W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in emails it sends, which means that it may appear to have come from someone you know.
W32/Bagle-A arrives in an email with the following characteristics:
Subject line: Hi
Attached file: <random name>.exe
The attached file may appear as a calculator icon. The worm deliberately launches the Calculator application as a disguise.
W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and sets the following registry entry to ensure the worm is run at logon:
The worm also sets the following registry entries:
W32/Bagle-A includes a backdoor component which listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.
Note that W32/Bagle-A will not activate if the system date is 28 January 2004 or later.