W32/Sdbot-XO is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
When run W32/Sdbot-XO copies itself to the Windows system folder as win32dll.exe.
The worm also creates the following registry entries so that it is able to run on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Services32 Startup
win32dll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Services32 Startup
win32dll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services32 Startup
win32dll.exe
W32/Sdbot-XO spreads to network shares with weak passwords using the filename win32dll.exe.
W32/Sdbot-XO will attempt to steal CD game keys, partake in distributed denial-of-service (DDoS) attacks, download and run files from the internet and exploit vulnerabilities used by the MyDoom family of worms when instructed to do so by a remote attacker.