VBS/Bubble.Worm
| VBS/Bubble.Worm |
Destructivity:  Spreading: Overall risk: 
|
| • Detected by virus detection files published: 11/24/1999 | • Type: Worm |
| • Virus characteristics first published: 11/24/1999 | • Spreading mechanism: Email |
| • Virus characteristics latest update: 12/17/2003 | • Overall risk: Low |
| • Infection type: Microsoft Visual Basic Script |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
|
VBS/Bubble is dependant on Microsoft Outlook or Outlook Express as the e-mail client to be able to infect. It further requires that Internet Explorer version 5 is installed. Vulnerable operating systems are Windows 95 and Windows 98. Due to an error in the worm's program code it does not infect Windows NT. When an e-mail with this worm is opened, it drops the file UPDATE.HTA in Windows' StartUp directory. If Outlook Express is used as the mail client, the e-mail does not even have to be opened. It infects when the e-mail is looked at in the Preview Panel. The next time the PC is booted, the worm e-mails itself to all entries in Outlook's address book. In addition, the script sets the "RegisteredOrganisation" and "RegisteredOwner" fields in the registry to "Vandelay Industries" and "BubbleBoy". The user will get no warnings that anything unsafe is about to happen. The worm will probably only function as intended on English and Spanish versions of Windows. The worm utilizes an ActiveX control which is incorrectly marked "safe for scripting" and therefore may be activated from Microsoft Outlook, Outlook Express (and Internet Explorer). Microsoft has released a patch which eliminates this vulnerability. Changing the security settings in Outlook or Internet Explorer for the Internet Zone to high (default is medium) or disable Active Scripting in the Internet Zone, will also protect a user from this worm. VariantsTwo variants exist. VBS/Bubble.A and VBS/Bubble.B. The latter is encrypted. Neither of these variants is known to be in the wild. |
||||||||||||||