W32/Sdbot-UJ is a worm which attempts to spread to remote network shares. The worm also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected system via IRC channels while running in the background as a service process.
W32/Sdbot-UJ attempts to drop and run two files in the following locations:
C:\WINNT\SYSTEM32\hiqoh.exe
C:\WINNT\SYSTEM32\vuhiry.exe
The latter file is the main component of W32/Sdbot-UJ. The former file is the backdoor Trojan Troj/Ranck-CF.
The file dropped as HIQOH.EXE copies itself to the Windows system folder as ILUPUPAC.EXE and creates the following registry entries in order to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reluvage
ilulupac.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reluvage
ilulupac.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reluvage
ilulupac.exe
W32/Sdbot-UJ spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user, spreading by copying the file ECOVA.EXE from the Windows system folder (which should be the original W32/Sdbot-UJ dropper file) to the remote machine.