The antidote is already discovered Cambridge, UK, November 10, 1999 - Kaspersky Labs Int., an international anti-virus software vendor, reports the discovery of a new generation of Internet-based malicious code that constitute a real danger to all computer users and corporate networks....
The antidote is already discovered
Cambridge, UK, November 10, 1999 - Kaspersky Lab Int., an international anti-virus software vendor, reports the discovery of a new generation of Internet-based malicious code that constitute a real danger to all computer users and corporate networks. I-Worm.BubbleBoy is the first Internet-worm able to spread through e-mail without using attachments. It means that the worm can penetrate into the system right after the infected message has been read.
All previously known Internet-worms are using a common way of spreading while sending itself in attachments in e-mail messages. BubbleBoy penetrates into a system right after an infected message has been read and sends itself to e-mail addresses from MS Outlook address book without a user even to notice this.
"At this moment we have not been reported the cases of mass infections by this Internet-worm. However we should warn all the computer users to take all needed precautions in order to avoid the worm's further spreading", - said Eugene Kaspersky, head of anti-virus research at Kaspersky Lab.
Infection Indications
An infection by BubbleBoy can be recognised by the following. The worm indicates on it's presence by adding thses records into a system registry:
HKEY_LOCAL_MACHIN\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu
or (depending to the version of the worm)
HKEY_LOCAL_MACHIN\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu
as well as
HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\RegisteredOwner = Bubbleboy
HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\RegisteredOrganization = Vandelay Industries
Infection Prevention
To provide 100% security level against possible attacks by BubbleBoy worm you should follow one of these steps:
- Install an update from Microsoft that eliminates security "Scriptlet.Typelib" vulnerability. The update can be obtained at http://support.microsoft.com/support /kb/articles/Q240/3/08.ASP
- In case you do not use any HTML applications (HTA-files), you can secure your system by disabling file association for .HTA extension. To do so you should follow these steps:
- Double click "My Computer" icon on desktop;
- In appeared window choose menu "View" then "Options...";
- On "File Types" tab in "Registered file types" listbox select "HTML Applicaton" item;
- Click "Remove" button and confirm action;
- Close options dialog box.
