W32/Sdbot-PO is a network worm and backdoor for the Windows platform. The worm spreads to shared folders with weak passwords.
The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.
When run, W32/Sdbot-PO copies itself to the Windows system folder as fddwqt.exe. The worm ensures that the copy is run each time Windows starts by adding the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
msjdqs = fddwqt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
msjdqs = fddwqt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
msjdqs = fddwqt.exe
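As an added example (not part of the Sophos analysis), the following Python script scans a Registry Editor (.reg) export for the autorun entries listed above. The sample export is constructed; the hive names use the long form (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER) that .reg files write rather than the HKLM/HKCU abbreviations used in the description.

```python
import re
# Autorun locations from the description (long hive names, as .reg exports
# write them) and the value name / filename the worm uses. Added example;
# the sample export below is constructed, not captured from a real host.
SDBOT_PO_RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
_RUN_KEYS_LC = {k.lower() for k in SDBOT_PO_RUN_KEYS}
SDBOT_PO_VALUE_NAME = "msjdqs"
SDBOT_PO_PAYLOAD = "fddwqt.exe"

def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text. Only REG_SZ lines
    ("name"="data") are parsed, which is what Run keys normally hold."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                yield key, m.group(1), m.group(2)

def find_sdbot_po_persistence(text):
    """Return (key, name, data) entries that match the worm's autorun
    indicators. Matching is case-insensitive (as the registry is), and the
    filename is checked under any value name, so a renamed value or a full
    path to fddwqt.exe is still caught."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in _RUN_KEYS_LC:
            continue
        exe = data.strip('"').lower().rsplit("\\", 1)[-1]
        if name.lower() == SDBOT_PO_VALUE_NAME or exe == SDBOT_PO_PAYLOAD:
            hits.append((key, name, data))
    return hits

# Constructed sample export: one benign value plus the worm's two entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"msjdqs"="fddwqt.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msjdqs"="C:\\WINDOWS\\system32\\fddwqt.exe"
"""
print(find_sdbot_po_persistence(SAMPLE_EXPORT))
```

On a real host the input would be the text of a `reg export` of the three keys; the script only reads the export and never touches the registry itself.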
The backdoor component allows a remote attacker to:
transfer files to and from the infected computer
steal CD keys for certain game software
use the infected computer as a proxy server
launch distributed denial of service attacks
Sophos anti-virus products since version 3.84 have been capable of detecting this worm as W32/Sdbot-Fam without requiring an update.