W32/RBot-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/RBot-A is a worm with a backdoor component that spreads via weakly protected network shares on the Windows platform. The worm spreads by scanning random IP addresses for an open SMB port (445) and trying to copy itself to the Windows system folder on the remote Admin$ and C$ shares as the file wuamgrd.exe.

W32/RBot-A uses an internal dictionary of common passwords to gain access to these shares. The worm then attempts to schedule the copied file for later execution on the remote machine.
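The spreading routine described above produces a distinctive network pattern: one internal host opening connections to port 445 on many different addresses within a short time, which is unlike a workstation talking to a handful of file servers. The following PowerShell function is an added example, not code from Sophos or from this page, that flags such hosts in a connection log. The log format (`timestamp src= dst= dport= proto=`), the sample lines, the window length and the threshold are all constructed assumptions for this example.

```powershell
# Added example (not part of the Sophos description): flag hosts that connect
# to TCP 445 on many distinct addresses inside a sliding time window.
# Log format, sample data, window and threshold are assumptions for this demo.

function Find-SmbScanners {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,            # assumed window length
        [int]$DistinctTargetThreshold = 20   # assumed number of distinct targets that is suspicious
    )

    # Parse only port-445 connection records; everything else is ignored.
    $events = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<dport>\d+)') {
            if ([int]$Matches['dport'] -ne 445) { continue }
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches['ts'], 's', $null)
                Src  = $Matches['src']
                Dst  = $Matches['dst']
            }
        }
    }

    # For each source, find the largest number of distinct destinations seen in any window.
    $alerts = foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $best = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $targets = @{}
            for ($j = $i; $j -lt $sorted.Count -and $sorted[$j].Time -le $end; $j++) {
                $targets[$sorted[$j].Dst] = $true
            }
            if ($targets.Count -gt $best) { $best = $targets.Count }
        }
        if ($best -ge $DistinctTargetThreshold) {
            [pscustomobject]@{ Source = $group.Name; DistinctTargets = $best; WindowSeconds = $WindowSeconds }
        }
    }
    return @($alerts)
}

# Constructed sample log: one benign host and one host behaving like the worm's scanner.
$base = [datetime]'2004-03-12T10:00:00'
$SampleLines = @()
# Benign: workstation 10.0.0.15 repeatedly reaching a single file server.
1..30 | ForEach-Object {
    $SampleLines += '{0:s} src=10.0.0.15 dst=10.0.0.5 dport=445 proto=tcp' -f $base.AddSeconds($_ * 2)
}
# Suspicious: 10.0.0.77 touching port 445 on 25 different addresses within 25 seconds.
1..25 | ForEach-Object {
    $SampleLines += '{0:s} src=10.0.0.77 dst=192.0.2.{1} dport=445 proto=tcp' -f $base.AddSeconds($_), $_
}

Find-SmbScanners -Lines $SampleLines | Format-Table -AutoSize
```

With the constructed data only 10.0.0.77 is reported (25 distinct targets in the window); the benign host never exceeds one distinct destination. In practice the threshold should be tuned against the number of file servers a host legitimately contacts, and a hit is a lead for inspecting the source host, not proof of infection.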

W32/RBot-A also has a backdoor component that allows a malicious user remote access to an infected computer. When run, the worm attempts to contact a remote IRC server and join a specific channel to listen for commands.

Besides the capability to spread, W32/RBot-A also allows the remote user to set up a proxy server, start an HTTP server on a user-specified port, collect system information, add or delete shares and users, kill processes, download and execute files, send email, remotely control a connected web cam, sniff network traffic or launch a denial-of-service attack against a user-specified target.

In order to run automatically when Windows starts up, W32/RBot-A copies itself to the file wuamgrd.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wuamgrd.exe

HKU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

The worm also creates the log file \debug.txt.
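The registry values, dropped file and log file listed above are the host artifacts a responder can check for directly. The following PowerShell function is an added example, not Sophos code, that looks for exactly those artifacts on the local machine. It assumes the "Windows system folder" is `%SystemRoot%\System32`, that `\debug.txt` sits in the root of the system drive, and that the `RunServices` key may simply be absent on NT-family systems; it reports findings and does not remove anything.

```powershell
# Added example (not part of the Sophos description): report the W32/RBot-A
# persistence artifacts described on this page. Run from an elevated session.
# Assumptions: system folder = %SystemRoot%\System32; log file at <SystemDrive>\debug.txt.

function Find-RBotAPersistence {
    [CmdletBinding()]
    param()

    $findings  = @()
    $valueName = 'Microsoft Update'
    $payload   = 'wuamgrd.exe'
    # RunServices only exists on older Windows releases; missing keys are skipped below.
    $subKeys   = @('Run', 'RunOnce', 'RunServices')

    # Hives to inspect: HKLM plus every user hive currently loaded under HKEY_USERS.
    $roots = @('Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion')
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $roots += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
    }

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $val = $item.PSObject.Properties[$valueName]
            # The worm writes the bare file name; match case-insensitively on the tail of the data.
            if ($val -and $val.Value -is [string] -and $val.Value.Trim() -like "*$payload") {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Location = "$key\$valueName"; Data = $val.Value
                }
            }
        }
    }

    # Dropped executable in the system folder.
    $sysFile = Join-Path $env:SystemRoot "System32\$payload"
    if (Test-Path $sysFile) {
        $f = Get-Item $sysFile
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $sysFile; Data = "size=$($f.Length) mtime=$($f.LastWriteTime)"
        }
    }

    # Log file in the root of the system drive (assumed location of \debug.txt).
    $logFile = "$env:SystemDrive\debug.txt"
    if (Test-Path $logFile) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $logFile; Data = 'possible worm log file' }
    }

    return $findings
}

$hits = @(Find-RBotAPersistence)
if ($hits.Count -eq 0) {
    Write-Output 'No W32/RBot-A persistence artifacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A match on the registry value alone is a strong indicator because the value name and data are fixed in this variant; a stray `debug.txt` in the drive root on its own is weak evidence and is listed only so it is not overlooked during clean-up.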
