W32/Sdbot-OM

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Sdbot-OM is a network worm and backdoor Trojan. The worm spreads by copying itself to network shares that have weak passwords.

W32/Sdbot-OM creates a copy of itself named MICROSOFT.EXE in the Windows system folder and adds the following registry entries to ensure that the copy is run each time the computer restarts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = microsoft.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Synchronization Manager = microsoft.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = microsoft.exe
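
A check for the autostart values and dropped file listed above, as an added example that is not part of the original write-up or any vendor tool. The Wow6432Node key and SysWOW64 folder are additions that assume 32-bit redirection on 64-bit Windows. The write-up gives no file hash, so a hit on these names is a lead to investigate, not a confirmed detection.

```powershell
# Added example: looks for the W32/Sdbot-OM artifacts named in the write-up.
$valueName = 'Microsoft Synchronization Manager'   # value name from the write-up
$fileName  = 'microsoft.exe'                       # value data / dropped file name

# The three autostart keys from the write-up.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption beyond the write-up: a 32-bit process on 64-bit Windows is
# redirected to the Wow6432Node view and to SysWOW64, so check those too.
$runKeys += 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$sysDirs  = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64'))

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # e.g. RunServices is often absent
    $data = (Get-Item -LiteralPath $key).GetValue($valueName, $null)
    if ($null -ne $data) {
        $findings += [pscustomobject]@{
            Artifact       = 'Autostart value'
            Location       = $key
            Detail         = "$valueName = $data"
            MatchesWriteUp = ("$data" -like "*$fileName*")   # -like is case-insensitive
        }
    }
}

foreach ($dir in ($sysDirs | Select-Object -Unique)) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Record a hash so the file can be submitted or compared later.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings += [pscustomobject]@{
            Artifact       = 'File'
            Location       = $path
            Detail         = "SHA256 $hash"
            MatchesWriteUp = $true
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdbot-OM autostart values or dropped file found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The HKCU check covers only the account running the script, so run it per user or from that user's session.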

W32/Sdbot-OM maintains a log of the user's keystrokes in a file in the Windows system folder.

The backdoor component of the worm attempts to connect to an IRC server and awaits commands from a remote attacker.