W32/Sdbot-MV

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sdbot-MV is an IRC backdoor Trojan and network worm.

W32/Sdbot-MV copies itself to network shares protected by weak passwords.

When first run, W32/Sdbot-MV copies itself to the Windows system folder as alien.exe and creates the following registry entries to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = alien.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = alien.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Synchronization Manager = alien.exe

Each time W32/Sdbot-MV is run, it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background, allowing a remote intruder to issue commands which control the computer via IRC channels. Commands include downloading and executing remote files.

The worm also logs keystrokes to the file keylog.txt created in the Windows system folder. This file is not malicious and can be deleted.
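
A read-only PowerShell check for the artefacts this description lists (the three Run entries, alien.exe and keylog.txt), added here as an example and not part of the original write-up. Checking every loaded user hive and the SysWOW64 directory goes beyond the description and is an assumption about where a 32-bit sample would write on 64-bit Windows.

```powershell
# Added example: read-only check for the W32/Sdbot-MV artefacts listed above.
$valueName = 'Microsoft Synchronization Manager'   # Run value name from the description
$fileNames = 'alien.exe', 'keylog.txt'             # dropped copy and keystroke log

# Machine-wide keys named in the description.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# The HKCU Run key, checked for every loaded user hive (assumption: the worm
# may have been run under an account other than the one running this script).
$runKeys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" })

$findings = @()
foreach ($key in $runKeys) {
    $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $regKey) { continue }                 # key absent or not readable
    $data = $regKey.GetValue($valueName)           # $null when the value does not exist
    if ($null -ne $data) {
        $findings += [pscustomobject]@{
            Kind = 'RunValue'; Location = $key; Detail = "$valueName = $data"
        }
    }
}

# "Windows system folder": a 32-bit process on 64-bit Windows is redirected
# to SysWOW64, so both directories are checked (assumption, see lead-in).
$sysDirs = "$env:windir\System32", "$env:windir\SysWOW64" |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }
foreach ($dir in $sysDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path -Path $dir -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Kind = 'File'; Location = $path; Detail = "SHA256 $hash"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Sdbot-MV artefacts from the description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A match on these names is an indicator to investigate, not confirmation; the recorded SHA256 lets the file be compared against a known sample before removal.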