BEWARE OF VBS/BUBBLEBOY WORM

VBS/Bubbleboy is the first e-mail worm to infect computers without using attachments. Until now, you were safe from virus infection as long as you didn't open e-mail attachments; this worm changes that. It uses a vulnerability discovered by Georgi Guninski in which many versions of Internet Explorer 5 allow any HTML file or e-mail to write files without ActiveX authorization. It will ONLY infect PCs running Windows 98 with Internet Explorer 5 and Outlook or Outlook Express.

When the e-mail is viewed in OUTLOOK or OUTLOOK EXPRESS, the VBScript code in it creates "UPDATE.HTA" in the startup directory. This only works in English and Spanish Windows versions. The file is run at the next startup, when it changes the registered owner to "BubbleBoy" and the registered organization to "Vandelay Industries". It then tries to use OUTLOOK to send the e-mail worm to all contacts in each list of the address book. The e-mail subject will be "BubbleBoy is back!" and the body will have the text "The BubbleBoy incident, pictures and sounds" and a link to a URL.

The OUTLOOK code won't be run if the "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" registry key has the "OUTLOOK.BubbleBoy 1.0 by Zulu" value, or "OUTLOOK.BubbleBoy 1.1 by Zulu" in the case of version 1.1. If it doesn't exist it will be created, so the mails won't be sent more than once. Finally, the worm displays the following message:

"System error, delete "UPDATE.HTA" from the startup folder to solve this problem."

So "UPDATE.HTA" is created when the e-mail is viewed in either OUTLOOK or OUTLOOK EXPRESS. Because of this, the small payload (changing the registration information) works on both mail clients, but the e-mail worm is sent from OUTLOOK only.

Changes between 1.0 and 1.1:

- The HTA file used at startup is now VBScript encoded.

How can I protect my system?

Fire has incorporated Bubbleboy into its virus signature file to help users affected by this worm detect and eliminate it from their systems. Fire anti-virus users can update this signature file from our web site.

To protect your system against infection, disable Windows Scripting Host by following these steps: Click the Start button, Settings, Control Panel, then select Add/Remove Programs, then select the Windows Setup tab, then double-click Accessories, scroll down to Windows Scripting Host, and uncheck the box. Save changes and close the window.

How can I find out whether my system is infected?

You can check the system manually. This worm creates the file "UPDATE.HTA" in the "C:\windows\start menu\programs\startup" folder. If the file is present in the folder, your PC is infected with this virus. A free utility to detect and clean this virus is available in the Download Center.
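
The manual check above, combined with the registry traces described earlier, can be scripted for triage of a registry export and a file listing taken from a suspect machine. The Python below is an added example, not part of the original advisory or the Fire product; the function names, the choice of a REGEDIT4-style text export as input, and the sample data are assumptions made for illustration.

```python
import re

# Indicators taken from the advisory text above.
MARKER_KEY = r"hkey_local_machine\software\outlook.bubbleboy"
MARKER_DATA = {"OUTLOOK.BubbleBoy 1.0 by Zulu": "1.0",
               "OUTLOOK.BubbleBoy 1.1 by Zulu": "1.1"}
REGISTRATION = {"registeredowner": "BubbleBoy",
                "registeredorganization": "Vandelay Industries"}
DROPPED_FILE = "update.hta"

def scan_reg_export(text):
    """Return findings from a REGEDIT4-style text export (assumed input format)."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()   # current key section
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")="(?P<data>.*)"$', line)
        if not m:
            continue
        name, data = (m.group("name") or "").lower(), m.group("data")
        if key == MARKER_KEY and data in MARKER_DATA:
            findings.append("sent-marker for version " + MARKER_DATA[data])
        elif REGISTRATION.get(name) == data:
            findings.append("payload changed " + name)
    return findings

def scan_file_listing(paths):
    """Return paths naming UPDATE.HTA directly inside a folder called Startup.
    Only the English folder name given in the advisory is covered."""
    hits = []
    for p in paths:
        parts = p.replace("/", "\\").lower().split("\\")
        if len(parts) > 1 and parts[-1] == DROPPED_FILE and parts[-2] == "startup":
            hits.append(p)
    return hits

# Constructed sample input, not captured from a real system.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\]
@="OUTLOOK.BubbleBoy 1.1 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
"RegisteredOrganization"="Vandelay Industries"
'''
SAMPLE_FILES = [r"C:\WINDOWS\Start Menu\Programs\StartUp\UPDATE.HTA",
                r"C:\My Documents\update.hta.txt"]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_file_listing(SAMPLE_FILES))
```

A sent-marker finding means the mass-mailing routine has already run in OUTLOOK, while a hit on the file alone means the payload is staged for the next startup.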
