This type of worm is embedded in an e-mail attachment and spreads by e-mail from the infected computer.
Email-Worm:W32/Bagle.FY is a minor variant of Email-Worm:W32/Bagle.FM. The most significant difference in the FY variant is that the e-mail messages used to distribute the worm purport to offer free tickets to the Olympic Games in Torino.
This Bagle variant appeared on February 13th 2005.
The worm sends itself inside a ZIP archive file attached to e-mail messages that have the following subjects:
The message body text can be one of the following:
Bagle.FY uses its own built-in SMTP engine to send copies of itself to e-mail addresses harvested from an infected machine. It searches and gathers e-mail addresses from files with the following extensions found on the system:
This e-mail worm avoids mailing copies of itself to addresses that have the following substrings:
The worm builds the e-mail messages used to deliver its code from the following "building blocks". The e-mail attachment containing the worm code is named using one of the following strings (with a .zip extension):
The list above is also used to generate the subject of the e-mail.
The e-mail body usually contains one of the following strings:
Followed by one of these:
Where [password] is a password image stored remotely in the following links:
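
The delivery pattern described above (a ZIP attachment plus a message body that points to a remotely hosted password image) can be checked at a mail gateway. The following is an added example, not code from the original description; it assumes the body is HTML and the archive is password-protected, and the function names, the `example.invalid` host and the sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches an <img> tag whose source is fetched over HTTP(S) rather than embedded (cid:).
REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I)

def zip_encrypted(data: bytes) -> bool:
    """True if any archive member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def inspect_message(raw: bytes) -> dict:
    """Report the delivery traits described above for one raw RFC 5322 message."""
    out = {"zip_attachment": False, "encrypted_zip": False, "remote_image": False}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or body.startswith(b"PK\x03\x04"):
            out["zip_attachment"] = True
            out["encrypted_zip"] = out["encrypted_zip"] or zip_encrypted(body)
        elif part.get_content_type() == "text/html":
            hit = REMOTE_IMG.search(part.get_content())
            out["remote_image"] = out["remote_image"] or bool(hit)
    # Assumed policy: quarantine when both traits from the description co-occur.
    out["flag"] = out["zip_attachment"] and out["remote_image"]
    return out

def build_sample(encrypted: bool, remote: bool) -> bytes:
    """Constructed test message; the archive holds one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", b"harmless")
    z = bytearray(buf.getvalue())
    if encrypted:  # set flag bit 0 in the local and central headers only
        z[6] |= 1
        z[z.index(b"PK\x01\x02") + 8] |= 1
    src = "http://img.example.invalid/pw.gif" if remote else "cid:pw"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see html part")
    msg.add_alternative(f'<p>Password: <img src="{src}"></p>', subtype="html")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The check reads only the archive headers and never extracts the attachment, so it can run before any content scanning.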