W32/Sdbot-ZU

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sdbot-ZU is a network worm with backdoor functionality for the Windows platform which allows a remote intruder to access and control the computer via IRC channels.

The backdoor component joins a specific channel on an IRC server and then runs continuously in the background as a service process, listening on the IRC channel for specific commands and carrying out the appropriate actions.

The worm will attempt to spread through network shares protected by weak passwords.

The worm copies itself to a file named svxhost.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Synchronization Manager
svxhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Synchronization Manager
svxhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Synchronization Manager
svxhost.exe
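
A host check for the persistence entries and file listed above, as an added example that is not part of the original advisory or a Sophos tool. It assumes a match is either the value name or value data containing the file name, and it reads HKCU for the currently logged-on user only.

```powershell
# Indicators taken from the advisory text above.
$valueName = 'Microsoft Synchronization Manager'
$fileName  = 'svxhost.exe'
$runKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Walk each autostart key and report values matching the name or the file.
$regHits = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist on this host
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if ($name -eq $valueName -or $data -like "*$fileName*") {
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}

# Look for the dropped copy in the Windows system folder.
$systemDir = [Environment]::GetFolderPath('System')
$dropPath  = Join-Path $systemDir $fileName
$fileHit   = $null
if (Test-Path -LiteralPath $dropPath) {
    $item    = Get-Item -LiteralPath $dropPath -Force      # -Force also returns hidden files
    $fileHit = [pscustomobject]@{
        Path    = $item.FullName
        Size    = $item.Length
        Created = $item.CreationTimeUtc
        SHA256  = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    }
}

if ($regHits -or $fileHit) {
    Write-Warning 'Indicators consistent with W32/Sdbot-ZU found:'
    $regHits | Format-Table -AutoSize
    $fileHit | Format-List
} else {
    Write-Output 'No W32/Sdbot-ZU registry or file indicators found for this user and host.'
}
```

Run it from an elevated session so the HKLM keys and the system folder are readable; to cover other user profiles, repeat the HKCU check against each loaded hive under HKEY_USERS.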
