W32/Rbot-ADV is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorized remote access to the infected computer via IRC channels.
W32/Rbot-ADV spreads to network shares with weak passwords and via network security exploits as a result of the backdoor element receiving the appropriate command from a remote user.
W32/Rbot-ADV copies itself to the Windows system folder with the filename SystemDll.exe and creates entries at the following locations in the registry with the value "Microsoft DLL Extensions" so as to run itself on system startup, resetting these values every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-ADV attempts to set the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
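As an added defender-side example, not code from the advisory, the following Python scans a `reg export` style text dump for the startup entries and the two configuration changes described above. It assumes "Microsoft DLL Extensions" is the value name and that its data is the path to SystemDll.exe; the sample dump is constructed.

```python
import re

# Constructed sample of a `reg export` style dump, not a real capture.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft DLL Extensions"="C:\\WINDOWS\\system32\\SystemDll.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Users\\user\\AppData\\Local\\tray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

# Keys named in the advisory, as lowercase full paths with hive names expanded.
_CV = r"software\microsoft\windows\currentversion"
RUN_KEYS = [r"hkey_local_machine\%s\run" % _CV,
            r"hkey_local_machine\%s\runservices" % _CV,
            r"hkey_current_user\%s\run" % _CV]
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}, case-folded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """Return the W32/Rbot-ADV registry indicators present in a .reg export."""
    reg = parse_reg(text)
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key, {}).get("microsoft dll extensions", "")
        if "systemdll.exe" in data.lower():
            findings.append("autorun entry: %s -> %s" % (key, data))
    # Hardening guides set both values below too: weak signals on their own.
    if reg.get(OLE_KEY, {}).get("enabledcom", "").strip('"').upper() == "N":
        findings.append("EnableDCOM=N")
    if reg.get(LSA_KEY, {}).get("restrictanonymous") == "dword:00000001":
        findings.append("restrictanonymous=1")
    return findings
```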
W32/Rbot-ADV attempts to delete network shares on the host computer every 2 minutes.
W32/Rbot-ADV attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.
W32/Rbot-ADV may attempt to log keystrokes to the file KEYS.TXT in the Windows system folder.