W32/SqlCop.worm is a worm with keylogging capabilities. It can spread over removable media, creating the following files:

  • X:\Autorun.inf (this file is created at the root folder of each infected removable media to automatically execute the worm).
  • X:\copy.exe
  • X:\sqlserv.exe

    (Where X: is the drive letter of the removable media)

    Upon execution, the worm copies itself to the following files:

    C:\Documents and settings\All users\Application Data\copy.exe (first part of the worm)
    C:\Documents and settings\All users\Application Data\sqlserv.exe (second part of the worm containing keylogging capabilities)
    C:\Documents and settings\All users\Application Data\Autorun.inf

    Then it adds the following registry key.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sqlserv" = "C:\Documents and settings\All users\Application Data\sqlserv.exe"

    And the monitored keytrokes are stored in the following location if it exists:

    C:\Documents and settings\Guest\Templates\

    More information can be found at this McAfee page.