[Dshield] CPL in Bagle-Like Message

James C. Slora, Jr. james.slora at phra.com
Mon Apr 26 18:24:23 GMT 2004


We blocked an obvious virus that looks like a new variant of Bagle. It
does not match the Bagle.X details listed by Trend Micro, though.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.X&VSect=T

Our message looked like this:

Subject - Re: Incoming Message
Body - Message is in attach
Attachment - message.cpl

We dropped the attachment so I cannot analyze it.

It may have just been an original Bugbear infection that grabbed a
Bagle-generated message as its seed source, too. I haven't seen Bagle
use a CPL extension before, and I haven't seen Bugbear use "message.*"
as its attachment.

It's a good reminder to keep blocking .CPL files.
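
An added example, not part of the original post: a minimal Python gateway check that flags attachments with a blocked extension such as .CPL, run against a constructed message shaped like the one described above. The function names, the blocklist contents and the example.com addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; the post itself only names .CPL.
BLOCKED_EXTENSIONS = {".cpl"}


def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded filenames
        if not name:
            continue
        # Windows strips trailing dots and spaces from file names, so
        # "message.cpl." must be treated the same as "message.cpl".
        normalized = name.rstrip(". ").lower()
        dot = normalized.rfind(".")
        if dot != -1 and normalized[dot:] in blocked:
            hits.append(name)
    return hits


def build_sample(filename):
    """Constructed sample shaped like the message in the post (harmless payload)."""
    m = EmailMessage()
    m["Subject"] = "Re: Incoming Message"
    m["From"] = "sender@example.com"   # constructed address
    m["To"] = "user@example.com"       # constructed address
    m.set_content("Message is in attach")
    m.add_attachment(b"not a real control panel file",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("message.cpl", "MESSAGE.CPL", "message.txt.cpl.", "message.txt"):
        print(fn, "->", blocked_attachments(build_sample(fn)))
```

The check looks only at the declared filename, so it complements content scanning rather than replacing it.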