W32/Sdbot-JE

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

W32/Sdbot-JE is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.

W32/Sdbot-JE drops two files to the folder C:\WinNT\system32. One is
dropped as GEGT.EXE and is also detected as W32/Sdbot-JE, the other is
dropped as HRTV.EXE and is detected as Troj/Ranck-S.

The file dropped as GEGT.EXE copies itself to a file called VCVW.EXE in
the Windows system folder and creates entries in the registry at the following
locations to run this copy on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
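The drop locations and startup registry entries described above can be checked for with a short script. The following is an added example, not part of the original description or of any Sophos tool: it walks the three Run keys named above (live, via winreg, when run on Windows) and flags any value whose executable is one of the file names listed here; the sample registry data and value names are constructed for the demonstration.

```python
import os
import sys

# Registry locations the description lists for the startup entry.
RUN_KEYS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
# File names the description says the worm drops into the Windows system folder.
DROPPED_FILES = {"GEGT.EXE", "HRTV.EXE", "VCVW.EXE", "GOGOGOD.EXE"}

def image_name(command):
    """Executable file name from a Run value, whether quoted or followed by arguments."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return os.path.basename(exe.replace("\\", "/")).upper()

def suspicious_run_entries(run_entries):
    """Keep (hive, key, value_name, command) tuples whose image is a dropped file name."""
    return [e for e in run_entries if image_name(e[3]) in DROPPED_FILES]

def dropped_files_present(system_dir_listing):
    """Dropped file names that appear in a directory listing of the system folder."""
    return sorted({f.upper() for f in system_dir_listing} & DROPPED_FILES)

def collect_run_entries():
    """Enumerate the three Run keys on a live Windows host; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                for i in range(winreg.QueryInfoKey(handle)[1]):
                    name, value, _ = winreg.EnumValue(handle, i)
                    entries.append((hive, key, name, str(value)))
        except OSError:
            continue  # key absent, e.g. RunServices on current Windows versions
    return entries

# Constructed sample data standing in for a live export (value names are invented).
SAMPLE_RUN_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "example1", r"C:\WinNT\system32\ctfmon.exe"),
    ("HKLM", RUN_KEYS[1][1], "example2", r'"C:\WinNT\system32\VCVW.EXE" /s'),
    ("HKCU", RUN_KEYS[2][1], "example3", r"C:\WinNT\system32\vcvw.exe"),
]
```

On a Windows host, pass `collect_run_entries()` to `suspicious_run_entries()` and a listing of the system folder to `dropped_files_present()`; the sample data shows the expected shape of both inputs.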

W32/Sdbot-JE spreads to network shares with weak passwords when the backdoor
Trojan element receives the appropriate command from a remote user. It does so
by copying the file GOGOGOD.EXE from the Windows system folder (which should be
the original W32/Sdbot-JE dropper file) to the remote machine.