W32/Sdbot-YR is a worm and IRC backdoor Trojan for the Windows platform. It joins an IRC channel and lets a remote attacker issue commands to the infected computer through that channel, giving them access to and control over the machine.
W32/Sdbot-YR spreads to other computers on the network that are already infected with Troj/Kuang, Troj/Sub7, Troj/NetDevil or W32/MyDoom, entering through the backdoors those threats leave open, and by copying itself to network shares protected by weak passwords.
W32/Sdbot-YR includes functionality to:
- steal confidential information
- carry out DDoS flooding attacks
- silently download, install and run new software
- change security settings
When first run W32/Sdbot-YR copies itself to <System>\svhost.exe and creates the file <System>\ntfsdi.dll. ntfsdi.dll is a non-malicious file and may be deleted. Note that the filename svhost.exe is chosen to resemble svchost.exe, the legitimate Windows service host process that lives in the same folder; only svhost.exe belongs to the worm, and svchost.exe must not be removed.
The following registry entries are created so that SVHOST.EXE runs at startup. Each is a value named "Microsoft Synchronization Manager" whose data is the bare filename svhost.exe, which Windows resolves through its standard executable search path (the System folder is on that path):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Synchronization Manager = svhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Synchronization Manager = svhost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Synchronization Manager = svhost.exe

The RunServices key is only processed by Windows 95/98/Me; on Windows NT-based systems the two Run values provide the persistence. When cleaning a machine, remove all three values, bearing in mind that the HKCU entry sits in the hive of the user who was logged on when the worm first ran, not necessarily the user doing the cleanup.
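As an added example, not part of the original description: a small offline triage script that parses a Windows .reg export (the kind produced by "regedit /e" or "reg export") and reports any autorun value matching the W32/Sdbot-YR persistence described above. The sample export, the helper names and the broader svhost.exe lookalike check are constructed for this example; the key paths, value name and filename come from the description.

```python
import ntpath
import re

# Autorun locations and value name W32/Sdbot-YR creates (from the description).
SDBOT_YR_AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SDBOT_YR_VALUE_NAME = "microsoft synchronization manager"
SDBOT_YR_FILENAME = "svhost.exe"   # lookalike of the legitimate svchost.exe

# Matches a REG_SZ line of the form "name"=<data>; other value types are kept raw.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\" for a quote, \\\\ for a backslash)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries[current][_unescape(m.group(1))] = data
    return entries


def _target_basename(data):
    """Executable name from autorun data such as 'svhost.exe',
    'C:\\WINDOWS\\system32\\svhost.exe -x' or '"C:\\a b\\c.exe" /s'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ")[0]
    return ntpath.basename(path).lower()


def find_sdbot_yr_autoruns(entries):
    """(key, value_name, data) for each Sdbot-YR persistence entry: the
    'Microsoft Synchronization Manager' value pointing at svhost.exe under
    one of the three Run keys listed in the description."""
    hits = []
    for key, values in entries.items():
        if key.lower() not in SDBOT_YR_AUTORUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == SDBOT_YR_VALUE_NAME and _target_basename(data) == SDBOT_YR_FILENAME:
                hits.append((key, name, data))
    return hits


def find_svchost_lookalikes(entries):
    """Broader check (an assumption of this example, not from the description):
    any value under any exported key whose target is named svhost.exe."""
    return [(k, n, d) for k, vals in entries.items() for n, d in vals.items()
            if _target_basename(d) == SDBOT_YR_FILENAME]


# Constructed sample export: the three Sdbot-YR values, two benign entries
# (one of them the real svchost.exe) and an unrelated svhost.exe under RunOnce.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="svhost.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Synchronization Manager"="svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Synchronization Manager"="C:\\WINDOWS\\system32\\svhost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\WINDOWS\\svhost.exe"
'''

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, data in find_sdbot_yr_autoruns(reg):
        print(f"Sdbot-YR autorun: [{key}] \"{name}\" = {data}")
    for key, name, data in find_svchost_lookalikes(reg):
        print(f"svhost.exe lookalike: [{key}] \"{name}\" = {data}")
```

Feed it a real export with, for example, "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run hklm-run.reg" and replace SAMPLE_REG_EXPORT with the file contents (exports are UTF-16 by default, so open them with that encoding). The match is on the value name plus the target's basename, so a copy dropped with a full path is still caught, while the legitimate svchost.exe entry is not.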