W32/Sdbot-TR is an IRC backdoor Trojan and network worm.
W32/Sdbot-TR copies itself to network shares protected by weak passwords.
When first run, W32/Sdbot-TR copies itself to the Windows system folder as InfoNT.exe and creates the following registry entries (shown as value name = value data under each key) so that it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Synchronization Manager = InfoNT.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Synchronization Manager = InfoNT.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Synchronization Manager = InfoNT.exe
Each time W32/Sdbot-TR is run, it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background, allowing a remote intruder to issue commands that control the computer via IRC channels. Commands include downloading and executing remote files.
The worm also logs keystrokes to the file keylog.txt created in the Windows system folder. This file is not malicious and can be deleted.
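A host check for the indicators listed above, as an added example that is not part of the original description: it reads the three registry keys for the "Microsoft Synchronization Manager" value and looks for InfoNT.exe and keylog.txt in the system folder. The function name Find-SdbotTRIndicator and the use of [Environment]::SystemDirectory to locate the Windows system folder are assumptions of this example.

```powershell
# Added example: looks for the W32/Sdbot-TR indicators named in the description above.
# The HKCU check covers only the account this script runs under.
$ValueName = 'Microsoft Synchronization Manager'
$WormFile  = 'InfoNT.exe'
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: "Windows system folder" is the directory .NET reports here.
$SystemDir = [Environment]::SystemDirectory

function Find-SdbotTRIndicator {   # hypothetical helper name
    param([string[]]$Keys, [string]$Name, [string]$File, [string]$Dir)

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }                     # key has no values
        $value = $props.PSObject.Properties[$Name]
        # Flag the value only when it also points at the worm's file name.
        if ($null -ne $value -and "$($value.Value)" -like "*$File*") {
            [pscustomobject]@{ Type = 'Registry'; Path = $key; Detail = "$Name = $($value.Value)" }
        }
    }

    foreach ($leaf in @($File, 'keylog.txt')) {
        $path = Join-Path -Path $Dir -ChildPath $leaf
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
            [pscustomobject]@{ Type = 'File'; Path = $path
                               Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
        }
    }
}

$found = @(Find-SdbotTRIndicator -Keys $RunKeys -Name $ValueName -File $WormFile -Dir $SystemDir)
if ($found.Count -eq 0) {
    Write-Output 'No W32/Sdbot-TR indicators from this description were found.'
} else {
    $found | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit lets a wrapper script or scheduler flag the host
}
```

Run it once per user profile of interest, since the HKCU entry is stored per account.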