Fingerd reads in an argument string, sends the argument to the target machine, and then returns a response. Quite trivial. However, the function uses the C command gets() to receive this input. In a trivial oversight by the writers of fingerd, the function has no protection against overwriting the buffer into which it reads the argument string.
The Worm takes advantage of this and calls fingerd with a 536 character argument. This overwrites the 512 character buffer of the fingerd function. The additional 24 characters end up overwriting the system stack, which controls what functions are called next opening up command interpreter which the worm then uses to pull itself the target system.
If the attempt fails, control returns to infect, which then calls the try_sendmail routine.