
Email-Worm:W32/Bagle.FY


First posted on 12 July 2010.
Source: SecurityHome

Aliases:

There are no other names known for Email-Worm:W32/Bagle.FY.

Explanation:

This type of worm arrives as an e-mail attachment and spreads by mailing itself to addresses harvested from the infected computer.

Additional Details

Email-Worm:W32/Bagle.FY is a minor variant of Email-Worm:W32/Bagle.FM. The most significant difference in the FY variant is that the e-mail messages used to distribute the worm purport to offer free tickets to the Olympic games in Torino.

This Bagle variant appeared on February 13th 2005.

Propagation

The worm sends itself inside a ZIP archive file attached to e-mail messages that have the following subjects:

• FREE OLYMPIC TICKETS LOTTERY!
• 2006 Winter Games in Torino
• 2006 Torino Winter Games FREE Tickets

The message body text can be one of the following:

• Attention: you received free ticket invitation with attachment!

Coast to Coast Tickets provides the most comprehensive inventory of Opening
Ceremony tickets available on the secondary market. If the Opening Ceremony
tickets you are looking for are not available, please check back as our inventory
is constantly updated. Orders for Opening Ceremony tickets that are no
longer available will be cancelled or substituted at the customer's discretion.
All Opening Ceremony tickets are shipped via Federal Express.

If you would like to attend a Opening Ceremony event to see athletes live, or to
see a team schedule and information, Coast to Coast Tickets is your source. All
it takes is a phone call or a few clicks of the mouse to buy Opening Ceremony
tickets. We offer a wide selection of Winter Games tickets for all teams, and we
are happy to provide information about schedules at any time.

• Our company (TicketWorld) is the world's largest supplier of tickets to all major
international events including the 2006 Winter Games and 2006 Torino Tickets. We
sell tickets to every sporting event in Torino including the preliminary
competitions as well as Olympic Finals tickets. You can order Winter Game
tickets for all categories for every match. All Winter Games tickets are
guaranteed 200%.

All ticket prices are in US Currency ($).

OPEN ATTACHMENT ARCHIVE TO GET INFORMATION HOW TO OBTAIN A FREE TICKET.

Please call our United States office at +1.512.472.5797 or from the United
Kingdom 0800.781.0819 if you have questions.

• The Torino Winter games will be the most celebrated Olympics of our era. If you are looking to witness this historic event for yourself, look no further.
SuperTicketing Premium Seating is your source for Olympics tickets. We have
access to tickets for nearly every Olympic event from Opening to Closing
Ceremonies, Curling to Figure Skating.

FREE TICKETS AVAILABLE NOW ON LOTTERY BASIS. CHECK ATTACHED FILE.

DISCLAIMER
TickCo Premium Seating buys and resells tickets on the secondary market at above
face value. Our prices can be substantially higher than the original ticket price, as they reflect the cost of obtaining premium seating. Any trademarked terms that appear on this page are used for descriptive purposes only.

Bagle.FY uses its own built-in SMTP engine to send copies of itself to e-mail addresses harvested from an infected machine. It searches and gathers e-mail addresses from files with the following extensions found on the system:

• .adb
• .asp
• .cfg
• .cgi
• .dbx
• .dhtm
• .eml
• .htm
• .jsp
• .mbx
• .mdx
• .mht
• .mmf
• .msg
• .nch
• .ods
• .oft
• .php
• .pl
• .sht
• .shtm
• .stm
• .tbb
• .txt
• .uin
• .wab
• .wsh
• .xls
• .xml

This e-mail worm avoids mailing copies of itself to addresses that contain any of the following substrings:

• @avp.
• @iana
• @messagelab
• abuse
• admin
• anyone@
• bugs@
• cafee
• certific
• contract@
• feste
• free-av
• f-secur
• gold-certs@
• google
• help@
• icrosoft
• info@
• linux
• listserv
• local
• nobody@
• noone@
• noreply
• ntivi
• panda
• postmaster@

The worm assembles the e-mail messages that deliver its code from the following "building blocks". The attachment containing the worm code takes its name from one of the following strings (with a .zip extension):

• Alice
• Alice
• Alyce
• Andrew
• Androw
• Androwe
• Annes
• Anthonie
• Anthony
• Anthonye
• Avice
• Bennet
• Bennet
• Bennett
• Christean
• Christian
• Christian
• Constance
• Cybil
• Daniel
• Daniel
• Danyell
• Dorithie
• Dorothee
• Dorothy
• Edmond
• Edmonde
• Edmund
• Edmund
• Edward
• Edward
• Edwarde
• Elizabeth
• Elizabeth
• Elizabethe
• Ellen
• Ellen
• Ellyn
• Emanual
• Emanuel
• Emanuell
• Ester
• Frances
• Francis
• Francis
• Fraunces
• Gabriell
• Geoffraie
• George
• Grace
• Harry
• Harry
• Harrye
• Henrie
• Henry
• Henry
• Henrye
• Hughe
• Humphrey
• Humphrey
• Humphrie
• Isabel
• Isabell
• Isabell
• James
• James
• Jeames
• Jeffrey
• Jeffrye
• Joane
• Johen
• Josias
• Judeth
• Judith
• Judith
• Judithe
• Katherine
• Katherine
• Katheryne
• Leonard
• Leonard
• Leonarde
• Margaret
• Margaret
• Margarett
• Margerie
• Margerye
• Margret
• Margrett
• Marie
• Martha
• Marye
• Michael
• Michael
• Mychaell
• Nathaniel
• Nathaniel
• Nathaniell
• Nathanyell
• Nicholas
• Nicholas
• Nicholaus
• Nycholas
• Peter
• Ralph
• Rebecka
• Richard
• Richard
• Richarde
• Robert
• Robert
• Roberte
• Roger
• Rycharde
• Samuell
• Sidney
• Sindony
• Stephen
• Susan
• Susanna
• Susanna
• Suzanna
• Sybell
• Sybyll
• Syndony
• Thomas
• Valentyne
• William
• Winifred
• Wynefrede
• Wynefreed
• Wynnefreede

The list above is also used to generate the subject of the e-mail.

The e-mail body usually contains one of the following strings:

• I love you
• To the beloved

Followed by one of these:

• archive password: [password]
• Password - [password]
• Password -- [password]
• Password is [password]
• Password: [password]
• The password is [password]
• Use password [password] to open archive.
• Zip password: [password]

Here [password] is an image of the archive password, named 777.gif, which the worm fetches from one of roughly a hundred remote URLs it carries.

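As an added example (not part of the original description), the Python below turns the building blocks above into a simple mail-filter rule: a message is flagged only when it carries a .zip attachment together with one of the three patterns described, an Olympic ticket subject line, the "I love you" / "To the beloved" greeting plus a password phrase, or a subject equal to the attachment's name stem. ATTACHMENT_NAMES is a small subset of the name list above, and build_sample produces constructed test messages, not captured worm mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Strings taken from the description above; ATTACHMENT_NAMES is a subset of its name list.
OLYMPIC_SUBJECTS = {"free olympic tickets lottery!", "2006 winter games in torino",
                    "2006 torino winter games free tickets"}
BODY_GREETINGS = ("i love you", "to the beloved")
PASSWORD_PHRASE = re.compile(r"archive password:|zip password:|the password is|password is"
                             r"|password\s*(--?|:)|use password .+ to open archive", re.I)
ATTACHMENT_NAMES = {"alice", "alyce", "andrew", "androw", "elizabeth", "thomas", "william"}

def bagle_fy_indicators(raw: bytes) -> list:
    """Return the Bagle.FY traits found in one raw RFC 822 message, in check order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    zip_stems = {(p.get_filename() or "")[:-4].lower() for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(".zip")}
    if not zip_stems:
        return []                       # every Bagle.FY mail carries a ZIP archive
    hits = ["zip-attachment"]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if subject in OLYMPIC_SUBJECTS:
        hits.append("olympic-subject")
    if any(greeting in body for greeting in BODY_GREETINGS):
        hits.append("greeting")
    if PASSWORD_PHRASE.search(body):
        hits.append("password-phrase")
    if zip_stems & ATTACHMENT_NAMES:
        hits.append("name-attachment")
    if subject in zip_stems:
        hits.append("subject-equals-attachment")
    return hits

def is_bagle_fy(raw: bytes) -> bool:
    """Filter rule: a ZIP attachment plus one of the three message patterns above."""
    hits = set(bagle_fy_indicators(raw))
    return ("olympic-subject" in hits or {"greeting", "password-phrase"} <= hits
            or {"name-attachment", "subject-equals-attachment"} <= hits)

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message, not a captured worm mail; the ZIP payload is a dummy."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 constructed dummy, not an archive",
                       maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```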

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]
Version = 2006-06-20_05
Version = 2006-03-23_04

Last update 12 July 2010
