W32/SdBot-EV is a worm that spreads via Windows fileshares.
In order to run automatically when Windows starts up the worm copies itself to the file svchosts11.exe in the Windows system folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsong
W32/SdBot-EV attempts to exploit shares with weak administrator passwords in order to copy itself other computers on the network. The worm chooses an IP address at random and attempts to copy itself to the Windows system folder on the remote computer as microsong.exe.
The worm also contains a backdoor which listens for commands via IRC allowing a remote intruder to gain access and control over the computer.