This is an Internet worm that requires Internet Explorer 5 with Windows Scripting Host installed (WSH is standard in Windows 98 and Windows 2000 installations). It does not run on Windows NT due to hard-coded limitations. The worm is embedded within an HTML-format email message and does not contain an attachment. It is written in VB Script. There are two variants; the .b variant is encrypted.
In MS Outlook, this worm requires that you "open" the email. It will not run if the message is only viewed in the "Preview Pane".
In MS Outlook Express, the worm is activated if "Preview Pane" is used!
In both cases, if the security settings for the Internet Zone in IE5 are set to High, the worm will not be executed. The vulnerability exploited by this worm has been addressed by Microsoft with a security patch. Installing this Internet Explorer patch will prevent the execution of this worm under default security settings. Network Associates recommends applying this patch to all desktops running IE.
Microsoft "scriptlet.typelib/Eyedog" Patch
After the VB Script executes, it writes the file UPDATE.HTA to the local machine, and during the next Windows startup the .HTA file is invoked. The UPDATE.HTA file is coded to do the following:
* Change the registered owner via the registry to "BubbleBoy"
* Change the registered organization to "Vandelay Industries"
* Send itself embedded in an email message to EVERY contact in EVERY EMAIL ADDRESS BOOK of MS Outlook
* Set a registry key to indicate that the email distribution has occurred. (Email distribution will not be repeated.)
The email is a message with the following information:
From: (person who sent worm unintentionally)
Subject: BubbleBoy is back!
Message Body: The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
This is not a valid web page.
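The message traits listed above (HTML mail with no attachment, embedded VB Script, and the fixed subject, body text and URL) can be checked at a mail gateway or during mailbox triage. The following Python code is an added example, not part of the original description and not Network Associates code; the function names, the script-tag pattern, the quarantine rule and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Strings quoted in the description above.
SUBJECT = "BubbleBoy is back!"
BODY_TEXT = "The BubbleBoy incident, pictures and sounds"
BODY_URL = "http://www.towns.com/dorms/tom/bblboy.htm"
# Generic pattern for VBScript embedded in an HTML body (an assumption, not a vendor signature).
VBS_TAG = re.compile(r"<script[^>]*\bvbscript\b", re.IGNORECASE)

def bubbleboy_indicators(raw):
    """Return the names of the indicators present in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, html, attachment = "", "", False
    for part in msg.walk():
        if part.is_attachment():
            attachment = True
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            text += body
            if part.get_content_subtype() == "html":
                html += body
    checks = {
        "subject": (msg["Subject"] or "").strip() == SUBJECT,
        "body_text": BODY_TEXT in text,
        "body_url": BODY_URL in text,
        "html_without_attachment": bool(html) and not attachment,
        "vbscript_in_html": bool(VBS_TAG.search(html)),
    }
    return [name for name, hit in checks.items() if hit]

def should_quarantine(raw):
    """Hypothetical policy: script-bearing HTML plus any text indicator from the page."""
    hits = set(bubbleboy_indicators(raw))
    return "vbscript_in_html" in hits and bool(hits & {"subject", "body_text", "body_url"})

# Constructed sample messages; the script body is a placeholder comment, not worm code.
SAMPLE_SUSPECT = (
    b"From: sender@example.com\r\nSubject: BubbleBoy is back!\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body>The BubbleBoy incident, pictures and sounds<br>\r\n"
    b"http://www.towns.com/dorms/tom/bblboy.htm\r\n"
    b"<script language=\"VBScript\">' placeholder, no worm code</script></body></html>\r\n")
SAMPLE_BENIGN = (
    b"From: sender@example.com\r\nSubject: Re: virus warning\r\n\r\n"
    b"Has anyone else received a mail titled 'BubbleBoy is back!'?\r\n")

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, bubbleboy_indicators(raw), should_quarantine(raw))
```

Because the .b variant is encrypted, the fixed strings may not appear in its script source; the structural indicators (HTML body, no attachment, embedded script) are the ones that do not depend on readable text.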