Bagle.AI arrives in inboxes with a subject line of “Re:” and a spoofed sending address. The body text and the name of the attachment are random.
The attachment has one of several file extensions, including .exe, .scr, .zip, .cpl and .com.
According to computer security firm McAfee Inc., the zip file is password-protected, in which case the body of the infected email includes a password, pass and key, all of which are random numbers.
The name of the attachment often contains the term MP3 in one form or another.
Once it executes, Bagle.AI copies itself to the Windows System directory in a file named WinXP.exe and opens TCP port 1080 and UDP port 1040.
The worm uses these ports to communicate with its creator and report back each time it infects a new machine, Santa Clara, Calif.-based McAfee says.
It is the fourth variant of the family to be released since Thursday, when the Bagle.AF variant appeared on the Internet.
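The traits reported above can be turned into a simple triage check. The following is an added example, not code from the article or from McAfee; the record layouts, function names, sample records and the system directory path are assumptions made for illustration.

```python
# Added example: triage mail and host records against the Bagle.AI traits
# reported in the article. All sample records below are constructed.
from pathlib import PureWindowsPath

ATTACH_EXTS = {".exe", ".scr", ".zip", ".cpl", ".com"}  # from the article
DROPPED_NAME = "winxp.exe"                               # from the article
WORM_PORTS = {("tcp", 1080), ("udp", 1040)}              # from the article


def mail_hits(msg):
    """Return which of the reported mail traits a message record matches."""
    names = [n.lower() for n in msg["attachments"]]
    risky = [n for n in names if PureWindowsPath(n).suffix in ATTACH_EXTS]
    hits = []
    if msg["subject"].strip().lower() == "re:":
        hits.append("subject")
    if risky:
        hits.append("extension")
    if any("mp3" in n for n in risky):
        hits.append("mp3-name")
    return hits


def host_verdict(listeners, system_dir=r"C:\WINDOWS\system32"):
    """Classify a host from (proto, port, image_path) listener tuples.

    system_dir is an assumed location of the Windows System directory.
    A port alone is weak evidence (TCP 1080 is also the usual SOCKS port),
    so "match" needs both ports plus the dropped file name owning one.
    """
    sysdir = PureWindowsPath(system_dir)  # Windows paths compare case-insensitively
    ports = {(proto.lower(), port) for proto, port, _ in listeners} & WORM_PORTS
    dropped = any(
        (proto.lower(), port) in WORM_PORTS
        and PureWindowsPath(image).name.lower() == DROPPED_NAME
        and PureWindowsPath(image).parent == sysdir
        for proto, port, image in listeners
    )
    if dropped and ports == WORM_PORTS:
        return "match"
    if dropped or ports == WORM_PORTS:
        return "investigate"
    return "clear"


# Constructed sample records.
SUSPECT_MAIL = {"subject": "Re:", "attachments": ["New_MP3_Player.scr"]}
BENIGN_MAIL = {"subject": "Re: budget", "attachments": ["report.pdf"]}
INFECTED = [("TCP", 1080, r"C:\WINDOWS\system32\WinXP.exe"),
            ("UDP", 1040, r"c:\windows\System32\winxp.exe")]
PROXY = [("TCP", 1080, r"C:\Program Files\proxy\socksd.exe")]
```

Because the article says the body text and attachment name are random, the mail traits only narrow the search; the host-side check is the stronger signal.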