W32/Sdbot-RP is a member of the W32/Sdbot family of worms. It is a network worm and IRC backdoor Trojan for the Windows platform.
The worm can spread to ADMIN$ and C$ network shares protected by weak usernames and passwords, and spreads over a network as a file named PengnMSN.exe.
When first run, W32/Sdbot-RP copies itself to the Windows system folder with the name sdaxzl.exe. In order to run on system start, the worm creates the following registry entries:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vccacA = sdaxzl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vccacA = sdaxzl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
vccacA = sdaxzl.exe
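
One way to check a host for the persistence entries and dropped file listed above, as an added PowerShell example that is not part of the original advisory. The function name Find-SdbotRpIndicator is hypothetical, and the HKCU check covers only the account running the script.

```powershell
# Added detection example (not from the advisory). The indicator values are the
# ones listed on this page; the function name is hypothetical.
$ValueName = 'vccacA'
$FileName  = 'sdaxzl.exe'
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-SdbotRpIndicator {
    # 1. Autostart values: match on the value name or on data that references the file.
    foreach ($path in $RunKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }  # RunServices is often absent
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                [pscustomobject]@{ Type = 'RunValue'; Location = $path; Name = $name; Data = $data }
            }
        }
    }

    # 2. Dropped copy in the Windows system folder. On 64-bit Windows a 32-bit
    #    process is redirected to SysWOW64, so both directories are checked.
    $dirs = @([Environment]::GetFolderPath('System'),
              [Environment]::GetFolderPath('SystemX86')) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $file = Join-Path $dir $FileName
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            # Record a hash so the file can be compared against vendor detections.
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'File'; Location = $file; Name = $FileName; Data = $hash }
        }
    }
}

$hits = @(Find-SdbotRpIndicator)
if ($hits.Count) { $hits | Format-List }
else { 'No W32/Sdbot-RP persistence indicators found.' }
```

A name match is an indicator to investigate rather than a confirmed detection; the recorded hash lets the file be checked with an anti-virus product before removal.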
W32/Sdbot-RP connects to an IRC server and joins a particular channel, providing unauthorised access and control of the computer from an IRC channel. The worm can be instructed to upload/download files and execute arbitrary commands.