BubbleBoy virus

---------


Subject: BubbleBoy virus
From: Mustafa Akgul (akgul@Bilkent.EDU.TR)
Date: Wed 10 Nov 1999 - 17:32:03 EET


--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

'BubbleBoy' virus breaks new ground
By Jim Kerstetter, PC Week
November 9, 1999 2:40 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,1018067,00.html

Prepare to unlearn everything you've learned about computer viruses.

An anonymous virus writer who is apparently an avid "Seinfeld" fan has
created a virus -- actually a self-replicating worm -- that can spread
itself through a user's Microsoft Corp. (Nasdaq: MSFT) Outlook or Outlook
Express client.

The worm, called "BubbleBoy" in an apparent reference to a "Seinfeld"
episode, is unlike anything that anti-virus software vendors have seen to
this point.

No attachment required
It doesn't rely on an attachment. Instead, all a user has to do is open
an e-mail. An embedded Visual Basic Script command attaches itself to the
Outlook address book and mails the e-mail to everyone in the address
list.

"Historically, anti-virus vendors have always told users, 'If you don't
open the attachment, you won't have a problem,' " said Sal Viveros,
marketing manager for Total Virus Defense at Network Associates Inc.
(Nasdaq: NETA) in Santa Clara, Calif. "This changes that."

For Outlook Express users, it's particularly troubling. Simply using the
preview function of Outlook Express will allow the worm to replicate.

Still, BubbleBoy is considered low risk by most anti-virus software
vendors, including Network Associates, Symantec Corp. (Nasdaq: SYMC),
Computer Associates International Inc. (NYSE: CA) and Trend Micro Corp.,
because it hasn't been reported by any customers.

Besides being a nuisance, it doesn't carry with it any code that could
damage someone's computer.

Someone thought to be the virus writer, most likely in an effort to gain
attention, sent BubbleBoy to anti-virus companies and posted it on
several Web sites Monday night.

Harbinger of bad stuff?
Anti-virus vendors worry that this could be a harbinger of some very
nasty things to come.

Last month, researchers at the Virus Bulletin conference in Vancouver
speculated that something like BubbleBoy could be created.

And just a few days ago, a posting on several security sites explained
how it could be done, said Dan Schrader, vice president of new technology
at Trend Micro in Cupertino, Calif.

It wouldn't be difficult, Schrader said, for virus writers to release
something like BubbleBoy into the wild and attach a malicious payload to
the VBS program.

"It's interesting. And it's scary. And it's quite powerful," he said.

But, Schrader added, it isn't in the wild quite yet, and most anti-virus
vendors should have it added to their virus definition lists by the end
of the day.

BubbleBoy requires Internet Explorer 5.0 with Windows Scripting Host
installed, which is standard on Windows 98 and Windows 2000. It doesn't
run on Windows NT or on the default settings of Windows 95. Setting IE
5.0 to its maximum security setting would prevent it from doing anything.

Long-running joke
Users won't know they have been infected until the initial e-mail blast.
After that, the worm changes the registered owner to BubbleBoy and the
organization to "Vandelay Industries."

The body of the message simply says, "The BubbleBoy incident, pictures
and sounds."

Vandelay Industries, like the BubbleBoy whose bubble burst during a tense
game of Trivial Pursuit, was a long-running joke on "Seinfeld." George,
Jerry's often-unemployed sidekick, was fond of saying he worked for the
fictitious Vandelay Industries.

The BubbleBoy worm may be taking advantage of a Microsoft security hole
for which there is a patch.

Symantec anti-virus researchers in Santa Monica, Calif., are trying to
determine if BubbleBoy is taking advantage of an IE 5.0 security flaw
discovered in August.

In a security bulletin dated August 31, Microsoft posted a patch that
eliminates the security vulnerabilities in two Active X controls of IE
5.0.

The net effect of the vulnerabilities, according to Microsoft, was that a
Web page could take control of a user's computer without the user knowing
it. The patch is available at windowsupdate.microsoft.com.

Smarter virus writers
Researchers add that BubbleBoy is further proof that, as anti-virus
technology improves, virus writers are getting smarter, particularly when
it comes to VBS.

"BubbleBoy in of itself is not very dangerous," said Narender Mangalam,
director of security products at Computer Associates in Islandia, N.Y.
"The reason we are all very interested in this is because it is a proof
of concept."
 