From: (name of infected user) Subject: BubbleBoy is back! Body: The BubbleBoy incident, pictures and sounds
If you see this on your screen, contact your F-Secure distributorThe reference to Bubbleboy and the above link are references to a character in an episode in the TV show "Seinfeld". Although the link shown by the virus appears to be broken, it is most likely the same page as http://www.toptown.com/dorms/rick/bblboy.htm This page and it's maintainer have nothing to do with the worm. The receiver of the e-mail gets infected and spreads the worm without clicking any attachment. The message does not even have any attachments. When user receives such an e-mail and opens it, the worm attempts to create two files, "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA" and "C:\WINDOWS\MENU INDICIO\PROGRAMS\INICIO\UPDATE.HTA". These locations specify the Windows startup directory for both English and Spanish versions. After creating this file the worm will perform no further action until the system has been restarted. Then the worm will use ActiveX feature to access the system registry. It modifies the Windows registered owner to "BubbleBoy" and organization to "Vandelay Industries".
HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoyand sets its value to:
OUTLOOK.BubbleBoy 1.0 by ZuluThe mass mailing is done only once per infected machine. Next, the worm will show a message box with the following text:
System error, delete "UPDATE.HTA" from the startup folder to solve the problem.
From: (name of infected user) Subject: From Your Friend... Body: Message From Your Friend... http://www.towns.com/dorms/tom/friends.htmThe marker in the registry is different. The marker in this variant is:
HKEY_LOCAL_MACHINE\Software\OUTLOOK.Friendsand its value is set to:
OUTLOOK.Friends 1.0 by Wh0This variant drops a "C:\WINDOWS\FONTS.VBS" file, modifies the settings of the mIRC application and then executes mIRC to send this VBS file. This will work only if mIRC is installed to "C:\MIRC" or "C:\PROGRAM FILES\MIRC" directory. Then the worm will open a hidden MS-DOS session and will attempt to delete all files from the current directory. Usually this is the Windows directory. Finally the worm will drop a small binary file, "C:\PrettyIRC.COM". VBS/BubbleBoy.C compiles this file (using the debugger) from a previously dropped source file "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.SCR". This program is supposed to format the hard drive, but it does not work due to a bug. [Analysis: Katrin Tocheva, Sami Rautiainen and Alexey Podresov, F-Secure]