W32/Sdbot-ABB is a network worm and IRC backdoor Trojan for the Windows platform.
When first run W32/Sdbot-ABB copies itself to the Windows system folder as nmod.exe.
W32/Sdbot-ABB creates the following registry entries in order to run on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Document Application = "nmod.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
System Document Application = "nmod.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Document Application = "nmod.exe"
The worm spreads through network shares protected by weak passwords.
The backdoor component of W32/Sdbot-ABB joins an IRC channel and awaits commands from a remote user. W32/Sdbot-ABB can then be instructed to perform tasks such as:
taking part in distributed denial of service (DDoS) attacks
downloading/executing arbitrary files
scanning networks for vulnerabilities
stealing product registration keys for certain software
sending email