BubbleBoy is a Microsoft Windows email worm that propagates through both Microsoft Outlook (98/2000) and Microsoft Outlook Express. The worm sends emails that contain no attachments. Instead, it utilizes exploits in order to execute the payload, and it was the first worm known to do so. Upon opening an infected email, the worm will immediately execute.
The first exploit lies in the way Outlook handles emails that contain HTML. The HTML is rendered with few safety precautions, so script embedded in the message body is executed, which lets the worm use the "Scriptlet.Typelib" exploit.
This exploit allows local files to be created from HTML and the scripting languages it can embed. The worm uses it to create an HTA file, called "update.hta", which contains the worm's code. The file is placed in the Windows startup folder so that it is executed at the next startup. The path "C:\Windows" is hard-coded, so installing Windows in any non-default location prevents the worm from executing or spreading. The worm then accesses Outlook's address book, raising little or no suspicion from the user, to distribute infected emails. This is done in a similar way to Melissa.
The message sent has the subject line of "BubbleBoy back!", containing the body:
- The BubbleBoy incident, pictures and sounds
This is along with the worm's own code.
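The propagation vector described above (an HTML-only message with no attachment whose body carries script) is what a mail gateway would need to flag. The following is an added detection example, not code from the original article: it parses a constructed sample message with Python's `email` module and reports the indicators the text names (active content in an HTML body, a reference to Scriptlet.TypeLib, the known subject line). The sample messages and the `scan_message` function are assumptions made for this example.

```python
import email
import re
from email import policy

# Constructed sample: HTML-only mail, no attachment, script in the body.
# The script body is a placeholder; no worm code is reproduced here.
SAMPLE_MAIL = """\
From: someone@example.invalid
To: you@example.invalid
Subject: BubbleBoy back!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
The BubbleBoy incident, pictures and sounds
<script language="VBScript">
' placeholder referencing Scriptlet.TypeLib
</script>
</body></html>
"""

# Constructed benign plain-text mail for comparison.
BENIGN_MAIL = """\
From: someone@example.invalid
To: you@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you at three.
"""

ACTIVE_CONTENT = re.compile(r"<\s*(script|object)\b", re.IGNORECASE)

def scan_message(raw: str) -> dict:
    """Return the BubbleBoy-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    # Any part with a filename counts as an attachment; BubbleBoy has none.
    has_attachment = any(part.get_filename() for part in msg.walk())
    html_parts = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    html = "\n".join(p.get_content() for p in html_parts)
    findings = []
    if ACTIVE_CONTENT.search(html) and not has_attachment:
        findings.append("active content in HTML body without attachment")
    if "scriptlet.typelib" in html.lower():
        findings.append("Scriptlet.TypeLib reference")
    if subject.strip() == "BubbleBoy back!":
        findings.append("known BubbleBoy subject line")
    return {"subject": subject, "has_attachment": has_attachment,
            "findings": findings, "suspicious": bool(findings)}
```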
To avoid arousing suspicion by sending multiple messages, the worm adds a registry key to ensure that duplicate messages are not sent, which is as follows:
- "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy" = "OUTLOOK.BubbleBoy 1.0 by Zulu"
After the worm has executed, it shows a message recommending that the user delete update.hta. Of course, by this point, the worm has already been sent to every email address found in the Outlook address book. The message reads as follows:
- System error, delete "UPDATE.HTA" from the startup folder to solve this problem.
Additionally, the worm changes the registration data of the computer, as follows:
- RegisteredOwner = "BubbleBoy"
- RegisteredOrganization = "Vandelay Industries"