been using Cheyenne products for many years, and find them to be very gratifying (I've tested others, including McAfee, but prefer Cheyenne above all). There are literally scores of virus software packages popping up weekly. You cannot wait a year or two, a month or so, or even every other week to update your virus signatures. This simply will not protect you. If you ever get hit by one of the really bad ones out there, then you'll understand how important these Fault Tolerance and Security issues are to us all. If you want further information on this topic, please e-mail me, direct, and I will assist you as much as I can.

When I was a young boy, one of my uncles taught me that people who get things for free will not appreciate that thing, no matter how valuable it may be. They need to pay something for it, even $5 to $100 for the materials to make a $4,000 painting that he would give away (he has done just that many times, as an independently well off top artist).

If you are truly interested in the safety of your computer, programs, and data, then take the time to send an e-mail to me. I am not selling anything. Check me out at, . In this situation, I'd like to get an e-mail from you, to show that you are interested in this matter. It is a small cost, and it will tell me that my efforts are not falling on deaf ears.

=============================================
AntiVirus Alert from Computer Associates
Version 99.18
=============================================

The "VBS/BubbleBoy" virus is a worm spreading through Outlook e-mail. It can be seen as a "proof-of-concept" worm. It is the first known worm to activate without the need to open an attachment from a mail.

VBS/BubbleBoy is sent as an HTML e-mail with the subject line "BubbleBoy is back!". The HTML page contains hidden (embedded) Visual Basic Script code that will be executed without prompting the user if the Internet Explorer 5 security settings are set to medium or low. It uses a known Internet Explorer 5 exploit to write parts of its code ("update.hta") in the Windows startup directory. At the next system start the code will be executed.

The routines require a special environment (e.g. the "WScript.Shell" object from the Windows Scripting Host must be accessible) to run properly. The Windows Scripting Host is part of Windows 98 but may be installed as an external update on other Windows versions as well. Additionally the worm is not compatible with all language-specific versions of Windows.

The mass mailing feature of this worm is comparable to the mass mailing functionality found in the Melissa virus family. First the worm changes the registered owner to "BubbleBoy" and the registered organization to "Vandelay Industries". Afterwards the worm reads the registry key "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" and compares the contents with "OUTLOOK.BubbleBoy 1.0 by Zulu". If this string is not found, the mass mailing code will be executed.

The worm will create a message to all entries in the Outlook address book of the attacked user. The subject line of the message is "BubbleBoy is back!". The message body (HTML) contains the title "BubbleBoy is back!" and the text "The BubbleBoy incident, pictures and sounds". The body also contains a link to a Web page.
Finally the virus sets a flag to delete the message, after it has been submitted. There is no additional payload in this worm.

Virus Signature Files from Cheyenne were released on November 9, 1999, for Inoculan/InoculateIT Workgroup, Advanced & Enterprise Editions. Inoculan/InoculateIT virus signature update files are cumulative, therefore the latest signature file update includes everything from all previous file updates as well as new virus information.

= = = = = = = = = = = = = = = = = = =
James Harnett, (503) 282-8698
mharnett uswest net
P.O. Box 12150
Portland, Oregon 97212-0150 U.S.A.
= = = = = = = = = = = = = = = = = = =
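
A host-triage check built from the indicators the alert lists, as an added example that is not part of the original message or of any Computer Associates product. It assumes the registry is available as REGEDIT4-style export text and that the owner and organization are stored in the standard `RegisteredOwner` and `RegisteredOrganization` values; the function names and the sample snapshot are constructed for illustration.

```python
import re
# Indicators quoted in the alert above.
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
MARKER_VALUE = "OUTLOOK.BubbleBoy 1.0 by Zulu"
OWNER, ORG = "BubbleBoy", "Vandelay Industries"
DROPPED_FILE, SUBJECT = "update.hta", "BubbleBoy is back!"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse REGEDIT4-style export text into {lowercased key: {value_name: string}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\").lower(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \\ and \"
    return keys

def triage(reg_text, startup_files, mail_subjects):
    """Return the sorted names of alert indicators present in a host snapshot."""
    hits = set()
    for key, values in parse_reg_export(reg_text).items():
        if key == MARKER_KEY.lower():  # registry key names are case-insensitive
            hits.add("marker-key")
            if values.get("@") == MARKER_VALUE:  # string the worm compares against
                hits.add("marker-value")
        # Assumption: owner/organization are stored under these standard value names.
        if values.get("RegisteredOwner") == OWNER:
            hits.add("registered-owner")
        if values.get("RegisteredOrganization") == ORG:
            hits.add("registered-organization")
    if any(re.split(r"[\\/]", f)[-1].lower() == DROPPED_FILE for f in startup_files):
        hits.add("startup-update.hta")
    if any(SUBJECT.lower() in s.lower() for s in mail_subjects):
        hits.add("mail-subject")
    return sorted(hits)

# Constructed sample snapshot (not taken from a real host).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
"RegisteredOrganization"="Vandelay Industries"
[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.BubbleBoy 1.0 by Zulu"
'''
SAMPLE_STARTUP = [r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_STARTUP, ["Fwd: BubbleBoy is back!"]))
```

Any single hit is only a lead: the owner and organization strings and the startup file persist after the mail itself has been deleted, so they are the ones worth checking on a machine whose mailbox looks clean.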