Possible Virus Attack Via TB2000 - Please Read

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

I'm not sure, but right now it's about the only explanation that makes sense. Unfortunately, I deleted the file before I read up on the virus, and wish I had forwarded it to one of the anti-virus companies first to see if they could figure out how it was delivered.

Yesterday, out of curiosity, I ran the free virus scan from Trend Micro at www.housecall.antivirus.com to see how it worked, in case I wanted to recommend it to some clients. I work at a small PC computer services company, on an NT LAN using IE & Outlook, access via a proxy server. After running the scan, it identified VBS_Bubbleboy located in my temporary internet files c:\windows\temporary internet\content.IE5\BEHDYUC\q-and-a.htm

Apparently, it had not triggered, so its payload was never sent out. I verified this with some of my clients that are in my address book. Now normally, VBS_Bubbleboy is distributed via e-mail, similar to Melissa, but our e-mail is scanned prior to distribution at the server, and even then we have a company policy of "if you don't know what it is, don't open it". It has also been distributed via some newsgroups when Outlook is used as your news reader, but as I'm going through a proxy, I can't access usenet newsgroups, the way we have our system configured. I also am not using Outlook to read the posts here. After scratching our heads and verifying none of our other machines were infected, we were at a loss to explain how my lone machine picked up the payload, but were grateful it didn't launch itself.

Why it was in my temporary internet files was a puzzle, as well as why it was in a file called q-and-a.htm... until a few minutes ago lurking here I looked at the address bar... www.greenspun.com/bboard/q-and-a.....

Would others here try the housecall.antivirus.com site and scan their machines? If there are more users here that have picked it up, then on one of the threads or links here some troll has found a new way to distribute VBS_Bubbleboy, although unsuccessfully, unless it was rigged with a date trigger, which would be another modification to the original virus.

Let me know if you find it on your machine too. Apparently it is only effective against Windows machines, and Outlook, at least in the original form. This is bugging the sh*t out of me.

-- C (c@c.com), December 22, 1999

Answers

to the top for those lounging in the new answers...

-- C (c@c.com), December 22, 1999.

Details please, if possible.

Don't know how that could happen from here.

Ideas?

E-mail the Sysops at: y2ktimebomb2000@yahoo.com (no attachments please) 'cause we won't open 'em.

;-D

Diane

-- Diane J. Squire (y2ktimebomb2000@yahoo.com), December 22, 1999.


I just scanned and my computer is clean.

However, for the last week or so, I have been checking any links in the threads with my mouse for .htm, .html, etc. before clicking on them. If it doesn't look like a normal viewing link, I pass. IMHO, too dangerous to do anything else for the next month.

Just my 2 cents, but I really wish posters would pass on the graphics and sounds and just stick to text until we at least get through the rollover.

-- John (jh@NotReal.ca), December 22, 1999.


Just scanned my computer with "Norton AntiVirus". No viruses found.

-- thinkIcan (thinkIcan@make.it), December 22, 1999.

I tried housecall.antivirus.com; and it said "unable to locate server".

-- C.B. (Ldynrd@home.com), December 22, 1999.


The virus was in an htm file saved in my temporary internet folder. When scanning, make sure you have the latest definitions for your antivirus software. The Trend Micro housecall.antivirus.com on-line scanner was what picked it up on mine.

I have considered that one of the graphic animations we see around here could possibly have been used. Believe I have heard that has happened in the past.

-- C (c@c.com), December 22, 1999.


http://www.antivirus.com/

Trend PC-cillin

an excellent small footprint antivirus program with online updates

-- snooze button (alarmclock_2000@yahoo.com), December 22, 1999.


I didn't find "bubbleboy", --c, but I've been suspecting something weird going on around here about the last 10 days or so. See previous posts about "slow", alarms, sounds & graphics, etc. I would have to add my 2 cents to John's (that makes 5 in new math) and have to agree with his last sentence 100%.

on de rock

-- Walter (On de rock@northrock.bm), December 22, 1999.


I just went into the MS Explorer Advanced Options Tab and turned off play animations, sounds and videos. I can live with that for a month. :-))

-- John (jh@NotReal.ca), December 22, 1999.

Good idea John...

Sent an e-mail to Trend Micro as to why some people are getting the "unable to locate server" message, when I get an answer I'll post their reply.

-- C (c@c.com), December 22, 1999.



Found three copies of q-and-a.htm right where you said they'd be.

Deleted em.

-- Gordon (g_gecko_69@hotmail.com), December 22, 1999.


No q-and-a.htm on my IE5.01/95B machine, and no sign of BB using McAfee. Yes, some of the cached files from here do START with q-and-a, but continue with -fetch or -new. This may be a page from some FAQ link that you visited. They often have names like this.

Too bad that you didn't save it. Would have been interesting to see the HTML, and what set off Trend. <:)=

-- Sysman (y2kboard@yahoo.com), December 22, 1999.


Sysman

You're right, I'm kicking myself in the butt right now for not e-mailing the file to one of the anti-virus companies. If anyone else besides Gordon finds a copy of q-and-a.htm, e-mail it to Trend, McAfee, or one of the others before you delete it.

As to picking it up somewhere else, we looked at my history file, but all the other sites I visit (this is my work machine) are like HP, Microsoft, Compaq, federal government procurement sites, etc., this is the only site I visit from work where I would even remotely suspect questionable content... while it's possible someone may have hacked one of those sites and planted code to distribute BB, I think it's unlikely.

Curiouser and curiouser...

-- C (c@c.com), December 22, 1999.


.....I empty my temps every day.

-- Patrick (pmchenry@gradall.com), December 22, 1999.

"unable to locate server" sounds like a DNS server problem.

Been having that off and on since last Sat., but from my Mac, so it's not your suspected virus.

Example: Need to DOS ping "greenspun.com" or whatever site you can't seem to reach, to get the octet code, then use that right after http:// (no www.) to get to a site. Usually works.

Diane

-- Diane J. Squire (sacredspaces@yahoo.com), December 22, 1999.



I found VBS_Bubbleboy on my PC earlier today too. Running Trend Micro's online checker found it. The virus was not effective if NT is your OS, like mine (at work). I deleted all my temporary internet files to get rid of it. IE 5.0: Tools, Internet Options, Delete Files.

-- Cable_man (tlangan@iname.com), December 22, 1999.

Well, this is curiouser and curiouser. Will one of you folks please e-mail me this thing, before you delete it, especially if it's a .htm file. HTML can't do much, except for ActiveX and Java, and even there, only "limited damage." Most of the holes have already been patched. I'd really like to see what makes it tick, if it's real.

Since it seems like Trend is the only one finding it, it could be a false detection. A virus signature is usually only a few bytes of "code," that the techs hope is unique to that specific virus. A random chance does exist where that few bytes may exist somewhere else, like a graphic, or in another legit program. I've seen it happen, just never with .htm ...

Tick... Tock... <:00= ...

-- Sysman (y2kboard@yahoo.com), December 22, 1999.


I agree, I don't see how .htm files can do anything. If you aren't connected the .htm file can't even hit the java file in order for your browser to compile it... I have read of javascript exploiting holes in browser software, but I don't think BB's written in javascript.

-- Mori-Nu (silkenet@yahoo.com), December 23, 1999.

I had a thought -- VBScript can be written into .html source just like javascript. Maybe the next person who happens upon this file could paste the source here (unless it's incredibly long).

-- Mori-Nu (silkenet@yahoo.com), December 23, 1999.
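Added illustration (not posted in the thread, and not the real q-and-a.htm, which nobody kept) of the two points above: Sysman's note that a few-byte signature can match by chance inside a legitimate page, and Mori-Nu's note that VBScript can sit in .html source just like JavaScript. The sample pages, the short signature `b"<script"` and the helper names are all constructed for the demo.

```python
"""Why a few-byte signature can false-positive on a cached .htm page, and
what a context-aware check for inline VBScript looks like (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample pages; the VBScript one is only a harmless stub.
SAMPLES: Dict[str, bytes] = {
    "faq_page.htm": (b"<html><body><h1>Q and A</h1><p>Post your question.</p>"
                     b"<script>document.title='FAQ';</script></body></html>"),
    "plain_page.htm": b"<html><body><p>No scripts here at all.</p></body></html>",
    "vbs_page.htm": (b"<html><body><script language=\"VBScript\">\n"
                     b"MsgBox \"stub only\"\n</script></body></html>"),
}

SCRIPT_RE = re.compile(rb"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
LANG_RE = re.compile(rb"(?:language|type)\s*=\s*[\"']?([\w/-]+)", re.I)


def script_blocks(html: bytes) -> List[Tuple[str, bytes]]:
    """Return (language, body) for every <script> block; unlabelled blocks
    are JavaScript, which is what browsers of the period assumed."""
    blocks = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = LANG_RE.search(attrs)
        lang = m.group(1).decode().lower() if m else "javascript"
        blocks.append((lang, body))
    return blocks


def has_vbscript(html: bytes) -> bool:
    """Context-aware check: only a <script> block declared as VBScript counts."""
    return any("vbscript" in lang for lang, _ in script_blocks(html))


def signature_hits(signature: bytes, samples: Dict[str, bytes]) -> List[str]:
    """Naive byte-pattern scanner: every file containing the bytes is flagged."""
    return sorted(name for name, data in samples.items() if signature in data)


def compare(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Side by side: a short pattern such as b"<script" also lives in countless
    legitimate pages, so it flags the harmless FAQ page as well."""
    return {
        "short_signature": signature_hits(b"<script", samples),
        "vbscript_block": sorted(n for n, d in samples.items() if has_vbscript(d)),
    }
```

Run `compare(SAMPLES)` to see the short signature flag both the FAQ page and the VBScript page, while the script-block check flags only the latter.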

As far as McAfee's concerned, I'm clean. I searched for both the aforementioned .html files too. Nothing. If this is really a legitimate problem the persons finding these files must have visited the same thread or different threads with the same source.

-- Mori-Nu (silkenet@yahoo.com), December 23, 1999.

Is this only showing up for people w/ IE? I use Netscape, and found nothing. Perhaps it is coming through a hole in IE, since IE is directly connected to Outlook Express, which is BubbleBoy's preferred "port of entry".

Jes' Thinkin'...

-- Little Pig (littlepig@brickhouse.com), December 23, 1999.


That's very possible Little Pig, even tho I'm just using IE to view the posts here, I do leave Outlook open, but minimized, as I'm browsing.

They have located another virus called HTML-ON-THE-FLY, by the same author as VBS_Bubbleboy, it's a JavaScript attack that can be delivered via a webpage, but still seems to be taking advantage of a hole in IE/Outlook... you still have to open the file once it's on your machine before it can do any damage...

Anyone else finds this, please forward to one of the antivirus companies for analysis... doesn't look as tho it can do any harm unless you open it and have no security settings whatever set in IE.

-- C (c@c.com), December 23, 1999.


http://www.antivirus.com/trendsetter/virus_report/

4. HTML_THE_FLY - new creation from the author of VBS_BUBBLEBOY
-------------------------------------------------------------------------

HTML_THE_FLY is a new Javascript worm that tries to spread itself through mIRC, Pirch98 and Outlook 98/2000. While there is some similarity to VBS_BUBBLEBOY, this new worm can not activate unless a user clicks on the file attachment (Filename: THE_FLY.CHM). Emails mailed out by HTML_THE_FLY have the subject "Funny thing" and the body text "If you ride a motorcycle, close your mouth.:)"

For additional details about HTML_THE_FLY, please refer to our website at: http://www.antivirus.com/vinfo/security/sa121899.htm

HTML_THE_FLY is detected with Trend pattern file 625 or higher.

-- C (c@c.com), December 23, 1999.


From: Y2K, à la Carte by Dancr (pic), near Monterey, California

I used "Find" to look for the .htm file and got nothing. I use Netscape, though. I have Outlook but don't use it for e-mail, only for the calendar function. Perhaps those who found the files could paste a list of which threads they visited from among those that are still visible on the "Recent Answers" page. If the culprit thread was started within the past week we may be able to narrow down the possibilities.

-- Dancr (addy.available@my.webpage), December 23, 1999.


FWIW, these tips from Network Associates on averting Y2K viruses may be of interest to some....

Y2K Antivirus Tips

-- John (jh@NotReal.ca), December 23, 1999.
