This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.
Email-Worm:W32/Bagle.FY is a minor variant of Email-Worm:W32/Bagle.FM. The most significant difference with the FY variant is that the email messages used to distribute the worm are purportedly offering free tickets to the Olympic games in Torino.
This Bagle variant appeared on February 13th 2005.
The worm sends itself inside a ZIP archive file attached to email messages that have the following subjects:
The message body text can be one of the following:
Bagle.FY uses its own built-in SMTP engine to send copies of itself to email addresses harvested from an infected machine. It searches and gathers email addresses from files with the following extensions found on the system:
This email worm avoids mailing copies of itself to addresses that have the following substrings:
The worm creates the email messages used to deliver its worm code using the following "building blocks". The email attachment containing the worm code is named from one of the following strings (using a .zip a extension):
The list above is also used to generate the subject of the email.
The email body usually contains one of the following strings:
Followed by one of these:
Where [password] is a password image stored remotely in the following links:
Date Created: -
Date Last Modified: -