Alex Feldstein blogs New Bagle worm is making rounds?. SANS Internet Storm Center reports that a new Bagle worm variant is making rounds. Make sure that your antivirus is up-to-date and enabled.
Preliminary information is:
- The file arrives as a zipped attachment with a filename including
the word “price” (price.zip, price2.zip newprice.zip, 09_price.zip,
- Creates two files: C:\WINDOWS\system32\winshost.exe and C:\WINDOWS\system32\wiwshost.exe
- Launches winshost.exe from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
- This has been classified (by at least one AV vendor) as: TROJ/BAGLEDL-U
My Inbox (running on a Mac) is already filling up with these. One more time, let’s remember the rules: NEVER open an attachment from an untrusted source. There are no trusted sources. NEVER EVER open an unexpected attachment without verifying with the sender that they did intend to send you that attachment. If you have some confidence you know what you’re doing, save it to disk, scan it and test it. If you aren’t confident of your abilities to detect a problem, contact your IT support person. Don’t have any of those? Don’t open the attachment.