THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700


S U M M A R Y


DIARY: November 10, 1999 12:16 PM Wednesday; Rod Welch

Article on new computer virus attacking email, MS Outlook.

1...Summary/Objective
2...Bubble Boy Virus Attacks MS Office 2000, Outlook, But Not Netscape
3...Protection can be obtained from...



CONTACTS 

SUBJECTS
Security, Privacy - Discovery
Virus Protection
Office 2000 Risks Virus Problems
Virus Risk Office 2000
Bubble Boy

0907 -    ..
0908 - Summary/Objective
0909 -
090901 - Follow up ref SDS 4 0674.
090902 -
090903 - Received two articles reporting new, more powerful computer virus
090904 - spread by email. It is not harmful now, but shows potential for future
090905 - problems using MS Internet Explorer and Outlook for email.  Netscape
090906 - does not seem to be affected. ref SDS 0 5073  Microsoft has a patch to
090907 - block the virus. ref SDS 0 5952  New virus protection is available
090908 - from McAfee and Advert. ref SDS 0 2769
090909 -
090910 - Requested comments from Morris on steps he is taking to meet this
090911 - risk.
090912 -
090913 - Seems like an SDS environment is a big target of opportunity for this
090914 - kind of problem.
090915 -
090916 -
090917 -
090918 -
0910 -
0911 -
0912 - Progress
0913 -
091301 -  ..
091302 - Bubble Boy Virus Attacks MS Office 2000, Outlook, But Not Netscape
091303 -
091304 - On 990727, a report on Microsoft 2000 warned that new features pose new
091305 - risks that make invasion easier. ref SDS 4 0674
091306 -
091307 - Yesterday there was a report on the Internet of a new, more powerful
091308 - computer virus that is spread by email, called...
091309 -
091310 -
091311 -                        Bubble Boy
091312 -
091313 -
091314 - ...in an article published by Newsbyte. ref OF 3 0001
091315 -
091316 - A second article published by AP reports a patch is available to
091317 - protect against Bubble Boy. ref OF 4 0001
091318 -
091319 - This virus does not require opening an attachment. ref OF 3 3640
091320 -
091321 - The article reports speculation that the developers of the virus sent
091322 - it anonymously to a virus protection firm to demonstrate proof-of-
091323 - concept. ref OF 3 2537
091324 -
091325 - Virus requires Internet Explorer, Windows 98 and Outlook. ref OF 4
091326 - 4161 and ref OF 4 2262 and ref OF 4 5610
091327 -
091328 -     In a call to Morris on 991113, Morris advised that Bubble Boy
091329 -     takes advantage of a bug in Outlook, and so is not a Netscape
091330 -     issue.
091331 -
091332 - Windows Scripting Host (WSH) is required for the virus to function.
091333 - ref OF 4 1188 and, ref OF 3 5550
091334 -
091335 -     Sounds like WSH might be uninstalled to avoid the virus???
091336 -
091337 - Windows NT is not affected. ref OF 4 1188
091338 - ..
091339 - Netscape has not been shown to be affected. ref OF 4 5610
091340 -
091341 -     In a call to Morris on 991113, Morris advised that Bubble Boy
091342 -     takes advantage of a bug in Outlook, and so is not a Netscape
091343 -     issue.
091344 -
091345 - Virus is spread by e-mail, ref OF 3 0550, with white on black color
091346 - scheme and the following text:
091347 -
091348 -        From: (actual unknowing sender of the virus laden e-mail)
091349 -
091350 -        Subject: BubbleBoy is back!
091351 -
091352 -        Body: The BubbleBoy incident, pictures and sounds
091353 -
091354 -        E-mail shows an invalid URL ending in "bblboy.htm."
091355 -        ..
091356 -        Virus takes every address in a computer's e-mail program
091357 -        and passes the virus along, unless the computer user has
091358 -        installed a patch distributed in August by Microsoft.
091359 -        ref OF 4 2552
091360 -
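The indicators listed above can be turned into a mail triage check. The following is an added example, not part of the original record or of either article; the function name, the sample messages and the script-in-HTML heuristic are assumptions made for illustration.

```python
import email
from email import policy

# Indicator strings quoted in the record above (compared case-insensitively).
SUBJECT = "bubbleboy is back!"
BODY_TEXT = "the bubbleboy incident, pictures and sounds"
URL_TAIL = "bblboy.htm"

def bubbleboy_indicators(raw_message: bytes) -> list:
    """Return the sorted names of the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # no attachment is needed, so only the body parts are inspected
        try:
            text = " ".join(part.get_content().split()).lower()
        except (LookupError, UnicodeError):
            continue  # unknown or broken charset: skip the part rather than crash
        if BODY_TEXT in text:
            hits.add("body")
        if URL_TAIL in text:
            hits.add("url")
        # Assumption (not from the record): the hidden code is script in an HTML body.
        if part.get_content_subtype() == "html" and "<script" in text:
            hits.add("html-script")
    return sorted(hits)

# Constructed sample messages; the script element is an inert placeholder.
SAMPLE_SUSPECT = (
    b"From: sender@example.com\r\n"
    b"Subject: BubbleBoy is back!\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<html><body bgcolor=\"black\" text=\"white\">\r\n"
    b"The BubbleBoy incident, pictures and sounds<br>\r\n"
    b"http://invalid.example/bblboy.htm\r\n"
    b"<script language=\"VBScript\">' placeholder</script>\r\n"
    b"</body></html>\r\n"
)
SAMPLE_BENIGN = (
    b"From: sender@example.com\r\nSubject: Lunch\r\n\r\nSee you at noon.\r\n"
)

if __name__ == "__main__":
    print(bubbleboy_indicators(SAMPLE_SUSPECT))
    print(bubbleboy_indicators(SAMPLE_BENIGN))
```

A message matching any indicator is a candidate for quarantine before it reaches a mail client that renders HTML.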
091361 -
091362 - What is not clear is whether the email has to be opened in order to
091363 - trigger harmful effects, or whether it can be deleted immediately to
091364 - prevent triggering the virus.
091365 -        ..
091366 -        The article says upon arrival on a non-infected system,
091367 -        BubbleBoy will send itself to every contact in every e-mail
091368 -        address book of Outlook or Outlook Express. It will then set a
091369 -        registry key to indicate that the e-mail distribution has
091370 -        occurred, and subsequent BubbleBoy arrivals will not spread.
091371 -        ref OF 3 2703
091372 -
091373 -        The second article received today says this e-mail virus does
091374 -        not need to be fully opened to be activated.  Highlighting the
091375 -        e-mail's subject line in Microsoft Outlook Express activates
091376 -        its hidden code.
091377 -
091378 - This appears to conflict slightly with the report that the virus does
091379 - not execute until the email is opened in Outlook. ref SDS 0 1890
091380 -
091381 -     In a call with Morris on 991113 he advised his understanding that
091382 -     Bubble Boy can only be activated if the email is opened.  So it
091383 -     can be deleted without opening it, to avoid harm.
091384 -
091385 - Users will not immediately realize that they have been infected.
091386 - ref OF 3 6391
091387 -
091388 -         Virus spreads in one e-mail blast,
091389 -
091390 -         Registry is changed to show system's owner is "BubbleBoy" and
091391 -         organization is changed to "Vandelay Industries"
091392 -
091393 -         Destructive changes can be made, including to data.
091394 -
091395 - BubbleBoy requires Internet Explorer 5 with Windows Scripting Host
091396 - (WSH) installed. WSH is standard in Windows 98 and Windows 2000
091397 - installations. The virus will infect users running Microsoft Outlook
091398 - and Outlook Express. ref OF 3 5550
091399 -      ..
091400 -      In Outlook, this virus requires that the recipient "open"
091401 -      the e-mail, and the virus will not run if the e-mail is only
091402 -      viewed through the "Preview Pane." ref OF 3 4356
091403 -
091404 -         This seems to conflict slightly with the explanation above that
091405 -         the virus executes upon arrival. ref SDS 0 6478
091406 -
091411 -      In Outlook Express, the virus activates even if the e-mail is
091412 -      only viewed through the "Preview Pane." ref OF 3 5329
091413 -
091414 - ..
091415 - Protection can be obtained from...
091416 - 
091417 -
091418 -                        Advert
091419 -
091420 -
091421 -                    http://www.nai.com
091422 -
091423 -
091424 - ...and from...
091425 -
091426 -                          McAfee
091427 -
091428 -
091429 -                     http://www.McAfee.com
091430 -
091431 -
091432 - ...as reported at ref OF 3 6000
091433 -
091434 -
091435 - Enabling Microsoft's highest-security e-mail filter will keep the
091436 - virus from entering.
091437 -
091438 - Microsoft spokesman Adam Sohn said Tuesday night that anyone who
091439 - downloaded the August upgrade to Internet Explorer 5.0 already is
091440 - protected from "Bubbleboy."
091441 -
091442 -     These do not sound very reassuring.  How long will it be until
091443 -     these defenses are overcome?
091444 -
091445 -     We are evolving into a siege mentality.
091446 -
091447 -
091448 -
091449 -
091450 -
091451 -
091452 -
0915 -