November 9, 1999 3:15 PM PST
New, fast-spreading email virus found
The virus, dubbed "Bubbleboy," apparently hasn't yet made it onto the open Internet, which means researchers haven't heard of any computers being infected. But a version of the program was mailed anonymously to researchers last night, indicating a high potential for future infections.
The virus strikes a Seinfeld theme, changing the victim's computer's registered owner to "Bubbleboy," a reference to an episode of the former popular TV show. There are other references to the show in the program: Users' company information is changed to "Vandelay Industries," and "Soup Nazi" also appears in the source code.
It appears in mailboxes with a subject line "Bubbleboy is back," researchers said.
The virus marks a dangerous step forward in the trend of using email to attack remote computers, researchers say. As with several earlier similar fast-spreading viruses, it takes advantage of security holes in Microsoft Outlook email software to run an unauthorized program on victims' computers, changing information and emailing itself to new targets.
Those viruses need a user to click on an email "attachment" in order to be triggered, however. By contrast, Bubbleboy runs as soon as an Outlook user opens an infected email, or even when an Outlook Express user previews a message.
"If this got into the wild, it would spread incredibly quickly," said Dan Schrader, an antivirus researcher with Trend Micro. "This would make Melissa look slow."
Melissa was successful largely because it automatically sent copies of itself to unsuspecting users via Outlook. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a financial bonanza for antivirus companies. Fears of an even more quickly spreading threat could prompt another surge in antivirus software sales.
The new virus requires a user to be running Microsoft's Outlook email program, Windows 95, 98, or 2000, and Internet Explorer 5.0 or higher. It targets a security hole for which Microsoft has already created a fix, but which many users still have yet to use, researchers say.
Microsoft did not have a comment on the virus by press time.
The development marks a dangerous--if widely predicted--step in virus technology, researchers say. Nevertheless, Bubbleboy itself is relatively benign, aside from its mass email effects.
But more malicious programs, carrying effects such as deleting files or programs from a victim's computer, could also theoretically be included in this kind of virus.
This style of virus could also be used for more targeted attacks, researchers said. This could include sending programs designed to do specific tasks--such as emailing the contents of an inbox to a third party--to a specific individual.
"We used to say that as long as you didn't open an email attachment from someone you don't know, you were fine," said Sal Viveros, group marketing manager for the antivirus division of Network Associates. "Now we've come to the point where you must use antivirus protection if you're going to use email."
The patch provided by Microsoft will protect users from this version of Bubbleboy. Antivirus software that scans emails as they come through an ISP or corporate network will also stop the program, as soon as the antivirus companies finish their analysis and update their programs with a filter.
Researchers at Network Associates say they suspect the same author who created the recent VBS.Freelink attack. Viveros said his company notified Microsoft and the Federal Bureau of Investigation last night.
The companies stress that it is still a potential, rather than an imminent, threat.
"We have not seen any instances of infection at all," Trend Micro's Schrader said. "This is not something that people should be panicking over. But it is kind of scary."
2 commentsJoin the conversation! Add your comment