Bagle Trickier Than First Thought
2005-03-02 16:09:00
After a day's analysis, security firms offered more details about Tuesday's massive spam-based attack of Bagle-like Trojan horses.
The assault was begun by, at most, two to four worms, not more than a dozen different Trojan horses as some suspected, security firm F-Secure said Wednesday.
"There are at least two new variants of the Bagle worm going around," said F-Secure in an online advisory. "One feature of these new variants is to use infected computers to seed out e-mails, with the downloader program as an attachment. So in addition to sending out e-mails with the virus, they send out e-mails with a downloader which won't spread further. Lots of them."
The "downloader" F-Secure mentioned is the Trojan horse (actually, horses, since there were at least four different versions of it).
In other words, the new Bagles -- Symantec identified four, and named them Bagle.bg, Bagle.bh, Bagle.bi, and Bagle.bj -- were seeded first. Once they infected a system, the worms used their own SMTP mailing engine to spam out copies of the non-replicating Trojans. If those succeeded in infecting a PC, they in turn tried to connect to a remote site -- which was shut down mid-day Tuesday -- to pull e-mail addresses to spam more computers.
That, said F-Secure, was another way that this latest attack differed from previous Bagle campaigns.
"These new Bagle variants are using a client/server architecture to spread," the company said in its advisory. "Normally Bagle variants search the local hard drive to find e-mail addresses to send itself to. [But] these new variants connect to a back-end server [that] then returns 50 unique email addresses that it generates using directory harvest techniques."
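One defensive check the behaviour above suggests: a workstation that is not an approved mail relay suddenly opening outbound SMTP sessions to many distinct destinations, which is what a host running its own mailing engine looks like from the network. This is an added illustration, not code from the article or from F-Secure; the flow-log format, the relay allowlist and the sample records are constructed for the example.

```python
"""Flag internal hosts that behave like the self-mailing Bagle variants
described above: a workstation (not an approved mail relay) opening
outbound SMTP sessions to many distinct destination hosts in a short
window. Log format and sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: only these internal hosts are allowed to speak SMTP outbound.
APPROVED_RELAYS = {"10.0.0.25"}

# Constructed sample flow records: "<ISO time> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = """\
2005-03-01T09:00:01 10.0.0.25 198.51.100.10 25
2005-03-01T09:00:03 10.0.0.25 203.0.113.7 25
2005-03-01T09:01:10 10.0.1.42 192.0.2.50 80
2005-03-01T09:05:00 10.0.1.42 198.51.100.11 25
2005-03-01T09:05:01 10.0.1.42 198.51.100.12 25
2005-03-01T09:05:02 10.0.1.42 203.0.113.20 25
2005-03-01T09:05:03 10.0.1.42 203.0.113.21 25
2005-03-01T09:05:04 10.0.1.42 203.0.113.22 25
2005-03-01T09:05:05 10.0.1.42 203.0.113.23 25
2005-03-01T09:06:00 10.0.1.77 198.51.100.11 25
"""

def parse_flows(text):
    """Parse constructed flow lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def find_direct_mailers(records, window=timedelta(minutes=10), min_dests=5):
    """Return {src: distinct_dest_count} for non-relay hosts that reached
    at least `min_dests` distinct SMTP destinations within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 25 and src not in APPROVED_RELAYS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Sliding window over this host's SMTP connections, oldest first.
        for i, (start, _) in enumerate(events):
            dests = {d for t, d in events[i:] if t - start <= window}
            if len(dests) >= min_dests:
                flagged[src] = max(flagged.get(src, 0), len(dests))
    return flagged
```

On the sample data only 10.0.1.42 is flagged (six distinct SMTP destinations in a few seconds); the approved relay is ignored and the single-connection host 10.0.1.77 stays below the threshold.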
No new Bagle variants had been spotted as of mid-morning Wednesday (PST).