W32/Sdbot-QA is a worm that attempts to spread via remote network shares. The worm tries to access various network computers with shared folders using weak passwords.
W32/Sdbot-QA contains backdoor Trojan functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
When run, W32/Sdbot-QA copies itself to the Windows system folder as fbsfsdrs.exe.
The worm also creates the following registry entries so that it is able to run on user logon or computer startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
dvsfss = fbsfsdrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
dvsfss = fbsfsdrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dvsfss = fbsfsdrs.exe
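A check for the persistence indicators listed above, as an added example that is not part of the original description: it looks for the dvsfss value or fbsfsdrs.exe data in the three keys and for the file in the system folder. Checking SysWOW64 as well is an assumption for 64-bit Windows, and the HKCU key covers only the user running the script.

```powershell
# Added example: the indicator values below come from the description above.
$valueName = 'dvsfss'
$fileName  = 'fbsfsdrs.exe'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # current user only
)

$findings = @()

foreach ($key in $runKeys) {
    # RunServices is absent on many Windows versions; skip missing keys.
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Flag either the value name or any autorun entry pointing at the file.
        if ($name -eq $valueName -or $data -like "*$fileName*") {
            $findings += [pscustomobject]@{
                Type = 'RegistryValue'; Location = $key; Name = $name; Data = $data
            }
        }
    }
}

# System folder, plus SysWOW64 (assumption: 32-bit writes land there on 64-bit Windows).
$folders = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Select-Object -Unique
foreach ($folder in $folders) {
    $path = Join-Path $folder $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $folder; Name = $fileName
            Data = "{0} bytes, modified {1:u}" -f $item.Length, $item.LastWriteTimeUtc
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No W32/Sdbot-QA persistence indicators found for this user and machine.'
}
```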
W32/Sdbot-QA will attempt to delete network shares, partake in DoS attacks, allow remote HTTP requests, and download and run files from the internet when instructed to do so by a remote attacker.
Sophos anti-virus products since version 3.84 have been capable of detecting this worm as W32/Sdbot-Fam without requiring an update.