W32/Sdbot-KD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Sdbot-KD is a network worm with backdoor capabilities which allows a remote intruder to access and control the computer via IRC channels.

W32/Sdbot-KD spreads over a network by copying itself to the Windows system folder of C$ and Admin$ shares with weak passwords.

Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute.

When first run the worm copies itself to the Windows system folder as SPOOLSVC.EXE and creates the following registry entries so that the worm runs when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SPOOL Configuration = spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SPOOL Configuration = spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SPOOL Configuration = spoolsvc.exe
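
An added example (not part of the original description): a Python check that scans a registry export for the autorun entries listed above. It assumes the input is text in `.reg` format, as written by `reg export`; the function name and the sample data are constructed for illustration.

```python
import re

# Autorun keys named in the description, in the long form used by .reg files.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "spool configuration"
FILE_NAME = "spoolsvc.exe"  # not spoolsv.exe, the legitimate Windows print spooler

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_sdbot_kd_autoruns(reg_text):
    """Return (key, value name, data) for autorun values matching the description."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not (m and key and key.lower() in AUTORUN_KEYS):
            continue
        # .reg string values escape backslashes and quotes with a backslash
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        # Compare the file name only, so a full path or arguments still match
        tail = data.rsplit("\\", 1)[-1].split()
        exe = tail[0].lower() if tail else ""
        if name.lower() == VALUE_NAME or exe == FILE_NAME:
            hits.append((key, name, data))
    return hits

# Constructed sample export: two matching entries, two benign ones
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SPOOL Configuration"="spoolsvc.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SPOOL Configuration"="spoolsvc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Print Helper"="C:\\WINDOWS\\system32\\spoolsv.exe"
'''
```

Files written by `reg export` are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to the function.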

W32/Sdbot-KD may also collect the CD keys of popular games that are installed on the computer.
