W32/Bagle.FY, Email-Worm.Win32.Bagle.fy, Trojan-Downloader.Win32.Bagle.fy
This type of worm is embedded in an email attachment and spreads by email from the infected computer.
For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Email-Worm:W32/Bagle.FY is a minor variant of Email-Worm:W32/Bagle.FM. The most significant difference with the FY variant is that the email messages used to distribute the worm are purportedly offering free tickets to the Olympic games in Torino.
This Bagle variant appeared on February 13th 2005.
The worm sends itself inside a ZIP archive file attached to email messages that have the following subjects:
The message body text can be one of the following:
Bagle.FY uses its own built-in SMTP engine to send copies of itself to email addresses harvested from an infected machine. It gathers email addresses from files on the system that have the following extensions:
This email worm avoids mailing copies of itself to addresses that contain the following substrings:
The worm creates the email messages used to deliver its worm code using the following "building blocks". The email attachment containing the worm code is named from one of the following strings (using a .zip extension):
The list above is also used to generate the subject of the email.
The email body usually contains one of the following strings:
Followed by one of these:
Where [password] is a password image stored remotely at the following links:
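A mail-gateway triage check for the message shape described above (a ZIP attachment plus a remotely hosted image in the body), as an added example that is not F-Secure's code. Treating the ZIP as password-protected is an assumption drawn from the [password] placeholder; the function names and the images.example host are hypothetical, and the sample message is constructed.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Remote <img src=...> references in an HTML body (heuristic, not a full HTML parse).
IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def zip_is_encrypted(data):
    """True if any member has the ZIP 'encrypted' flag (bit 0); None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return None

def inspect_message(raw):
    """Summarise ZIP attachments and remote images found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = {"zip_attachments": [], "encrypted_zip": False, "remote_images": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            out["zip_attachments"].append(name)
            out["encrypted_zip"] |= bool(zip_is_encrypted(payload))
        elif part.get_content_type() == "text/html":
            out["remote_images"] += IMG_SRC.findall(part.get_content())
    # Flag the combination the description reports: ZIP attachment + remote image.
    out["suspicious"] = bool(out["zip_attachments"] and out["remote_images"])
    return out

def constructed_sample():
    """Constructed message: a harmless ZIP with the encrypted bit patched on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
    z = bytearray(buf.getvalue())
    z[z.find(b"PK\x01\x02") + 8] |= 0x1  # general-purpose flag in the central directory
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see the HTML part")
    m.add_alternative('<p>Password: <img src="http://images.example/pw.gif"></p>', subtype="html")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="sample.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect_message(constructed_sample()))
```

The `suspicious` flag is a triage signal for quarantine and review, not a verdict: legitimate mail can also carry a ZIP and a remote image.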