BubbleBoy is among the most documented and threatening viruses never to exist. To squelch all fears, speculation, and misinformation from the word go: 1) BubbleBoy is a Visual Basic "worm" which exploits an already documented security flaw in Microsoft Outlook on Windows 98 and Windows 2000 PCs, it is not a virus. 2) It has never been released or known to be "in the wild," BubbleBoy was written and mailed directly to anti-virus vendors as an example only.

BubbleBoy exploits a known security flaw in Microsoft Outlook (and Express) running on Windows 32-bit machines which have IE 5 installed and the Visual Basic Scripting Host enabled (the default). Execution of the hazardous code in the email, which reads "The BubbleBoy incident, pictures, and sounds" followed by a hyperlink, requires that Outlook be configured to display HTML-native email (also the default). Viewing this message -- running the Visual Basic ActiveX control hidden in the email's underlying HTML -- installs a new VBS "program" to the PCs "Startup" menu, which will launch the malicious code following a reboot. The hack, which runs only once, mass mails copies of itself to all contacts listed in the local Outlook Express Address Book.

To prevent damaging effects from this and other absurd clones that are likely to appear in the immediate future, please visit:

     http://www.microsoft.com/security/Bulletins/ms99-032.asp