It is true, and then again it's not _completely_ true.
Here's what Network Associates (McAfee AV)has to say:
=================
Virus Name
VBS/Bubbleboy
Date Added
11/8/99
Virus Characteristics
This is an Internet worm that requires Internet Explorer 5 with Windows
Scripting Host installed (WSH is standard in Windows 98 and Windows 2000
installations). It does not run on Windows NT due to hard-coded limitations. The
Internet worm is embedded within an email message of HTML format and does not
contain an attachment. This worm is written in VB Script. There are two
variants; the .b variant is encrypted.
In MS Outlook, this worm requires that you "open" the email. It will not run if
using "Preview Pane".
In MS Outlook Express, the worm is activated if "Preview Pane" is used!
In both the above, if security settings for Internet Zone in IE5 are set to
High, the worm will not be executed. The vulnerability exploited by this worm
has been addressed by Microsoft with a security patch. Installing this Internet
Explorer patch will prevent the execution of this worm under default security
settings. Network Associates recommends to apply this patch for all desktops
running IE.
Microsoft "scriplet.typelib/Eyedog" Patch
After the VB Script executes, it writes the file UPDATE.HTA to the local machine
and during the next Windows startup, the .HTA file is invoked. The UPDATE.HTA
file is coded to do the following-
* Change the registered owner via the registry to "BubbleBoy"
* Change the registered organization to "Vandelay Industries"
* Send itself embedded in an email message to EVERY contact in EVERY EMAIL
ADDRESS BOOK of MS Outlook
* Sets the registry key to indicate that the email distribution has occurred.
(Email distribution will not be repeated.)
The email is a message with the following information:
From: (person who sent worm unintentionally)
Subject: BubbleBoy is back!
Message Body: The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
This is not a valid web page.
Indications Of Infection
Registry key modification:
HKEY_LOCAL_MACHIN\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu
or
HKEY_LOCAL_MACHIN\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.1 by Zulu
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner =
Bubbleboy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization
= Vandelay Industries
NOTE:
AVERT Recommends scanning for all files at the gateway. For desktops, add .HT?
to the extensions list of files scanned by VShield for both the VirusScan 9x and
VirusScan NT products. Adding .HT? to the extension list for on-demand scanning
will provide protection as well.
AVERT recommends filtering the subject line with the WebShield SMTP product -
see www.nai.com for more information about this product.
Method Of Infection
This worm creates the file "UPDATE.HTA" in the "C:\windows\start
menu\programs\startup" folder. Upon Windows startup or restart, the worm code is
invoked.
Extra DAT Support
Download EXTRA.DAT for VirusScan 4.0.25 (and higher)- download here
Download EXTRA.DRV for Toolkit 7.99 - download here
Download Hourly Scan for 3x download here
Virus Information
Discovery Date: 11/8/99
Type: VBScript
Risk Assessment: low
Minimum DAT: 4052 (Available 11/18/99)
Variants
.A, .B
Aliases
VBS/Bubbleboy
=============
Please remove *anti-spam* from the email when replying.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
When everything else failed, we can still become im-
mortal by making an enormous blunder....
John Kenneth Galbraith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
