This new worm program affects Computers with Internet Explorer 5 and Windows Scripting Host installed (Windows Scripting Host is installed by default on Windows 98 and Windows 2000).
This worm is unique in that it does not come as an attachment to an email message but as part of the email message itself.  The worm can be activated if:
The email is viewed through the "Preview Pane" of Outlook Express 5.
   Or
The email is opened in Microsoft Outlook.

Once activated, the worm will try to email itself to every email address
in the user's Outlook address book.

Details
The worm can arrive in an email from anyone.  The subject line of the email will read "BubbleBoy is back!"  Inside the message is a URL ending in "bblboy.htm."  The text of the message reads "The BubbleBoy Incident, pictures and sounds."

If the security hole has not been patched, VBS.BubbleBoy will insert the
UPDATE.HTA file as soon as the email is opened. This script file is inserted into the Program-Start-up folder of the Start Menu (usually
 C:\WINDOWS\Start Menu\Programs\StartUp).

The next time Windows starts, UPDATE.HTA executes its worm routine:
1.Changes the registered owner (via the registry) to "BubbleBoy"
2.Changes the registered organization to "Vandelay Industries"
3.Sends an email message to everyone in the MS Outlook address book.
The email message contains the following text Subject:
BubbleBoy is back!
The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
4.Adds this registry entry:
HKLM\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu to mark the execution of its worm routine. If this registry entry exists, it does not execute the worm routine.

The B variant (also detected as VBS.BubbleBoy) is encrypted. The registry entry to mark the worm routine execution is:
HKLM\Software\OUTLOOK.BubbleBoy\ = OUTLOOK.Bubbleboy 1.0 by Zulu

Prevention
There are two universal methods currently available for avoiding infection by this worm.  One method is to download the security patch Microsoft has created to correct the security flaw that allows the worm to operate.  To download this patch, visit Microsoft's Security Bulliten (MS99-032).  It is recommended that you download this patch to insure that your computer is protected.

Another method to prevent the worm from sending out email is to change the security setting in Internet Explorer 5.0 (or later) to "high."  To do this:
1.  Start Internet Explorer.
2.  From the menu bar, click on Tools and then Internet Options.
3.  Click on Security.
4.  Change the setting to High.

For those users with the latest McAfee antivirus software loaded
on their computers:  You can make a change to the VShield component
of your McAfee software (the component that always scans incoming files
for viruses) to detect this new worm with these steps:

1.  Right-click on the blue shield with a red "V" in the taskbar near your
system clock (usually in the lower right corner of your screen).  A pop-up
menu will appear.  Choose Properties.
2.  There will be a section on What to Scan.  In that section, click on the
File Types button.
3.  A new window called Program File Extensions will appear.  Click on
the Add button.
4.  In the box labeled Extension to Add, type "HT?" (without the
quotation marks).  Click OK.
5.  Click OK in the previous McAfee windows to complete the process.

Removal

If your computer is already infected, the worm can be removed by following these steps:

1.  Right-click on the Start button and choose Explore.
2.  Windows Explorer will appear.  In the right-hand window, double-click on the Programs icon.
3.  A new list of icons will be displayed in the right-hand window.
Double-click on the StartUp icon.
4.  Again, a new list of icons/files will be displayed in the right-hand window.  Click once on the file Update.HTA and hit the Delete key on your keyboard.  This will delete the file that executes the commands allowing the virus to spread itself via email from your machine.