Results 1 to 9 of 9

Thread: (?)'s about Bubbel

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    9

    (?)'s about Bubbel

    I have this trojan in my computer called Bubbel!
    I'm guessing someone sent it through ICQ to me before i was familuar with formats. Well anyway i just found it using
    http://scan.sygatetech.com/pretrojanscan.html which was recommented by Victorkaum (thanks).
    Is this easy to remove?
    If it is, could you give a simple instruction?
    How concerned should i be?
    I guess thats it.
    Any other comments about this are welcome.
    Thank you.

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    227

    Thumbs up Re: (?)'s about Bubbel

    Hi,
    you should take a look on this site

    http://www.dark-e.com/archive/trojan...el/index.shtml

    there you will find some basic info about that trojan and also how to remove it. So good luck.

  3. #3
    Junior Member
    Join Date
    Jan 2002
    Posts
    9
    Thanks but it seems i have another problem!
    It tells me to Remove the windows key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
    but the windows key isnt there, but there is one there that looked very suspicious. Its says it is a scheduling Agent
    and under the data it just says "mstask.exe" Where as all the others data is longer and more descriptive .
    Does anyone know if this is supposed to be there?

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    227
    Originally posted by 7raviz^~
    Thanks but it seems i have another problem!
    It tells me to Remove the windows key in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
    but the windows key isnt there
    then it looks like you aren't infected by bubbel
    but I must say that I did't see this trojan so all my information are from some inet sites (use google.com to find more about it if you want)


    but there is one there that looked very suspicious. Its says it is a scheduling Agent and under the data it just says "mstask.exe" Where as all the others data is longer and more descriptive .
    Does anyone know if this is supposed to be there?
    And are you using scheduling or not?

  5. #5
    Junior Member
    Join Date
    Jan 2002
    Posts
    9
    See...I scanned my pc for trojans at
    http://scan.sygatetech.com/pretrojanscan.html
    and it said i had it, bbut then i looked in the registry and the windows key wasnt there....so i was thinking maybe it had disguised
    itself or it had been renamed to mstask.exe
    but i figured out that that has nothing to do with it.
    No i dont used scheduling, well i dont think i do.
    Thanks for your help.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    227
    Yes I see. But I don't think that this trojan is able to do such things as you described. And is bubbel.exe in your windows system directory? Mayby you could also try some other scan.

    But again I have only read about it and never seen it. So maybe I can't help you

  7. #7
    Junior Member
    Join Date
    Jan 2002
    Posts
    9
    yeah i will try more scans......no it isnt in the directory
    maybe it was just the scan and from what i hear this trojan isnt really anything to worry about. Anyway, Zonealarm keeps it from being accessed so i should be ok
    thanks....and yes you helped....thanks alot sun7dots

  8. #8
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Hey 7raviz^~ ,

    the scan at sygatetech only checks for open ports... so it could be that behind that open port a trojan is listening or it could be something else. Most of the time SK's use the default ports from the trojan but it could be that the SK did not...so it could be another trojan modified to be recognized as Bubbel. However that's not very common...

    I recommend that you try to close all ports you don't need and that you do some virusscan.

    registry etims to search for:

    HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    HK_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    HK_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HK_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    HK_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

    HK_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

  9. #9
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    I have forgotten something:

    Bubbel is written in visual basic and shipped with a standard installer, it has the following files
    Files:
    bubbel.exe
    bubbel.bl_
    bubbel.sck
    bubbel.the
    bubbel.bbl
    readme.txt

    After infection, the files are renamed and placed in windows\sys\
    bubbel.bbl to msvbvm50.dll
    bubbel.bl_ to msinet.ocx
    bubbel.the to bubbel.exe
    bubbel.sck to mswinsck.ocx


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •