NEWS FROM THE LAB - Monday, August 9, 2004

Bagle.AL Posted by Mikko @ 19:47 GMT

This new Bagle is really going around...although it's hard to say at this stage whether it has just been spammed a *lot* or if it's really spreading fast.

In any case, we now detect it as Bagle.AL.

We also took it to Radar Level 2 Alert.

The trick in this Bagle is that when the user opens the attached ZIP archive, this is what he sees:


...and many users would then wrongly assume that the HTML file is just a web page and safe to click on...after all, there are no dangerous EXE files in sight. Well, that's because the EXE is in the PRICE folder, and PRICE.HTML will just load and run it.

Repeat after me: HTML files on your local hard drive are not safe to click on. The same file might be perfectly safe when you access it over the web (i.e. surf to http://something/somefile.html) and horribly bad when you click on it locally (assuming a typical Windows user with default settings).
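
The archive layout described above (an HTML file in plain view, the executable one folder down) is something a mail gateway can check for before the attachment reaches a user. The following is an added example, not code from the original post or from F-Secure; the extension list, the function names and the sample member `PRICE/placeholder.exe` are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions treated as directly runnable on Windows (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".cpl", ".vbs", ".js"}
HTML_EXTS = {".html", ".htm"}


def inspect_zip(data: bytes) -> dict:
    """Classify the members of a ZIP attachment held in memory."""
    top_level_html, nested_exec, top_level_exec = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # ZIP names use "/" but some tools write "\\"; normalise first.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            ext = path.suffix.lower()
            depth = len(path.parts) - 1  # 0 = shown when the archive is opened
            if ext in HTML_EXTS and depth == 0:
                top_level_html.append(str(path))
            elif ext in EXECUTABLE_EXTS:
                (nested_exec if depth > 0 else top_level_exec).append(str(path))
    return {
        "top_level_html": top_level_html,
        "nested_executables": nested_exec,
        "top_level_executables": top_level_exec,
        # The layout from the post: HTML in view, the executable one folder down.
        "html_lure_with_hidden_exe": bool(top_level_html and nested_exec),
    }


def build_sample(members: dict) -> bytes:
    """Build a constructed ZIP in memory; contents are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (member names other than PRICE and PRICE.HTML are made up).
LURE = build_sample({"PRICE.HTML": b"<html></html>",
                     "PRICE/placeholder.exe": b"not a real program"})
BENIGN = build_sample({"index.html": b"<html></html>", "img/logo.png": b"png"})

if __name__ == "__main__":
    print(inspect_zip(LURE))
    print(inspect_zip(BENIGN))
```

The check only looks at member names and folder depth, so it flags the layout regardless of what the HTML file actually does with the nested executable.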