W32/Sdbot-RC is a network worm and IRC backdoor Trojan for the Windows platform.
When first run W32/Sdbot-RC copies itself to the Windows system folder with the name mysaym.exe. In order to run on system start the worm creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Dontworry = "mysaym.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Dontworry = "mysaym.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Dontworry = "mysaym.exe"
W32/Sdbot-RC spreads through network shares protected by weak passwords. The worm uses the filename mightsay.exe when spreading through the network.
The backdoor component joins an IRC channel and awaits instructions from a remote user. The backdoor component can then be instructed to:
collect file system information
start a keylogger
download and execute arbitrary files
route HTTP traffic
start a port scanner
take part in distributed denial of service (DDoS) attacks
start/stop processes and services