W32/Sdbot-ACR is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ACR spreads to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil and W32/MyDoom.
W32/Sdbot-ACR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Sdbot-ACR copies itself to <System>\yhn.exe and creates the file <System>\keylog.txt.
W32/Sdbot-ACR logs user keystrokes to <System>\keylog.txt. This file is not malicious and can simply be deleted.
The following registry entries are created to run yhn.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Winamp Update
yhn.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winamp Update
yhn.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Winamp Update
yhn.exe