W32/Sdbot-MS is an IRC backdoor Trojan and network worm.
W32/Sdbot-MS copies itself to network shares protected by weak passwords.
When first run, W32/Sdbot-MS copies itself to the Windows system folder as spoolserv.exe and creates the following registry entries so that it runs at system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
reggsdg = spoolserv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reggsdg = spoolserv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
reggsdg = spoolserv.exe
Each time W32/Sdbot-MS is run, it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background, allowing a remote intruder to issue commands that control the computer via IRC channels.
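A check for the autostart entries listed above, run over the text of a registry export. This is an added example, not part of the original description: the function name, the sample export and the extra match on the file name alone (to catch a renamed value) are assumptions made for illustration.

```python
import re

# Indicators from the description above: three autostart keys, one value, one file.
WATCHED_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "reggsdg"
# spoolserv.exe as a whole file name, so the legitimate spoolsv.exe never matches.
FILE_RE = re.compile(r'(?:^|[\\/"\s])spoolserv\.exe(?:$|["\s])', re.IGNORECASE)
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
SECTION = re.compile(r"^\[([^\\\]]+)\\([^\]]+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_sdbot_ms_autostarts(reg_text):
    """Return (key, value, data, reasons) per matching entry in decoded .reg text."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        section = SECTION.match(line)
        if section:
            key = HIVES.get(section[1].upper(), section[1]) + "\\" + section[2]
            continue
        value = STRING_VALUE.match(line)
        if not value or key is None or key.lower() not in WATCHED_KEYS:
            continue
        # Undo the .reg escaping of backslashes and double quotes.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
        checks = (("value name", name.lower() == VALUE_NAME),
                  ("file name", bool(FILE_RE.search(data))))
        reasons = [why for why, matched in checks if matched]
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

# Constructed sample export, not taken from a real host.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reggsdg"="spoolserv.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"Spooler"="C:\\WINDOWS\\system32\\spoolsv.exe"
"Renamed"="C:\\WINDOWS\\system32\\SPOOLSERV.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reggsdg"="spoolserv.exe"
"""

if __name__ == "__main__":
    for hit in find_sdbot_ms_autostarts(SAMPLE):
        print(hit)
```

regedit writes exports as UTF-16, so decode the file before passing its text to the function.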