W32/Rbot-ABG is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-ABG spreads to network shares with weak passwords as a result of the backdoor element receiving the appropriate command from a remote user.
W32/Rbot-ABG copies itself to the Windows system folder as ctupdclt.exe and creates entries at the following locations in the registry so as to run itself on system startup, resetting the entries in every 2 minutes:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CTUpdate
ctupdclt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTUpdate
ctupdclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
CTUpdate
ctupdclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTUpdate
ctupdclt.exe
W32/Rbot-ABG tries to delete the I$ network shares on the host computer in
every 2 minutes.