Worm teaches users new security lesson

While many users have learned the lessons of the last years' viruses and now refrain from opening strange e-mail attachments, that practice may no longer keep them safe, following the release of the "proof-of-concept" worm called BubbleBoy.

The worm proves that a victim no longer has to open an attachment to infect his or her system, because merely opening the e-mail carrying the BubbleBoy worm can infect a machine.

"It totally bypasses the previous philosophy of 'Don't open that attachment, if you don't know what it is'," said Chris Williams, senior manager at NAI Labs, the research arm of Network Associates.

The BubbleBoy worm will infect users running Microsoft Outlook and Outlook Express. In Outlook, it requires you to open the e-mail message, and will not run if the message is viewed via the Preview Pane. In Outlook Express, it activates even if only the Preview Pane is used. To infect a system, the worm requires Internet Explorer 5 with Windows Scripting Host installed, but it will not activate if the security settings for the Internet Zone in IE5 are set to High.

Users will not immediately realize they have been infected, as there are no effects to a user's system other than the change - via the registry - of the system's registered owner and organisation to "BubbleBoy" and "Vandelay Industries," respectively. These references have apparently been taken from the television show Seinfeld, and other Seinfeld references are included.

After infecting a system, BubbleBoy sets a registry key to indicate that the e-mail distribution has occurred, and subsequent reinfections will not spread again from the same machine.

The actual danger from the BubbleBoy worm is low, as it does not include a dangerous payload, and security vendors stress that no one has been infected with the worm as of yet. But the danger of so many infected e-mail messages launching from an e-mail system at once could be devastating enough.

The BubbleBoy worm was sent anonymously to anti-virus vendors and organizations. Copycat viruses that use its technique are almost a certainty.

"We fully expect this exploit to be utilized in the next year [by other viruses]," said Vincent Gullotto, director of the Anti-Virus Emergency Response Team at NAI.

Users' first defense is to refrain from opening e-mail messages with the subject line "BubbleBoy is back," and to set any filtering or scanning systems to watch for this subject line. Anti-virus vendors are also offering updated virus-recognition files to identify the attack.

Dan Schrader, vice president of new technology at Trend Micro, said that a patch from Microsoft would protect systems using IE5.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftNAITrend Micro Australia

Show Comments

Market Place