
By Bob Sullivan
Posted on ZDNet News: Nov 12, 1999 12:00:00 AM

The BubbleBoy virus, which sent shudders through the antivirus community earlier this week, is no longer just a lab rat. MSNBC has confirmed that the virus -- and an updated Version 1.1 of the program -- has now been posted on a Web page hosted in Japan devoted to collecting viruses. A look at the virus reveals a few more details about the program.

While the virus is now available for download and imitation by virus writers, no victims of the program have yet been reported.

A text document connected to the virus claims the nefarious program was written by a virus writer named "Zulu" and suggests the program originated in Argentina.

That text file also goes on to credit the security expert who first discovered the vulnerability exploited by the virus: "First e-mail worm (without using attachments)," according to BubbleBoy.txt. "It uses a vulnerability discovered by Georgi Guninski in which many versions of Internet Explorer 5 allow any HTML file or e-mail to write files without ActiveX authorization."

It also notes the virus will only work in English and Spanish versions of Microsoft Outlook.

A new breed of virus
The long-feared new breed of computer virus emerged late Monday, according to antivirus firms. The so-called BubbleBoy virus can infect Internet users when they open, or even simply preview, an infected e-mail.

"Historically we've always said, as long as you don't open attachments, you're safe," Network Associates spokesman Sal Viveros said. "That's not true anymore."

It was apparently created by a fan of the TV sitcom "Seinfeld." The name appears to have been taken from an episode of the show. Another famous character, the Soup Nazi, is referenced in the virus' code itself, as is Vandelay -- an apparent reference to Vandelay Industries, a fictitious company where hapless George Costanza claimed he was employed.

The virus arrives with the subject line "BubbleBoy is Back!" The body of the message includes the text "The BubbleBoy incident, pictures and sounds." There's also a link to a non-working Web page: www.towns.com/d=orms/tom/bblboy.htm.

BubbleBoy is a "proof of concept" virus that has no dangerous payload, meaning it doesn't attempt to delete or alter files. But it does have the ability to create a "Melissa-like" mail storm as it sends copies of itself to every e-mail address in the victim's address book.

For over a year, security experts have raised the concern that e-mail itself -- rather than an e-mail attachment -- can transmit a computer virus. The problems are caused by e-mail readers that render HTML, like Microsoft's Outlook or Eudora Pro. Since these programs allow Web-page-like formatting within the body of the message, they also allow execution of code. With Outlook Express, that code can be executed even before the message is open, thanks to the "preview pane" included with the software. (Microsoft is a partner in MSNBC.)

But while the possibility has existed theoretically, BubbleBoy is the first virus to exploit it, Viveros said.

Thanks to virus crises like Melissa, most Internet users seem used to the idea that opening e-mail attachments can expose their computers -- but reading e-mail itself has always seemed safe. Not any more, according to Viveros.

"This really changes the way people need to react to viruses," he said. "You can't really tell people, 'Don't open e-mail.' "

In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses. Regularly updating antivirus software will filter out most viruses, but virus writers are usually a half step ahead of antivirus software. New ill-intentioned programs are almost always able to slip through defenses during the first few hours after their release.

"Until yesterday, I was telling people, 'Don't open attachments unless you know why the person sent it to you,' " said Dan Schraeder, vice president of new technologies at antivirus firm Trend Micro. "Now I get nervous just opening e-mail."

BubbleBoy was sent anonymously to Network Associates Monday night, Viveros said, probably by the author. At that time, it was declared just a lab rat -- no antivirus firm had reported seeing BubbleBoy in the wild.

"This virus has not been posted at any hack site we are aware of. We don't expect to see variants of it popping up all of the sudden," Schraeder said Tuesday.

But that's no reason to dismiss it. "Historically, what we've seen is people take proof-of-concept viruses and create dangerous payloads for them," Viveros said.

How the virus works
The virus only affects Microsoft Outlook users with Internet Explorer 5.0, and only if Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT.

According to Schraeder, the virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August. Two components of Internet Explorer 4.0 and 5.0, scriptlet.typelib and Eyedog, are incorrectly labeled as "trusted" -- meaning they can retrieve and alter critical information on a user's computer. BubbleBoy calls on these controls through scripting in the body of an e-mail message in order to access a victim's computer.

Users who have installed Microsoft's patch for the flaw (available from this Web site) are not vulnerable to BubbleBoy, but they may be vulnerable to other HTML/e-mail attacks.

"This is a good wake-up call for us, to remind people they need to get the latest security updates and update their virus scanning engine," Schraeder said.
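
The mechanism described above, script in an HTML message body reaching the scriptlet.typelib and Eyedog controls, suggests a simple mail-gateway check: flag any text/html part that carries active content or names those controls. The following is an added example, not code from the article or from any vendor it quotes; the tag list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# The two controls the article says were wrongly labeled "trusted".
FLAGGED_CONTROLS = ("scriptlet.typelib", "eyedog")
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}  # assumed list

class ActiveContentFinder(HTMLParser):
    """Collects reasons an HTML mail body should not be rendered as-is."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = set(), False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.add(f"active tag <{tag}>")
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler such as onload
                self.findings.add(f"event handler {name} on <{tag}>")
            self.check_controls(value or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # only script text, so prose mentions are ignored
            self.check_controls(data)
    def check_controls(self, text):
        for ctl in FLAGGED_CONTROLS:
            if ctl in text.lower():
                self.findings.add(f"reference to {ctl}")

def scan_message(raw):
    """Return sorted findings across every text/html part of a message."""
    found = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            finder = ActiveContentFinder()
            finder.feed(body)
            finder.close()
            found |= finder.findings
    return sorted(found)

# Constructed sample, not the real worm: placeholder script text with no payload.
SUSPECT = ("Subject: constructed sample\nContent-Type: text/html\n\n"
           "<html><body onload='x()'><script language='VBScript'>\n"
           "' placeholder naming Scriptlet.TypeLib, no payload\n</script></body></html>")
```

A message with findings can be quarantined or delivered as plain text only, which removes the preview-pane exposure regardless of whether the client has been patched.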
