W32/Sdbot-ADQ is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-ADQ copies itself to the Windows system folder as lock1.exe and creates the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
strtas
"lock1.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
strtas
"lock1.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
strtas
"lock1.exe"
The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities.
W32/Sdbot-ADQ connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ADQ can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
W32/Sdbot-ADQ creates the file msdirectx.sys in the Windows system folder. The msdirectx.sys file is detected by Sophos's Anti-Virus products as Troj/NtRootK-F.