This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.
Characteristics of infected messages:
Message header:
ID x... thanks
with x being a string of random characters.
Message text:
Yours ID x
--
Thank
with x being a string of random characters.
File Attachment:
The attachment has a random name, with a file size of 11KB.
Installation
Once launched, the worm copies itself to the Windows system directory using the filename 'au.exe' and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe" = "%system%\au.exe"
The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder On launching, the worm launches the Sound Recorder utility (sndrec32.exe)
Propagation
The worm searches for files with the following extensions: wab, txt, htm, html and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
Remote administration
The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
Further information
The worm is programmed to stop propagating after 25th February 2004.
http://www.avp.ch/avpve/worms/email/bagleb.stm
Bagle.B has been designed to spread highly effectively by e-mail. The
greatest danger however, lies in its ability to spoof the address of the
sender. This could lead to recipients of the infected message believing that
it has come from a reliable source and running the attached file which
actually contains the worm.
The rest of the message containing Bagle.B has the following
characteristics:
Subject:
ID <random text>... thanks
Message text:
Yours <random text>
--
Thank
The attachment itself has a name generated at random.
When it is run, Bagle.B creates a copy of itself under the name au.exe and
makes an entry in the Windows registry to ensure it is run on every system
start up.
Bagle.B has also been designed to update itself form certain web pages and
is programmed to cease its activity on February 25.
More information on Bagle.B is available from Panda Software's Virus
Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic