W32/Rbot-GV spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-GV copies itself to the Windows system folder as winsys.exe and creates registry entries called Microsoft Update under the following entries so as to run itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = winsys.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = winsys.exe
W32/Rbot-GV may also log information to C:\Debug.txt. It will also attempt to steal CD keys related to various software and may be used to carry out DDOS attacks.