Mail Archives: djgpp/1999/11/16/16:33:20

From: "Leona" <leona AT solaseireann DOT com>
Newsgroups: alt.comp.perlcgi.freelance,alt.freewebhosting,alt.html.critique,comp.os.msdos.djgpp
References: <7vgr8g$iel$1 AT tron DOT sci DOT fi> <34UeOP1V1CvfYM8a+7LxX8dQ+AV6 AT 4ax DOT com> <382BC4F4 DOT ED174896 AT geocities DOT com> <382c7d3d AT newsprime DOT tidalwave DOT net> <80ki41$a6e$1 AT supernews DOT com>
Subject: Re: 4 VIRUS ALERTS!
Date: Tue, 16 Nov 1999 10:10:22 -0800
Lines: 51
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
NNTP-Posting-Host: ppp-24-8.tidalwave.net
Message-ID: <3831729e@newsprime.tidalwave.net>
X-Trace: 16 Nov 1999 10:05:02 -0500, ppp-24-8.tidalwave.net
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

okay so this came to the military yesterday:

COMMAND SECURITY MANAGER SENDS:
A dangerous new virus has been confirmed, and it is able to destroy
information even when users do not open MS Outlook messages or attachments.
The "Bubble Boy" will insert the file "UPDATE.HTA" into your computer as
soon as the e-mail carrying it is opened. Effective immediately, all users
will take three actions:
First, discontinue use of "preview pane" in MS Outlook.
Second, download the Microsoft patch from the Quantico G-6 ISMO Security
page.
Third, conduct a "search and destroy" of your computer files for
"UPDATE.HTA" and if found, delete it. If you see an e-mail with: "Subject:
Bubbleboy is back! the Bubbleboy incident, pictures and sounds." delete it
immediately.

As always, users should have the latest Norton anti-virus with updates
installed.

-----------------

T&E Div,

We have been informed of a new Virus that is circulating around the
Internet. I have included the fix for Outlook. It is still required that you
or your ISC ensure that you download the current virus definition files for your
Virus software. I have included an excerpt of the Virus Report. To ensure
that you have not been infected search your hard drive for the UPDATE.HTA.
If you have any questions, your ISC's will be able to assist you.
In MS Outlook, this worm requires that you "open" the email. It will not run
if using "Preview Pane".
In MS Outlook Express, the worm is activated if "Preview Pane" is used!
After the VB Script executes, it writes the file UPDATE.HTA to the local
machine and during the next Windows startup, the .HTA file is invoked.
The UPDATE.HTA file is coded to do the following:
* Change the registered owner via the registry to "BubbleBoy"
* Change the registered organization to "Vandelay Industries"
* Send itself embedded in an email message to EVERY contact in EVERY EMAIL
ADDRESS BOOK of MS Outlook
* Sets the registry key to indicate that the email distribution has
occurred. (Email distribution will not be repeated.)
The email is a message with the following information:
From: (person who sent worm unintentionally)
Subject: BubbleBoy is back!
Message Body: The BubbleBoy incident, pictures and sounds
Sgt James D Bingham
 <<q240308.exe>>
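
The three checks the forwarded notices describe (a dropped UPDATE.HTA file, the "BubbleBoy is back" subject line, and the changed registration strings), written out as an added Python example that is not part of the original post or of either notice. The function names and the sample data are assumptions of this example, and the registration strings are passed in as arguments because the notices do not say where they are stored.

```python
import os
import tempfile
from email import message_from_string

# Indicators taken from the text of the forwarded notices.
DROPPED_FILE = "update.hta"
SUBJECT_MARKER = "bubbleboy is back"
OWNER_VALUE = "bubbleboy"
ORG_VALUE = "vandelay industries"

def find_dropped_files(root):
    """Return sorted paths under root whose file name is UPDATE.HTA (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == DROPPED_FILE:  # exact name, not a substring
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def is_suspect_message(raw_message):
    """True if the Subject header (not the body) carries the marker text."""
    subject = message_from_string(raw_message).get("Subject", "")
    # Collapse folded header lines and repeated spaces before comparing.
    return SUBJECT_MARKER in " ".join(subject.split()).lower()

def registration_tampered(owner, organization):
    """True if either registration string equals a value the notices list."""
    # Assumption: the caller has already read both strings from the machine.
    return ((owner or "").strip().lower() == OWNER_VALUE
            or (organization or "").strip().lower() == ORG_VALUE)

def triage(root, raw_messages, owner, organization):
    """Combine the three checks into one report for a single machine."""
    return {
        "files": find_dropped_files(root),
        "messages": [i for i, m in enumerate(raw_messages) if is_suspect_message(m)],
        "registration": registration_tampered(owner, organization),
    }

if __name__ == "__main__":
    # Constructed sample data: an empty UPDATE.HTA and two made-up messages.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "UPDATE.HTA"), "w").close()
        msgs = ["Subject: BubbleBoy is back!\n\nbody", "Subject: lunch\n\nbody"]
        print(triage(root, msgs, "BubbleBoy", "Example Org"))
```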


