November 9, 1999 3:15 PM PST

New, fast-spreading email virus found

A virulent new kind of computer virus triggered simply by opening an infected email message has been identified, antivirus researchers said today.

The virus, dubbed "Bubbleboy," apparently hasn't yet made it onto the open Internet, which means researchers haven't heard of any computers being infected. But a version of the program was mailed anonymously to researchers last night, indicating a high potential for future infections.

The virus strikes a Seinfeld theme, changing the victim's computer's registered owner to "Bubbleboy," a reference to an episode of the former popular TV show. There are other references to the show in the program: Users' company information is changed to "Vandelay Industries," and "Soup Nazi" also appears in the source code.

It appears in mailboxes with a subject line "Bubbleboy is back," researchers said.

The virus marks a dangerous step forward in the trend of using email to attack remote computers, researchers say. As with several earlier similar fast-spreading viruses, it takes advantage of security holes in Microsoft Outlook email software to run an unauthorized program on victims' computers, changing information and emailing itself to new targets.

Those viruses need a user to click on an email "attachment" in order to be triggered, however. By contrast, Bubbleboy runs as soon as an Outlook user opens an infected email, or even when an Outlook Express user previews a message.

"If this got into the wild, it would spread incredibly quickly," said Dan Schrader, an antivirus researcher with Trend Micro. "This would make Melissa look slow."

Melissa was successful largely How Bubbleboy works because it automatically sent copies of itself to unsuspecting users via Outlook. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a financial bonanza for antivirus companies. Fears of an even more quickly spreading threat could prompt another surge in antivirus software sales.

The new virus requires a user to be running Microsoft's Outlook email program, Windows 95, 98, or 2000, and Internet Explorer 5.0 or higher. It targets a security hole for which Microsoft has already created a fix, but which many users still have yet to use, researchers say.

Microsoft did not have a comment on the virus by press time.

The development marks a dangerous--if widely predicted--step in virus technology, researchers say. Nevertheless, Bubbleboy itself is relatively benign, aside from its mass email effects.

But more malicious programs, carrying effects such as deleting files or programs from a victim's computer, could also theoretically be included in this kind of virus.

This style of virus could also be used for more targeted attacks, researchers said. This could include sending programs designed to do specific tasks--such as emailing the contents of an inbox to a third party--to a specific individual.

"We used to say that as long as you didn't open an email attachment from someone you don't know, you were fine," said Sal Viveros, group marketing manager for the antivirus division of Network Associates. "Now we've come to the point where you must use antivirus protection if you're going to use email."

The patch provided by Microsoft will protect users from this version of Bubbleboy. Antivirus software that scans emails as they come through an ISP or corporate network will also stop the program, as soon as the antivirus companies finish their analysis and update their programs with a filter.

Researchers at Network Associates say they suspect the same author who created the recent VBS.Freelink attack. Viveros said his company notified Microsoft and the Federal Bureau of Investigation last night.

The companies stress that it is still a potential, rather than an imminent, threat.

"We have not seen any instances of infection at all," Trend Micro's Schrader said. "This is not something that people should be panicking over. But it is kind of scary."

2 comments

Join the conversation!
Add your comment
I am no computer tech, but I have received an email with a link to a supposed video on msn.com titled the bubble. I did not open it because that was the only thing in the body of the message and is was very unlike the the sender to send just a link with no description. Since then over the past few days I am receiving several emails a day with different links in them from the same sender as well as another person who is connected to to original. They are both infected with a self emailing virus (unknown name and origin) Could this be the bubble boy? And who should I report this to as I am clueless.
Posted by pitdog798 (1 comment )
Reply Link Flag
I received an email yesterday (on AOL) It was from me (?) at my Yahoo email address, which I rarely use. The subject line had some kind of link in it. I thought maybe Yahoo was sending me a message saying I should close the account for lack of activity or something like that. But, when I clicked on it, I got a huge message from my anti-virus program that said "VIRUS DETECTED...AVG has prohibited the opening of this file. It is infected!" The weird thing is, in the "sent to" line of the message, it also had the names of some of my other email contacts. Then, today, I got two emails at my Hotmail address from a friend I hadn't heard from in over a year. I was suspicious, as the subject line said "No subject" and I'd already had the Yahoo mail experience. So, before I opened them, I contacted him and asked if he'd sent me any emails. He had not. Like the other one, these also had some of the names of my other contacts in the "sent to" line. Maybe, it's just something to do with my individual computer, but just wanted to pass the information along, in case anyone else gets suspicious emails like this. : )
Posted by marytaylor0103 (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.