W32/Sdbot-UD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sdbot-UD is a worm with backdoor Trojan functionality.

W32/Sdbot-UD spreads to computers on the local network that are protected by weak passwords.

When first run, W32/Sdbot-UD copies itself to the Windows system folder as BUFFER32.EXE and runs this copy of the worm. To run each time a user logs on, W32/Sdbot-UD sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Buffer Application
buffer32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Buffer Application
buffer32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
System Buffer Application
buffer32.exe

The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.

The backdoor component can be used to:

Initiate distributed denial-of-service (DDoS) attacks.
Redirect TCP and SOCKS traffic.
Send emails as specified by the remote user.
Steal product keys from popular games.
Delete the C$, D$, IPC$ and ADMIN$ shares.
Port scan other computers.
Download and run executable files.

W32/Sdbot-UD can alter the following registry entry in order to enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
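
The following read-only PowerShell check looks for the indicators listed above: the three autorun entries, the BUFFER32.EXE copy in the Windows system folder, and the current EnableDCOM value. It is an added example, not part of the original description or a vendor tool; the variable names and output format are assumptions made for illustration.

```powershell
# Added example: looks for the W32/Sdbot-UD indicators named on this page.
# Read-only. HKCU covers only the user running the script.
$valueName = 'System Buffer Application'   # value name from the page
$fileName  = 'buffer32.exe'                # file name from the page
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

foreach ($path in $runKeys) {
    # RunServices is absent on many systems; a missing key is not a finding.
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Match on the value name or the data, in case only one is present.
        if ($name -eq $valueName -or $data -like "*$fileName*") {
            $findings += [pscustomobject]@{
                Indicator = 'Autorun entry'; Location = $path; Detail = "$name = $data"
            }
        }
    }
}

# Copy of the worm in the Windows system folder.
$dropped = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file'; Location = $dropped; Detail = "SHA256 $hash"
    }
}

# The worm can toggle DCOM, so report the setting for comparison with a baseline.
$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ole = Get-ItemProperty -LiteralPath $olePath -Name EnableDCOM -ErrorAction SilentlyContinue
if ($ole) {
    $findings += [pscustomobject]@{
        Indicator = 'DCOM setting (informational)'; Location = $olePath
        Detail    = "EnableDCOM = $($ole.EnableDCOM)"
    }
}

if ($findings) { $findings | Format-List }
else { 'No W32/Sdbot-UD indicators from this page were found.' }
```

The EnableDCOM line is informational only, since the description says the worm can both enable and disable DCOM; compare it with the value expected for the host.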
