Threat Descriptions

Email-Worm:W32/Bagle.FY

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

W32/Bagle.FY, Email-Worm.Win32.Bagle.fy , Trojan-Downloader.Win32.Bagle.fy

Summary

This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.

Removal

For removal instructions specific to Bagle infections, see Email-Worm:W32/Bagle.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/Bagle.FY is a minor variant of Email-Worm:W32/Bagle.FM. The most significant difference with the FY variant is that the email messages used to distribute the worm are purportedly offering free tickets to the Olympic games in Torino.

This Bagle variant appeared on February 13th 2005.

Propagation

The worm sends itself inside a ZIP archive file attached to email messages that have the following subjects:

  • FREE OLYMPIC TICKETS LOTTERY!
  • 2006 Winter Games in Torino
  • 2006 Torino Winter Games FREE Tickets

The message body text can be one of the following:

  • Attention: you received free ticket invitation with attachment! Coast to Coast Tickets provides the most comprehensive inventory of Opening Ceremony tickets available on the secondary market. If the Opening Ceremony tickets you are looking for are not available, please check back as our inventory is constantly updated. Orders for Opening Ceremony tickets that are no longer available will be cancelled or substituted at the customer's discretion. All Opening Ceremony tickets are shipped via Federal Express. If you would like to attend a Opening Ceremony event to see athletes live, or to see a team schedule and information, Coast to Coast Tickets is your source. All it takes is a phone call or a few clicks of the mouse to buy Opening Ceremony tickets. We offer a wide selection of Winter Games tickets for all teams, and we are happy to provide information about schedules at any time.
  • Our company (TicketWorld) is the world's largest supplier of tickets to all major international events including the 2006 Winter Games and 2006 Torino Tickets. We sell tickets to every sporting event in Torino including the preliminary competitions as well as Olympic Finals tickets. You can order Winter Game tickets for all categories for every match. All Winter Games tickets are guaranteed 200%. All ticket prices are in US Currency ($). OPEN ATTACHMENT ARCHIVE TO GET INFORMATION HOW TO OBTAIN A FREE TICKET. Please call our United States office at +1.512.472.5797 or from the United Kingdom 0800.781.0819 if you have questions.
  • The Torino Winter games will be the most celebrated Olympics of our era. If you are looking to witness this historic event for yourself, look no further. SuperTicketing Premium Seating is your source for Olympics tickets. We have access to tickets for nearly every Olympic event from Opening to Closing Ceremonies, Curling to Figure Skating. FREE TICKETS AVAILABLE NOW ON LOTTERY BASIS. CHECK ATTACHED FILE. DISCLAIMER TickCo Premium Seating buys and resells tickets on the secondary market at above face value. Our prices can be substantially higher than the original ticket price, as they reflect the cost of obtaining premium seating. Any trademarked terms that appear on this page are used for descriptive purposes only.

Bagle.FY uses its own built-in SMTP engine to send copies of itself to email addresses harvested from an infected machine. It searches and gathers email addresses from files with the following extensions found on the system:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

This email worm avoids mailing copies of itself to addresses that have the following substrings:

  • @avp.
  • @iana
  • @messagelab
  • abuse
  • admin
  • anyone@
  • bugs@
  • cafee
  • certific
  • contract@
  • feste
  • free-av
  • f-secur
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • linux
  • listserv
  • local
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • postmaster@

The worm creates the email messages used to deliver its worm code using the following "building blocks". The email attachment containing the worm code is named from one of the following strings (using a .zip a extension):

  • Alice
  • Alice
  • Alyce
  • Andrew
  • Androw
  • Androwe
  • Annes
  • Anthonie
  • Anthony
  • Anthonye
  • Avice
  • Bennet
  • Bennet
  • Bennett
  • Christean
  • Christian
  • Christian
  • Constance
  • Cybil
  • Daniel
  • Daniel
  • Danyell
  • Dorithie
  • Dorothee
  • Dorothy
  • Edmond
  • Edmonde
  • Edmund
  • Edmund
  • Edward
  • Edward
  • Edwarde
  • Elizabeth
  • Elizabeth
  • Elizabethe
  • Ellen
  • Ellen
  • Ellyn
  • Emanual
  • Emanuel
  • Emanuell
  • Ester
  • Frances
  • Francis
  • Francis
  • Fraunces
  • Gabriell
  • Geoffraie
  • George
  • Grace
  • Harry
  • Harry
  • Harrye
  • Henrie
  • Henry
  • Henry
  • Henrye
  • Hughe
  • Humphrey
  • Humphrey
  • Humphrie
  • Isabel
  • Isabell
  • Isabell
  • James
  • James
  • Jeames
  • Jeffrey
  • Jeffrye
  • Joane
  • Johen
  • Josias
  • Judeth
  • Judith
  • Judith
  • Judithe
  • Katherine
  • Katherine
  • Katheryne
  • Leonard
  • Leonard
  • Leonarde
  • Margaret
  • Margaret
  • Margarett
  • Margerie
  • Margerye
  • Margret
  • Margrett
  • Marie
  • Martha
  • Marye
  • Michael
  • Michael
  • Mychaell
  • Nathaniel
  • Nathaniel
  • Nathaniell
  • Nathanyell
  • Nicholas
  • Nicholas
  • Nicholaus
  • Nycholas
  • Peter
  • Ralph
  • Rebecka
  • Richard
  • Richard
  • Richarde
  • Robert
  • Robert
  • Roberte
  • Roger
  • Rycharde
  • Samuell
  • Sidney
  • Sindony
  • Stephen
  • Susan
  • Susanna
  • Susanna
  • Suzanna
  • Sybell
  • Sybyll
  • Syndony
  • Thomas
  • Valentyne
  • William
  • Winifred
  • Wynefrede
  • Wynefreed
  • Wynnefreede

The list above is also used to generate the subject of the email.

