Jan 19 2004
The number one admonishment from security folks is to never, ever open executable type attachments received unexpectedly. Zealots will even go so far as to say to never, ever open any attachment received unexpectedly. Yet despite years of warnings, naive users are failing to heed this advice and flocking to the Bagle worm in droves. So much so that less than 12 hours after its initial discovery, the Bagle worm had already registered as a top ten threat on the MessageLabs ThreatList.
Certainly some worms employ clever social engineering to trick users into opening the attachment, perhaps disguising themselves as a Microsoft security patch (note to the wise, Microsoft doesn't send patches via email), or embedding themselves within an HTML file contained in a ZIP file (causing it to be run in the generally less restrictive local computer zone). But the Bagle worm contains none of these tricks. Indeed, the Bagle worm seems to make no attempt to trick users whatsoever, relying instead on a tersely worded message that all but screams DON'T OPEN ME.
Instead of clever tricks, Bagle arrives via email as follows:
Subject: Hi
Body: Test =)
<nonsensical characters>
--
Test, yep.
The email carries a randomly named executable attachment, with an icon of a calculator. It is this attachment that seems to be a magnet for novice users. Remember, never, ever open executable type attachments received unexpectedly. If you don't know how to distinguish an executable from a non-executable, then your best bet is to never, ever open any attachment received unexpectedly.
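The executable/non-executable distinction can also be made mechanically at the mail gateway. The following is an added example, not part of the original article: it flags attachments by final file extension and by the "MZ" header that Windows executables start with, so a renamed executable is still caught. The extension list, function names, addresses and the sample filename are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly (a typical gateway blocklist; assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".cpl", ".hta"}


def executable_attachments(raw: bytes) -> list:
    """Return (filename, reason) for each attachment that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Judge by the final extension, so 'report.txt.exe' counts as .exe.
        ext = os.path.splitext(name.strip().lower())[1]
        by_ext = ext in EXECUTABLE_EXTS
        # DOS/PE files begin with the two bytes 'MZ' regardless of their name.
        by_header = data[:2] == b"MZ"
        if by_ext or by_header:
            hits = (("extension", by_ext), ("header", by_header))
            findings.append((name, "+".join(r for r, hit in hits if hit)))
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message shaped like the email quoted above."""
    m = EmailMessage()
    m["Subject"] = "Hi"
    m["From"] = "sender@example.com"   # placeholder address
    m["To"] = "user@example.com"       # placeholder address
    m.set_content("Test =)\n--\nTest, yep.\n")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60   # constructed stub, header bytes only

if __name__ == "__main__":
    for fname, body in (("qwrtzpl.exe", FAKE_PE), ("notes.txt", FAKE_PE),
                        ("notes.txt", b"plain text\n")):
        print(fname, executable_attachments(build_sample(fname, body)))
```

A gateway would quarantine any message for which the returned list is non-empty rather than leaving the decision to the recipient.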
Also see: Bagle worm description