W32/Sdbot-SK is a Windows worm that contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
When run, W32/Sdbot-SK copies itself to the Windows system folder as Xfsa.exe.
The worm also creates the following registry entries so that it is able to run on computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Depassx = Xfsa.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Depassx = Xfsa.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Depassx = Xfsa.exe
W32/Sdbot-SK can also be dropped by another Windows Trojan, Troj/Multi-BF, which persists under the filename respond.exe. The worm attempts to spread to network shares using the Trojan's filename, respond.exe.
When instructed to do so by a remote attacker, W32/Sdbot-SK will try to participate in denial-of-service (DoS) attacks and to download and run files from the internet.
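To check a host for the autorun entries listed above, the text printed by `reg query` for each of the three keys can be scanned offline. The script below is an added example, not part of the original advisory; the function name, the sample input and the choice to also flag respond.exe in autorun data are assumptions made for illustration.

```python
import re

# Indicators from the advisory. respond.exe is included because the advisory
# names it as the associated Trojan's file name (an assumption for autorun data).
AUTORUN_SUBKEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "depassx"
# Match the file names bare or at the end of a path, but not inside longer names.
FILE_RE = re.compile(r"(?<![\w.-])(?:xfsa|respond)\.exe(?![\w.-])", re.I)
# `reg query` value line: indent, name, type, data (columns separated by spaces).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def scan_reg_query(text):
    """Return (key, value name, data, reasons) for autorun values matching an indicator."""
    hits, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line is a key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        if key.split("\\", 1)[-1].lower() not in AUTORUN_SUBKEYS:
            continue                           # only the autorun keys the advisory lists
        reasons = []
        if m["name"].strip().lower() == VALUE_NAME:
            reasons.append("value name")
        if FILE_RE.search(m["data"]):
            reasons.append("file name")
        if reasons:
            hits.append((key, m["name"], m["data"].strip(), reasons))
    return hits

# Constructed sample in the layout `reg query <key>` prints; not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\correspond.exe" /q
    Depassx    REG_SZ    Xfsa.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Depassx    REG_SZ    Xfsa.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Helper    REG_SZ    C:\WINDOWS\system32\XFSA.EXE
"""

if __name__ == "__main__":
    for key, name, data, reasons in scan_reg_query(SAMPLE):
        print(f"{key}: {name} = {data} [{', '.join(reasons)}]")
```

A hit on the file name alone (the Helper entry in the sample) still warrants a look at the referenced file, since the value name is trivially changed between variants.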