By Robert Vamosi
(July 16, 2004)
How it works
For e-mail, the worm uses a different set of subject and body texts depending on whether the attachment is a password-protected ZIP file. For file sharing, Bagle.af scans network files for folders whose names contain the letters "shar", then copies itself into them using the names of popular software as its filename.
Once executed, Bagle.af copies itself into the Windows System directory as:
C:\WINNT\SYSTEM32\sysxp.exe
C:\WINNT\SYSTEM32\sysxp.exeopen
C:\WINNT\SYSTEM32\sysxp.exeopenopen
It also creates the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"
Bagle.af opens TCP port 1080 and attempts to connect to more than 140 compromised computers around the world to download additional code. The compromised backdoors are password protected, so only the virus author and his or her agents can access Bagle.af-infected machines. It is suspected that Bagle-infected computers are being used to relay spam worldwide.
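The dropped files, the Run key value and the listening port listed above are the host-based indicators a responder would check for. The script below is an added example and is not part of the original article or of any vendor tool: it evaluates those three indicators against a constructed inventory of one Windows host (file names in the system directory, Run key values, listening TCP ports). The indicator strings come from the article; the function and class names and the sample inventories are assumptions made for illustration.

```python
"""Host-based indicator check for the Bagle.af artefacts named in the article.

Added example, not from the original article. Indicators (dropped file
names, Run key value, TCP port 1080) are quoted from the write-up; the
collector format and the sample hosts below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Indicators quoted from the article. File names are compared
# case-insensitively because NTFS is case-insensitive and the system
# directory may be C:\WINDOWS rather than C:\WINNT on other builds.
DROPPED_FILE_NAMES = ("sysxp.exe", "sysxp.exeopen", "sysxp.exeopenopen")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "key"
BACKDOOR_PORT = 1080


@dataclass
class HostInventory:
    """Facts a collector would gather from one Windows host (assumed format)."""
    system32_files: list   # file names present in the Windows System directory
    run_values: dict       # {(key_path, value_name): data} under the Run key
    listening_tcp: set     # TCP ports in LISTENING state


@dataclass
class Verdict:
    matched: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # A file or registry hit is conclusive. Port 1080 alone is only a
        # hint (SOCKS proxies use it legitimately), so it is reported but
        # does not by itself mark the host as infected.
        return any(not m.startswith("port:") for m in self.matched)


def assess_host(inv: HostInventory) -> Verdict:
    """Return every Bagle.af indicator found in the inventory."""
    v = Verdict()
    present = {name.lower() for name in inv.system32_files}
    for name in DROPPED_FILE_NAMES:
        if name in present:
            v.matched.append(f"file:{name}")
    for (key_path, value_name), data in inv.run_values.items():
        if (key_path.lower() == RUN_KEY.lower()
                and value_name.lower() == RUN_VALUE_NAME
                and data.lower().endswith("sysxp.exe")):
            v.matched.append(f"registry:{key_path}\\{value_name}={data}")
    if BACKDOOR_PORT in inv.listening_tcp:
        v.matched.append(f"port:{BACKDOOR_PORT}")
    return v


# Constructed sample hosts (not real scan data).
CLEAN_HOST = HostInventory(
    system32_files=["kernel32.dll", "notepad.exe"],
    run_values={(RUN_KEY, "ctfmon.exe"): r"C:\WINNT\system32\ctfmon.exe"},
    listening_tcp={135, 445},
)
# Legitimate SOCKS proxy on 1080, no worm artefacts: port hint only.
PROXY_HOST = HostInventory(
    system32_files=["kernel32.dll"],
    run_values={},
    listening_tcp={1080},
)
INFECTED_HOST = HostInventory(
    system32_files=["kernel32.dll", "SYSXP.EXE", "sysxp.exeopen", "sysxp.exeopenopen"],
    run_values={(RUN_KEY, "key"): r"C:\WINNT\SYSTEM32\sysxp.exe"},
    listening_tcp={135, 445, 1080},
)

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("proxy", PROXY_HOST),
                        ("infected", INFECTED_HOST)):
        verdict = assess_host(host)
        print(f"{label}: infected={verdict.infected} matched={verdict.matched}")
```

The split between conclusive indicators (files, Run key) and the port-only hint is the point worth keeping in any real check: port 1080 is a common proxy port, so treating it as sufficient on its own would produce false positives across a fleet.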
Prevention
Variations of the Bagle worm do not rely on a specific Microsoft vulnerability, but simple social engineering. Remember to never open attached e-mail files without first saving to the hard drive and scanning for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variations. Additionally, the use of a personal firewall will prevent the backdoor Trojan from communicating with the virus author.
Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
