W32/Sdbot-ZL is a worm with backdoor functionality for the Windows platform.
W32/Sdbot-ZL attempts to spread to weakly protected network shares. The worm tries to copy itself, as a file named botexe.exe, to each of the following shares and subfolders:
Admin$
Admin$\system32
ipc$
ipc$\system32
print$
print$\system32
c$
c$\winnt\system32
d$
e$
lwc$
SYSVOL
profiles$
When first run, W32/Sdbot-ZL copies itself to <Windows system folder>\proxy.exe.
The following registry entries are created to run proxy.exe on startup (value name = value data, under each key):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows DLL Services Configuration = proxy.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Windows DLL Services Configuration = proxy.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Windows DLL Services Configuration = proxy.exe
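As an added example (not part of the advisory), the following Python checks a Windows .reg export of the three autorun keys above for the worm's persistence entry: a value named "Microsoft Windows DLL Services Configuration" or any value that launches a file named proxy.exe. The .reg text embedded in it is constructed to imitate `reg export` output and is not real data.

```python
"""Flag the W32/Sdbot-ZL persistence entries in a Windows .reg export.

Constructed example (not from the advisory): SAMPLE_REG below imitates
'reg export' output of the three autorun keys the advisory names.
"""
import re

# The three autorun keys from the advisory, compared case-insensitively.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "microsoft windows dll services configuration"  # worm's value name
DROPPED_FILE = "proxy.exe"                                    # dropped copy

# Constructed sample: benign entries plus the worm's value under two keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Microsoft Windows DLL Services Configuration"="proxy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows DLL Services Configuration"="C:\\WINDOWS\\system32\\proxy.exe"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def find_sdbot_autoruns(reg_text):
    """Return (key, value_name, data) for each entry under an autorun key
    that uses the worm's value name or launches a file named proxy.exe."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # new key section
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        name, data = m.group("name"), m.group("data").replace("\\\\", "\\")
        basename = data.lower().rsplit("\\", 1)[-1]   # strip any directory prefix
        if name.lower() == VALUE_NAME or basename == DROPPED_FILE:
            hits.append((current_key, name, data))
    return hits
```

To check a real machine, export the three keys with `reg export` and pass the file's text to find_sdbot_autoruns; an empty list means none of the advisory's persistence values were found.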
Through its backdoor, W32/Sdbot-ZL can be instructed by a remote attacker to:
Scan for remote computers to spread to
Steal product keys
Download and execute files