W32/Rbot-FP is a worm for the Windows platform that also has backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FP spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate commands from a remote user.
W32/Rbot-FP copies itself to the Windows system folder as winupdt.EXE and creates entries at the following locations in the registry so as to run itself on system startup,
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine=winupdt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine=winupdt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine=winupdt.exe.
W32/Rbot-FP will also set the registry entries below:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM="N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous=dword:00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=
dword:00000001
W32/Rbot-FP will try and delete network shares on the infected system and will terminate running processes related to anti-virus, computer security and system administration that could potentially be used to remove W32/Rbot-FP from the infected system.