W32/Rbot-ACL is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-ACL spreads to network shares with weak passwords as a result of the backdoor element receiving the appropriate command from a remote user.
W32/Rbot-ACL copies itself to the Windows System32 folder as WinGuard.exe and creates entries in the registry at the following locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
WinGuard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
WinGuard.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
WinGuard.exe