W32/Bagle.A@mm

The worm sets up a thread on port 6777, listening for incoming connections. It is likely that this is a part of some update functionality.

There is a list of web addresses in the worm body:

http://www.elrasshop.de/1.php
http://www.it-msc.de/1.php
http://www.getyourfree.net/1.php
http://www.dmdesign.de/1.php
http://64.176.228.13/1.php
http://www.leonzernitsky.com/1.php
http://216.98.136.248/1.php
http://216.98.134.247/1.php
http://www.cdromca.com/1.php
http://www.kunst-in-templin.de/1.php
http://vipweb.ru/1.php
http://antol-co.ru/1.php
http://www.bags-dostavka.mags.ru/1.php
http://www.5x12.ru/1.php
http://bose-audio.net/1.php
http://www.sttngdata.de/1.php
http://wh9.tu-dresden.de/1.php
http://www.micronuke.net/1.php
http://www.stadthagen.org/1.php
http://www.beasty-cars.de/1.php
http://www.polohexe.de/1.php
http://www.bino88.de/1.php
http://www.grefrathpaenz.de/1.php
http://www.bhamidy.de/1.php
http://www.mystic-vws.de/1.php
http://www.auto-hobby-essen.de/1.php
http://www.polozicke.de/1.php
http://www.twr-music.de/1.php
http://www.sc-erbendorf.de/1.php
http://www.montania.de/1.php
http://www.medi-martin.de/1.php
http://vvcgn.de/1.php
http://www.ballonfoto.com/1.php
http://www.marder-gmbh.de/1.php
http://www.dvd-filme.com/1.php
http://www.smeangol.com/1.php

The worm will attempt to contact these sites with parameters describing port number it listens to and the user ID (which is a random string). The mentioned php script is however not present at any of the tested sites.