A couple of months back we started blocking all email containing .zip file attachments, as a lot of security exploits were showing up in zip attachments. The block has caused a continuing number of complaints from people on campus, as zip files are common ways of bundling information and attaching it to email.
But just in case anyone thought there wasn’t still a reason to keep the block in place (from Eweek):
Another variant of the ubiquitous Bagle worm is now making its way across the Internet, flooding in-boxes with infected Zip files. The newest member of the Bagle family, named Bagle.AQ, arrives via an e-mail message with a spoofed sending address and no subject line. The only text in the message body is typically one or two words, either “price” or “new price.”
The name of the infected Zip file that accompanies the message is some variation on that theme as well. The files often are named Price.zip or New_price.zip, and may have a number appended to the end of the file name.
Bagle.AQ first appeared Monday and began circulating in earnest in the early afternoon Eastern time. Some users reported getting as many as 100 infected messages in an hour. Virus researchers said they first began seeing Bagle.AQ at about 8 a.m. Monday and have been seeing thousands of copies an hour.
If a user opens the Zip file with an application such as Windows Internet Explorer that is not a standalone Zip file handler, the user will see an HTML file that contains exploit code. The file will then execute an included .exe file, which is a Trojan, according to McAfee Inc.’s analysis. The Trojan then connects to a number of remote sites to download the actual viral code.
