W32/Rbot-BH is a member of the W32/RBot family of worms with backdoor
capabilities.
In order to run automatically when Windows starts up the worm copies
itself to the file winscv.exe in the Windows system folder and adds the following
registry entries pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update
When run the worm attempts to connect to a remote IRC server. This connection
is used as a control channel that allows a malicious user access to the
infected computer.