[Dshield] CPL in Bagle-Like Message
James C. Slora, Jr.
james.slora at phra.com
Mon Apr 26 18:24:23 GMT 2004
We blocked an obvious virus that looks like a new variant of Bagle. It
does not match the Bagle.X details listed by Trend Micro, though.

Our message looked like this:

Subject - Re: Incoming Message
Body - Message is in attach
Attachment - message.cpl

We dropped the attachment so I cannot analyze it.

It may have just been an original Bugbear infection that grabbed a
Bagle-generated message as its seed source, too. I haven't seen Bagle
use a CPL extension before, and I haven't seen Bugbear use "message.*"
as its attachment.

It's a good reminder to keep blocking .CPL files.
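
An added example, not part of the original post: a gateway-style check that flags a message like the one described when any MIME part advertises a .cpl name. The blocklist contents, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy

# Assumed blocklist for illustration; the post itself only names .cpl.
BLOCKED_EXTENSIONS = {".cpl"}

# Constructed sample modelled on the subject, body and attachment name quoted above.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Re: Incoming Message\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Message is in attach\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="message.cpl"\r\n'
    b'Content-Disposition: attachment; filename="Message.CPL"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

def blocked_extension(name):
    # Windows drops trailing dots and spaces when saving a file, so
    # "message.cpl." must be judged as "message.cpl"; compare lowercased.
    cleaned = name.strip().rstrip(". ").lower()
    ext = os.path.splitext(cleaned)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None

def advertised_names(part):
    # A part can name its file in either header and the two can disagree,
    # so collect both instead of trusting only Content-Disposition.
    names = []
    for header, param in (("Content-Disposition", "filename"),
                          ("Content-Type", "name")):
        value = part[header]
        if value is not None and param in value.params:
            names.append(value.params[param])
    return names

def scan(raw_bytes):
    # Return every advertised attachment name whose extension is blocked.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [name for part in msg.walk() if not part.is_multipart()
            for name in advertised_names(part) if blocked_extension(name)]
```

A non-empty result from `scan()` means the message carries a blocked attachment name and can be dropped or quarantined at the gateway.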