Additional Details
Bagle.M's file is a PE executable about 14336 bytes in size, packed with the UPX file compressor.
When it is run, it copies itself as SYSWRUN4X.EXE to the Windows System folder and creates a startup key for this file in the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"usrgtway.exe" = "%winsysdir%\SYSWRUN4X.EXE"
where %winsysdir% represents the Windows System folder name.
Then Bagle.M drops 2 more files into the Windows System folder: WINDLLZUP.EXE and BGXTDLL.EXE. Both files are DLLs (Dynamic Link Libraries) despite their .EXE extensions. WINDLLZUP.EXE is a loader for the BGXTDLL.EXE file. It allows both files to become DLLs used by EXPLORER.EXE (one of the main Windows components).
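A defender's check for the startup value and dropped files described above, as an added example that is not part of the original description. It parses a regedit export of the Run key and a listing of the Windows System folder (both are constructed sample inputs here) and flags the value name and file names this page gives; the function names are hypothetical.

```python
import re

# Indicators taken from the description above (regedit exports spell HKCU in full).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "usrgtway.exe"
DROPPED = {"syswrun4x.exe", "windllzup.exe", "bgxtdll.exe"}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse regedit export text into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            current[name] = data
    return keys

def find_bagle_m(reg_text, system_files):
    """Return findings for the Run value and the three file names (hypothetical helper)."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            target = data.strip('"').rsplit("\\", 1)[-1].lower()
            # Match on either side: the value name or the file it launches.
            if name.lower() == RUN_VALUE or target in DROPPED:
                findings.append(("run_value", name, data))
    for filename in system_files:
        if filename.lower() in DROPPED:
            findings.append(("dropped_file", filename, None))
    return findings

# Constructed sample inputs: a Run-key export and a System folder listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"usrgtway.exe"="C:\\WINDOWS\\system32\\SYSWRUN4X.EXE"
'''
SAMPLE_FILES = ["ctfmon.exe", "WINDLLZUP.EXE", "BGXTDLL.EXE", "notepad.exe"]

if __name__ == "__main__":
    for finding in find_bagle_m(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The Run value is matched on its name and on the file it launches, so a value renamed to something other than usrgtway.exe is still flagged when it points at one of the three file names.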
The BGXTDLL.EXE file is a new variant of the Mitglieder proxy trojan. When activated, it generates a random number for its port (this number is always larger than 2000), listens for remote commands and works as a mail relay. The trojan connects to 2 sites in the .INFO domain to report the user's IP address and proxy port. The trojan also connects to 2 sites to download a list of banned IP addresses that the proxy will ignore.
Additionally, the trojan tries to kill the processes that belong to certain anti-virus and security software.
The description of a previous Mitglieder proxy trojan can be found here:
http://www.f-secure.com/v-descs/mitglieder_h.shtml