
Bagle.AM

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread
Common name: Bagle.AM
Technical name: W32/Bagle.AM.worm
Threat level: Medium
Alias: W32/Bagle.aq!zip, WORM_BAGLE.AC, I-Worm.Bagle.al, W32/Bagle.aq@MM
Type: Worm
Effects:  

It opens a TCP port, ends processes belonging to antivirus update programs, among others, and attempts to download a fake JPG file from several websites. It spreads via email and through P2P programs.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on: Aug. 9, 2004
Detection updated on: Nov. 5, 2004
Statistics: No
Yes, using TruPrevent Technologies
Repair utility: Panda QuickRemover

Brief Description 

    

Bagle.AM is a worm that opens a TCP port and listens on it, allowing remote access to the affected computer. It also ends processes belonging to several antivirus update programs, among other applications, and attempts to download a fake JPG file from several websites.

Bagle.AM spreads via email, in a message containing an attached file with a random name and a ZIP extension. This file contains an HTML file and a hidden EXE file, which is run when the user opens the HTML file.

Bagle.AM also spreads through peer-to-peer (P2P) file sharing programs.

Visible Symptoms 

    

Bagle.AM is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

However, when Bagle.AM spreads via email, it reaches the computer in a message with the following characteristics:

  • Subject: it is empty.
  • Message:
    new price
  • Attachments:
    The attached file has a random name and a ZIP extension, which contains an HTML file and a hidden EXE file.
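
The message traits listed above can be turned into a mail-gateway triage check. The following is an added example, not part of the original entry: the function names, sample addresses and attachment name are constructed, and it tests only the traits this page lists (empty subject, body "new price", ZIP attachment holding an HTML file and an EXE file).

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def zip_has_html_and_exe(data):
    """True if the archive holds at least one HTML file and one EXE file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            exts = {n.rsplit(".", 1)[-1].lower() for n in zf.namelist() if "." in n}
    except zipfile.BadZipFile:
        return False  # corrupt or non-ZIP data: not a match, left to other checks
    return bool(exts & {"html", "htm"}) and "exe" in exts


def matches_bagle_am_traits(raw):
    """Check a raw RFC 5322 message (bytes) against the traits on this page."""
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg["Subject"] or "").strip():
        return False  # the described message has an empty subject
    body = msg.get_body(preferencelist=("plain",))
    if body is None or body.get_content().strip().lower() != "new price":
        return False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and zip_has_html_and_exe(part.get_content()):
            return True
    return False


def build_sample(subject, inner_names):
    """Constructed test message; archive members contain only dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in inner_names:
            zf.writestr(n, b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content("new price\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="qwxzr.zip")  # constructed random-looking name
    return msg.as_bytes()
```

A match is a reason to quarantine the message for scanning, not a verdict: the body text and archive layout are weak signals that legitimate mail could share.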

Last updated:  05/11/2004 
