The problems you describe are valid but I think it will be nothing for a
skilled virus writer to overcome them. No doubt the next slew of
Microsoft "innovations" will help them no end.
It's not what this virus can do that scares everyone, it's what it might
lead to.
Jack wrote:
> Having examined the source code for both *.eml and *.msg it would
> seem that this so-called Bubbleboy relies solely on the new *.hta
> file format which only applies to IE5. It uses a 3 month old exploit
> that installs the *.hta file in your start-up folder. Only after
> re-boot does this *.hta file install and run the VBS script contained
> within it.
>
> The exploit is old and patches have long since been issued. The *.hta
> file format only works with IE5. To send it to the start-up folder
> requires that the instructions be language specific i.e.
>
> C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA
>
> Is not going to work on a French computer or Japanese or Italian etc.
> No computer that doesn't have IE5 + English settings (although the
> author's made a Spanish version).
>
> There are a number of other variables that make this a dud. What is a
> real shame is the AV vendors and press blowing this totally out of
> proportion.
>
> Shame on you.
This is not quite true. Previously there had not been any proven cases.
But most AVers knew that it was possible. At the VB99 conference, there
was even a presentation about such dangers.
> The problems you describe are valid but I think it will be nothing for a
> skilled virus writer to overcome them. No doubt the next slew of
> Microsoft "innovations" will help them no end.
:-)
> It's not what this virus can do that scares everyone, it's what it might
> lead to.
The original poster does indeed miss the point.
Check back to 4 years ago...
"It's OK to exchange documents. Ooops, sorry."
Now...
"Just as long as you don't double-click on the attachment. Oops,
sorry."
Or, "The Concept virus does nothing. All you have to do is place a
Payload macro in your documents."
It's not about the virus. It's about the change this thing will have on
our future and years from now when we look back and say, "Remember when
you could just download and read your email with no worries?"
I congratulate you if you have a secure setup for yourself. I'm
thinking about going back to my UNIX system and using "mail" again. But
I wouldn't be thinking of that if not for this. And you and everyone
else now has to *think* about these concerns as something real now, not
as a theoretical point.
Jimmy
jk...@nai.com
> Jack wrote:
>
> > Having examined the source code for both *.eml and *.msg it would
> > seem that this so-called Bubbleboy relies solely on the new *.hta
> > file format which only applies to IE5. It uses a 3 month old exploit
> > that installs the *.hta file in your start-up folder. Only after
> > re-boot does this *.hta file install and run the VBS script contained
> > within it.
> >
> > The exploit is old and patches have long since been issued. The *.hta
> > file format only works with IE5. To send it to the start-up folder
> > requires that the instructions be language specific i.e.
> >
> > C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA
> >
> > Is not going to work on a French computer or Japanese or Italian etc.
> > No computer that doesn't have IE5 + English settings (although the
> > author's made a Spanish version).
> >
> > There are a number of other variables that make this a dud. What is a
> > real shame is the AV vendors and press blowing this totally out of
> > proportion.
> >
> > Shame on you.
It's only due to a bug (that's long been fixed) in an ActiveX control that a
script is able to create a new file on the user's computer. With the fixed
ActiveX control, there is no longer any possibility of another script doing
this same type of thing.
--Doug
Right, that's my 2 pence spent.
ViSaGe
Jack <756373323...@756373.636F6D.7477> wrote in message
news:CFEW3.8481$Gk1....@news1.rdc1.sdca.home.com...
> Well, you are both wrong. The virus is not executed by opening or
> previewing an email message. Again, all that does is install the
> *.hta which contains the VBS. Only after rebooting will the script
> run (execute the virus). This provided that the recipient has (a)
> win98, (b) has WSH active (c)uses IE5 (c) uses an unpatched IE5 (d)
> has all scripting active in IE5 (e) uses IE5 and OE5 or Outlook (f)
> has the same language settings as the code to install the *.hta (g)
> reboots his computer.
>
> There are 7 requirements to allow this to succeed. Quite different
> from Cnet:
>
> "...By contrast, Bubbleboy runs as soon as an Outlook user opens an
> infected email, or even when an Outlook Express user previews a
> message."
>
> Interestingly enough the actual virus was emailed to:
>
> From: "Jimmy Kuo" <jk...@nai.com>
> To: <jk...@nai.com>
>
> Here's what the recipient's company product manager has to say:
>
> "We used to say that as long as you didn't open an email attachment
> from someone you don't know, you were fine," said Sal Viveros, group
> marketing manager for the antivirus division of Network Associates.
> "Now we've come to the point where you must use antivirus protection
> if you're going to use email."
>
> We have come to a point where we must use antivirus protection if we're
> going to use email.
>
> Nevertheless, your so-called "proof of concept" is meaningless. In
> March of 1999 a full working example of this so-called "proof
> of concept" was posted in the Microsoft newsgroups. It sufficiently
> startled Microsoft enough that they installed Inoculan to monitor
> their newsgroups. While the working example was not viral (it used
> the eicar string), the results proved more effective and in less
> steps than the one you are now crowing about.
>
> Embedding everything in html has been going on for over 4 years now.
> It is not new and frankly it is easier to embed an *.exe and run it
> in either news or mail than it is to rely on a bug that has long
> since been addressed. There are a number of possibilities to use the
> *.hta to achieve the same effect outside relying on this particular
> exploit. However it's most doubtful "a skilled virus writer" will
> ever realise this.
>
> I don't think the original poster misses the point. The original poster
> has a better understanding of this than you think. The only benefit out
> of this hoopla is that everyone will install the IE5 patch and not
> run out to buy your antivirus software.
>
> The idea to revert to Unix mail because of this is transparent. Hey,
> here's a better idea, why don't you continue to use OE5 or Outlook
> and instead buy some antivirus software.
>
> Shame on you.
>
>
> <cj...@my-deja.com> wrote in message
> news:80f0k7$4vb$1...@nnrp1.deja.com...
> : Marius van Deventer <mvdev...@nospam.illovo.co.za> wrote:
> : > True. However it's not bubbleboy itself that is alarming everyone.
> : > It's the concept that it proves. It is now possible to execute a
> : > virus without having to manually open it. Previously no one thought
> : > it would ever happen.
> :
> : This is not quite true. Previously there had not been any proven
> Interestingly enough the actual virus was emailed to:
>
> From: "Jimmy Kuo" <jk...@nai.com>
> To: <jk...@nai.com>
>
I noticed that too in the source I have.
Received: from postino2.trend.com.ru ([221.78.7.102]) by trend18.admin with
Microsoft SMTPSVC(5.5.1877.357.35);
Thu, 4 Nov 1999 19:30:20 -0300
Received: from relay.jkuo.com (relay.jkuo.com [173.42.69.5])
by postino2.trend.com.ru (8.9.1a/8.9.1) with ESMTP id SAA04436
for <vx_...@kuonai.com.ru>; Thu, 4 Nov 1999 19:32:44 -0300 (ART)
Received: from PROXY (smtp.jkuo.com [222.37.83.204])
by relay.jkuo.com (8.9.3/8.9.3) with ESMTP id SAA05637
for <vx_...@kuonai.com.ru>; Thu, 4 Nov 1999 19:35:12 -0300
Received: from jimmykuo - 202.35.168.12 by jkuo.net with Microsoft SMTPSVC;
Thu, 4 Nov 1999 19:29:28 -0300
From: "Jimmy Kuo" <jk...@nai.com>
To: <jk...@nai.com>
Subject: BubbleBoy is back!
Date: Thu, 4 Nov 1999 19:34:22 -0300
Message-ID: <000501bf2573$17832280$0d0cfea9@jimmykuo>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01BF2559.F21D8080"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Return-Path: jk...@nai.com
companies full of people who have IE5 and OE5 on their machine because that
is what was set up for them, and they don't know anything about such
viruses... and they will get something like this and there you go - they
won't think to go looking for update.hta after opening the email.
cj
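Jimmy says below that the ids in those headers are forged. A generic check a defender can run on any Received: chain is to walk it oldest-first (bottom header up) and look for hops whose timestamps run backwards by more than normal clock skew, or whose "by" host is not the host the next relay says it received from. The Python below is an added example, not code from anyone in this thread; its input is the header block quoted above, and the 60-second skew tolerance is an assumed value.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block of the "BubbleBoy is back!" message as quoted in the thread
# (body omitted). Continuation lines are tab-folded as in real mail.
RAW_HEADERS = (
    "Received: from postino2.trend.com.ru ([221.78.7.102]) by trend18.admin with\n"
    "\tMicrosoft SMTPSVC(5.5.1877.357.35);\n"
    "\tThu, 4 Nov 1999 19:30:20 -0300\n"
    "Received: from relay.jkuo.com (relay.jkuo.com [173.42.69.5])\n"
    "\tby postino2.trend.com.ru (8.9.1a/8.9.1) with ESMTP id SAA04436\n"
    "\tfor <vx_...@kuonai.com.ru>; Thu, 4 Nov 1999 19:32:44 -0300 (ART)\n"
    "Received: from PROXY (smtp.jkuo.com [222.37.83.204])\n"
    "\tby relay.jkuo.com (8.9.3/8.9.3) with ESMTP id SAA05637\n"
    "\tfor <vx_...@kuonai.com.ru>; Thu, 4 Nov 1999 19:35:12 -0300\n"
    "Received: from jimmykuo - 202.35.168.12 by jkuo.net with Microsoft SMTPSVC;\n"
    "\tThu, 4 Nov 1999 19:29:28 -0300\n"
    'From: "Jimmy Kuo" <jk...@nai.com>\n'
    "To: <jk...@nai.com>\n"
    "Subject: BubbleBoy is back!\n"
    "Date: Thu, 4 Nov 1999 19:34:22 -0300\n"
    "Message-ID: <000501bf2573$17832280$0d0cfea9@jimmykuo>\n"
    "\n"
)

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_hop(value):
    """Split one Received: value into the claimed from-host, by-host and timestamp."""
    text = " ".join(value.split())                  # undo header folding
    stamp = text.rsplit(";", 1)[-1]                 # the date follows the last ';'
    stamp = re.sub(r"\(.*?\)", "", stamp).strip()   # drop comments such as (ART)
    from_m = FROM_RE.search(text)
    by_m = BY_RE.search(text)
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "time": parsedate_to_datetime(stamp),
    }


def analyze_received(raw, skew_tolerance_s=60):
    """Walk the Received: chain oldest-first and return forgery indicators.

    handoff_mismatches: a relay's "by" host differs from the host the next
        relay claims it received from (each relay names its own upstream).
    time_reversals: a later hop is stamped earlier than the previous hop by
        more than skew_tolerance_s (assumed value; real relays drift a little).
    """
    msg = message_from_string(raw)
    # Headers are prepended on each hop, so the bottom one is the oldest.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    mismatches = []
    reversals = 0
    for prev, cur in zip(hops, hops[1:]):
        if prev["by"] != cur["from"]:
            mismatches.append((prev["by"], cur["from"]))
        if (prev["time"] - cur["time"]).total_seconds() > skew_tolerance_s:
            reversals += 1
    return {"hops": hops, "handoff_mismatches": mismatches,
            "time_reversals": reversals}


if __name__ == "__main__":
    result = analyze_received(RAW_HEADERS)
    for hop in result["hops"]:
        print(f'{hop["time"].isoformat()}  {hop["from"]:>22} -> {hop["by"]}')
    print("handoff mismatches:", result["handoff_mismatches"])
    print("time reversals:    ", result["time_reversals"])
```

On this header block the chain's timestamps go 19:29:28, 19:35:12, 19:32:44, 19:30:20, so two hops claim to have received the mail minutes before the relay that supposedly handed it to them, and the first relay (jkuo.net) does not reappear as the upstream of the next one. Clock skew between independently administered relays is normal, so a reversal of a few seconds means nothing; reversals of minutes and broken handoffs are reasons to treat the chain as untrustworthy, not proof on their own. A fuller analysis would also compare the bracketed IP literals against the hostnames the relays claim.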
But he places much too many instances of my name in the headers. I
can't possibly own that many domains. :-)
Notice Zulu likes Trend also. :-)
In case I need to actually say it, the ids are forged.
Jimmy
jk...@nai.com
Gawd, I hope you don't try brain surgery.
> What's really curious is how the author Zulu got a hold of this.
> After all this is the same source code as found on his website.
Erm, clueless idiot... Because Zulu is BubbleBoy's author. He sent it
anon to some AVers; he shouldn't have. As you see, they've blown it way
out of proportion.
> Didn't all the news reports say that this was sent anonymously to
> the antivirus companies?
> How in the world does this internal email then end up back on the
> virus author's website. Most bizarre. I am sure there is a reasonable
> explanation for it.
Read above.
And quit trying to be a detective, you fucking suck at it.
Regards,
Raid [SLAM]
> looks like the recipient sent it through his own private
> smtp server to himself
> How in the world does this internal email then end up
> back on the virus author's website.
Hehehe, it was really funny to read this.
You know, MSG and EML as well as any other files can be
edited. :)
Jimmy:
> Apparently Zulu likes me.
> But he places much too many instances of my name in the
> headers. I can't possibly own that many domains. :-)
Hahaha, more funny things. :)
Your name in the code not means that, it means something
about a ZDNet article.
> Notice Zulu likes Trend also. :-)
Hehe, you don't imagine in how many computers I deleted PC
Cillin when I saw that awful thunder in the systray. :)
Then when I'm going, in the systray they have some kind of
shield (hehe, not Vshield) or a logo of a black V letter in a
grey background with a red check mark. :)
Raid:
> Because, Zulu is bubbleboy's author. He sent it anon to
> some avers; He shouldn't have,
> As you see; they've blown it way out of proportion
Hi Raid. Yes, you may be right, I didn't expected so much
of a worm that uses a bug patched time ago.
Zulu
> Hi Raid. Yes, you may be right, I didn't expected so much
> of a worm that uses a bug patched time ago.
It's an interesting worm tho. We've taken 7 technical support calls
regarding it this morning, and 4 yesterday. No actual infections
reported, only concerns.
I must also mention, that if the antivirus companies wouldn't have
sounded such a panic attack (sales must be dropping again) that we
probably wouldn't have been contacted by so many worried users. None of
the contacts so far were actually infected with it, they wanted more
information regarding it. Either they heard about it from a friend, or
an antivirus company (I'll leave the names out of it) sent them a
letter telling them of a new deadly virus that travels in your email.
We only took 2 phone calls regarding the Toadie virus. (Was hard for me
to keep from laughing as the person explained his/her dilemma). But,
those were actual infections. (It was interesting working on a PC that
a virus of mine had traveled to) - No, I didn't infect the machine; it
was brought in for repair due to viral infection.
Anyways, it's a unique little virus; and I suspect if you had spread it
a bit, it would get wild. For every person who does pay attention and
update with patches, you'll find at least 100 idiots who don't.
> Hahaha, more funny things. :)
> Your name in the code not means that, it means something
> about a ZDNet article.
I don't know which article you are talking about. Could you give me a
reference?
Jimmy
Raid Slam wrote in message <000b8d9b...@usw-ex0101-002.remarq.com>...
"There are techniques for attacking directly -- without
needing the user to open an attachment," said NAI's
Kuo. "Such (Melissa-like) viruses are not out of the
picture yet."
I mean that. :)
Anyways don't feel guilty, the idea and the method was in
my mind before reading that. :)
Two messages is much nntp for me, I'm not used to post on
usenet, I better stop. :)
He is not the real Zulu because his English is weak. The real Zulu does
not write like this person's monkey. His English is very good and you
can see it on his pages. This impostor makes a mockery of you and of the
real Zulu. Even the great Raid is tricked just by seeing his name. Cujo
is the same, just by seeing his name. It is very funny to see this.
We await you choking on our Spanish, because that is how the real Zulu
warrior is.
Adiós Bye =]
>>>>>in the code not means that,<<<<<< :(
>>>>>you don't imagine in how many computers <<<<<< :(
>>>>>worm that uses a bug patched time ago.<<<<<< :(
>>>>>Two messages is much nntp for me<<<<<< :(
Not in the wild and never spreaded. Unless someone says that public
download telling that is a virus is spreading. Long discussion anyways.
Zulu
mirc/network/outlook/pirch worm would be more specific. :)
Zulu
If you mean viable platform for viruses, I don't think so, people are
not sending VBS files between them. Only worm or a virus with worm
capabilities I think it could be really spread.
Last month the wildlist had the first VBS worm, VBS.Freelinks,
> "There are techniques for attacking directly -- without
> needing the user to open an attachment," said NAI's
> Kuo. "Such (Melissa-like) viruses are not out of the
> picture yet."
Ay caramba!
I knew that statement was not intelligent.
> I mean that. :)
> Anyways don't feel guilty, the idea and the method was in
> my mind before reading that. :)
The method was obvious with all the IE security holes. :-(
> Two messages is much nntp for me, I'm not used to post on
> usenet, I better stop. :)
Thanks for answering my question.
> Antivirus companies can report accurate information - leave it to
> "translation of information" for the details to get mucked up. In
> saving head line space, technical details can be omitted thereby
> causing panic. AV is correct to alert on such an exploit. I make no
> judgement on those in the press.
Antivirus companies (certain ones) seem to have an awfully hard time
reporting accurate information to the media. You'd think after knowing
for some time that the media might muddle up your descriptions, that
you'd take an extra effort in writing them. And ensuring they are
printed properly.
Technical details when it concerns a virus should not be omitted; this
is not an excusable item. A virus is by its very nature a technical
related item. Skipping/removing those details does cause unrequired
panic, and a sales boost for the antivirus industry.
While AV is correct to alert on such a thing, they are not correct to
discuss it with the media without first ensuring the media will print
the correct information.
Regards,
Raid [SLAM]
Obvious questions could be:
* What is it?
* What can it do?
* Is it dangerous?
* What does it need? (the security bug)
* How can you tell if your system is vulnerable?
* What can you do about it?
* Can we expect future dangerous mutations?
- References
- Possibly more detailed information.
I'm a technical writer, not a virus expert. What I want to do is present
answers to these questions in an understandable way and separate fact
from fiction. Any input that can help me do it is appreciated. That is,
if there is interest in such a thing.
Paul
--
Hi! I'm a signature virus!! Copy me into your .signature file to help me
spread!