From: "Leona"
Newsgroups: alt.comp.perlcgi.freelance,alt.freewebhosting,alt.html.critique,comp.os.msdos.djgpp
References: <7vgr8g$iel$1 AT tron DOT sci DOT fi> <34UeOP1V1CvfYM8a+7LxX8dQ+AV6 AT 4ax DOT com> <382BC4F4 DOT ED174896 AT geocities DOT com> <382c7d3d AT newsprime DOT tidalwave DOT net> <80ki41$a6e$1 AT supernews DOT com>
Subject: Re: 4 VIRUS ALERTS!
Date: Tue, 16 Nov 1999 10:10:22 -0800
Lines: 51
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
NNTP-Posting-Host: ppp-24-8.tidalwave.net
Message-ID: <3831729e@newsprime.tidalwave.net>
X-Trace: 16 Nov 1999 10:05:02 -0500, ppp-24-8.tidalwave.net
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

okay so this came to the military yesterday:

COMMAND SECURITY MANAGER SENDS:

A dangerous new virus has been confirmed, and it is able to destroy information even when users do not open MS Outlook messages or attachments. The "Bubble Boy" will insert the file "UPDATE.HTA" into your computer as soon as the e-mail carrying it is opened.

Effective immediately, all users will take three actions:

First, discontinue use of "preview pane" in MS Outlook.
Second, download the Microsoft patch from the Quantico G-6 ISMO Security page.
Third, conduct a "search and destroy" of your computer files for "UPDATE.HTA" and if found, delete it.

If you see an e-mail with: "Subject: Bubbleboy is back! the Bubbleboy incident, pictures and sounds." delete it immediately. As always, users should have the latest Norton anti-virus with updates installed.

-----------------

T&E Div,

We have been informed of a new Virus that is circulating around the Internet. I have included the fix for Outlook. It is still required that you or your ISC ensure that download the current virus definition files for your Virus software. I have included an excerpt of the Virus Report.
To ensure that you have not been infected search your hard drive for the UPDATE.HTA. If you have any questions, your ISC's will be able to assist you.

In MS Outlook, this worm requires that you "open" the email. It will not run if using "Preview Pane". In MS Outlook Express, the worm is activated if "Preview Pane" is used! After the VB Script executes, it writes the file UPDATE.HTA to the local machine and during the next Windows startup, the .HTA file is invoked.

The UPDATE.HTA file is coded to do the following-

* Change the registered owner via the registry to "BubbleBoy"
* Change the registered organization to "Vandelay Industries"
* Send itself embedded in an email message to EVERY contact in EVERY EMAIL ADDRESS BOOK of MS Outlook
* Sets the registry key to indicate that the email distribution has occurred. (Email distribution will not be repeated.)

The email is a message with the following information:

From: (person who sent worm unintentionally)
Subject: BubbleBoy is back!
Message Body: The BubbleBoy incident, pictures and sounds

Sgt James D Bingham
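
The checks the alert asks for, sketched as an added example that is not part of the original post or of either forwarded memo: a case-insensitive search for UPDATE.HTA, a match on the worm's subject line, and a comparison of the registration strings. The function names are hypothetical, and reading the registered owner and organization out of the registry is left to the caller, since the alert does not give the key path.

```python
import os
from email import message_from_string
from email.header import decode_header, make_header

# Indicators named in the alert above. Matching is case-insensitive because
# the alert itself spells the subject both "Bubbleboy" and "BubbleBoy".
DROPPED_FILE = "update.hta"
SUBJECT_MARKER = "bubbleboy is back!"
OWNER_VALUE = "bubbleboy"
ORG_VALUE = "vandelay industries"

def find_dropped_files(root):
    """Return sorted paths under root whose name is exactly UPDATE.HTA (any case)."""
    hits = []
    # Unreadable directories are skipped rather than aborting the search.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == DROPPED_FILE]
    return sorted(hits)

def subject_matches(raw_message):
    """True if the decoded Subject header contains the worm's subject line."""
    msg = message_from_string(raw_message)
    raw_subject = msg.get("Subject", "")
    try:
        # Decode RFC 2047 encoded-words so an encoded subject cannot hide the text.
        subject = str(make_header(decode_header(raw_subject)))
    except (LookupError, UnicodeError):
        subject = str(raw_subject)
    # Collapse runs of whitespace before comparing; the message body is ignored.
    return SUBJECT_MARKER in " ".join(subject.split()).lower()

def registration_changed(owner, organization):
    """True if either registration string carries the value the worm writes."""
    return (owner.strip().lower() == OWNER_VALUE
            or organization.strip().lower() == ORG_VALUE)

if __name__ == "__main__":
    import sys
    # Usage: python check.py <directory to search>  (defaults to the current one)
    for path in find_dropped_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("found:", path)
```

A hit on the file name alone only shows that a file with that name exists; the registration strings and the subject line are the corroborating signs the alert describes.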