About Tariq Tariq Hilal Al

‘Bubbleboy is Back’- but computer-users advised not to panic

MUSCAT- A local computer expert has warned computer users here not to open or preview any message with the subject line ‘Bubbleboy is back’ which hosts the ‘Bubbleboy’ virus, a new deadly e-mail virus that can destroy information even when users do not fully open their messages.

Giving layman tips on how to burst the ‘bubbleboy’ which is the first known e-mail virus that does not even need to be fully opened to be activated, Oman’s popular webmaster, Tariq Hilal AlBarwani said: “for this virus, a user need not open or preview any message with the subject line ‘Bubbleboy is back’. Also, to ensure future privacy and protection, I would highly recommend users to use special e-mail anti-virus programmes and to keep up with the updates.”

Asking users not to press the Panic button regarding the ‘Bubbleboy’, Tariq noted that this virus could easily be recognized by its subject line, ‘Bubbleboy is Back’. And thus, this itself was enough for it could be readily seen or understood by its subject line.”

“This new deadly virus is different to other well-known viruses such as the Melissa, for it dose not require the user to click on an e-mail attachment in order to effect the personal computer (PC),”Tariq said.

“In fact, it runs as soon as an outlook user opens an infected e-mail or even when an outlook express user preview a message, causing serious damages to the system, for example deleting files and programs from the effected PC.”

The virus after being executed changes the victim’s computer’s registered owner to ‘Bubbleboy’, and the users ‘company information is changed to “vandelay industries” and “Soup Nazi” also appears in the source code.

This virus requires the user to be running Microsoft’s Outlook Express e-mail program, Windows 95, 98 or the 2000 and Internet Explorer 5.0 or higher. “Its basically targets a hole which Microsoft already has a patch or an update. Yet, many users are not aware of the patch,” Tariq noted.

Another well-known computer expert in town, Hemang shah noted that an apt solution was to “publish the subject with which it could be spread. If you don’t click on the message, it would not be activated. Moreover, if you delete that file before you restart the PC, even then it won’t send the e-mail to everyone.”

However, shah added that it does not destroy information in the e-mail. “It passes the e-mail to every user in all your address book. No information is destroyed. Moreover this happens only once,” he said.

However, he was of the opinion that the virus-infected e-mail has to be opened to be activated.

“It does have to be opened, like in outlook, if your preview pane option is not enabled, only if you explicitly open the e-mail will the virus infect. Basically you have to read the contents of the mail (open it).

So, you either open it explicitly or it opens automatically in your preview pane in Outlook Express.” It also takes every address in a computer’s e-mail program and passes the virus along, he said. “It scans for all address book in the local machine and passes the worm along. The virus affects computers with Windows’98, Windows 2000 and some versions of Windows’95. Moreover, these computers should have IE 5.0 and Windows Scripting Host enabled.”

The Microsoftâ Windows Scripting Host (WSH) is a language-independent scripting host for 32-bit Windows platforms.

As how the user could know that a particular e-mail massage contains a virus, shah noted that it has a method of infection. “This worm creates the files “UPDATE.HTA” in the “C:\windows\start\menu\programs\startup” folder. Upon windows startup or restart, the worm code is invoked. After the VB Script executes, it writes the file UPDATE.HTA to the local machine and during the next Windows startup, the .HTA file is invoked. The UPDATE.HTA file is codes to do the following-

Change the registered owner via the registry to ‘bubbleboy’
Change the registered organization to ‘vandelay Industries’
Send itself embedded in an e-mail message to every contact in every e-mail address book of the MSN Outlook
Sets the registry key to indicate that the e-mail distribution has occurred. (e-mail distribution will not be repeated.)

Another web enthusiast, Vivin pliath, who is based in Tempe, Arizona, had this to say about Bubbelboy: “this virus in not completely universal in its infection. It cannot affect computers that check mail through Hotmail, yahoo, excite or any web based mail server. It only affects computers running IE5 and that check mail using Outlook Express.

“It runs from HTML enabled mail and is encoded in VBScript. There is another .b variant that is encrypted.”

However. pliath played down the risk factor that is posed by the virus. “This (virus) is addressed as low risk. I haven’t heard of anything being damaged as a result of this virus …but, the point is, who wants a virus?”

Back