The email body usually contains one of the following strings:

  • I love you
  • To the beloved

Followed by one of these:

  • archive password: [password]
  • Password - [password]
  • Password -- [password]
  • Password is [password]
  • Password: [password]
  • The password is [password]
  • Use password [password] to open archive.
  • Zip password: [password]

Where [password] is a password image stored remotely in the following links:

  • https://1point2.iae.nl/777.gif
  • https://5050clothing.com/777.gif
  • https://appaloosa.no/777.gif
  • https://apromed.com/777.gif
  • https://arborfolia.com/777.gif
  • https://areal-realt.ru/777.gif
  • https://art4u1.superhost.pl/777.gif
  • https://art-bizar.foxnet.pl/777.gif
  • https://asdesign.cz/777.gif
  • https://avenue.ee/777.gif
  • https://axelero.hu/777.gif
  • https://bartex-cit.com.pl/777.gif
  • https://bazarbekr.sk/777.gif
  • https://bid-usa.com/777.gif
  • https://biliskov.com/777.gif
  • https://biomedpel.cz/777.gif
  • https://bitel.ru/777.gif
  • https://blackbull.cz/777.gif
  • https://bohuminsko.cz/777.gif
  • https://bonsai-world.com.au/777.gif
  • https://bpsbillboards.com/777.gif
  • https://cadinformatics.com/777.gif
  • https://calamarco.com/777.gif
  • https://canecaecia.com/777.gif
  • https://ceramax.co.kr/777.gif
  • https://charlesspaans.com/777.gif
  • https://chatsk.wz.cz/777.gif
  • https://checkalertusa.com/777.gif
  • https://cibernegocios.com.ar/777.gif
  • https://cof666.shockonline.net/777.gif
  • https://comaxtechnologies.net/777.gif
  • https://compucel.com/777.gif
  • https://concellodesandias.com/777.gif
  • https://continentalcarbonindia.com/777.gif
  • https://dev.jintek.com/777.gif
  • https://dogoodesign.ch/777.gif
  • https://donchef.com/777.gif
  • https://erich-kaestner-schule-donaueschingen.de/777.gif
  • https://foxvcoin.com/777.gif
  • https://ftp-dom.earthlink.net/777.gif
  • https://gnu.univ.gda.pl/777.gif
  • https://grupdogus.de/777.gif
  • https://hotchillishop.de/777.gif
  • https://ilikesimple.com/777.gif
  • https://innovation.ojom.net/777.gif
  • https://kisalfold.com/777.gif
  • https://knickimbit.de/777.gif
  • https://kremz.ru/777.gif
  • https://massgroup.de/777.gif
  • https://ouarzazateservices.com/777.gif
  • https://pawlacz.com/777.gif
  • https://poliklinika-vajnorska.sk/777.gif
  • https://prime.gushi.org/777.gif
  • https://stats-adf.altadis.com/777.gif
  • https://svatba.viskot.cz/777.gif
  • https://systemforex.de/777.gif
  • https://ujscie.one.pl/777.gif
  • https://uwua132.org/777.gif
  • https://vanvakfi.com/777.gif
  • https://vega-sps.com/777.gif
  • https://vidus.ru/777.gif
  • https://viralstrategies.com/777.gif
  • https://Vivamodelhobby.com/777.gif
  • https://vkinfotech.com/777.gif
  • https://vproinc.com/777.gif
  • https://v-v-kopretiny.ic.cz/777.gif
  • https://vytukas.com/777.gif
  • https://waisenhaus-kenya.ch/777.gif
  • https://watsrisuphan.org/777.gif
  • https://wbecanada.com/777.gif
  • https://web-comp.hu/777.gif
  • https://webfull.com/777.gif
  • https://welvo.com/777.gif
  • https://wvpilots.org/777.gif
  • https://www.ag.ohio-state.edu/777.gif
  • https://www.ag.ohio-state.edu/777.gif
  • https://www.artbed.pl/777.gif
  • https://www.aureaorodeley.com/777.gif
  • https://www.autoekb.ru/777.gif
  • https://www.autovorota.ru/777.gif
  • https://www.avinpharma.ru/777.gif
  • https://www.castnetnultimedia.com/777.gif
  • https://www.chapisteriadaniel.com/777.gif
  • https://www.chittychat.com/777.gif
  • https://www.cort.ru/777.gif
  • https://www.crfj.com/777.gif
  • https://www.jonogueira.com/777.gif
  • https://www.kersten.de/777.gif
  • https://www.kljbwadersloh.de/777.gif
  • https://www.voov.de/777.gif
  • https://www.walsch.de/777.gif
  • https://www.wchat.cz/777.gif
  • https://www.wg-aufbau-bautzen.de/777.gif
  • https://www.wzhuate.com/777.gif
  • https://xotravel.ru/777.gif
  • https://yeniguntugla.com/777.gif
  • https://yetii.no-ip.com/777.gif
  • https://zebrachina.net/777.gif
  • https://zsnabreznaknm.sk/777.gif