This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.

Characteristics of infected messages:

Message header:

ID x... thanks

with x being a string of random characters.
Message text:

Yours ID x
--
Thank

with x being a string of random characters.
File Attachment:
The attachment has a random name, with a file size of 11KB.

Installation
Once launched, the worm copies itself to the Windows system directory using the filename 'au.exe' and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"au.exe" = "%system%\au.exe"

The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder On launching, the worm launches the Sound Recorder utility (sndrec32.exe)
Propagation
The worm searches for files with the following extensions: wab, txt, htm, html and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
Remote administration
The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
Further information
The worm is programmed to stop propagating after 25th February 2004.

http://www.avp.ch/avpve/worms/email/bagleb.stm