W32/Rbot-CF is a backdoor Trojan and network worm that allows unauthorised
remote access to the infected computer via IRC channels while running in the
background as a service process.
In order to run automatically when Windows starts up the worm copies
itself to the file UKENME.EXE in the Windows system folder
and adds the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager-Emulator = ukenme.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager-Emulator = ukenme.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Task Manager-Emulator = ukenme.exe
The worm attempts to copy itself to the Windows system folder as GT.EXE on
weakly protected network shares.