W32/Sdbot-DIV is a network worm with IRC backdoor functionality.
When first run W32/Sdbot-DIV copies itself to <Windows>\ccSvcHst.exe and creates the file <Windows>\Dance_dec_jpg.zip.
The following registry entry is created to run ccSvcHst.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccSvcHst.exe
<Windows>\ccSvcHst.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
!
<pathname of the worm executable>