W32/Rbot-IF is a worm which attempts to spread to remote network shares. The worm also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Rbot-IF copies itself to the Windows system folder as ANTIVIRUS.EXE and creates the following registry entries to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
AntiVirus Update = antivirus.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
AntiVirus Update = antivirus.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
AntiVirus Update = antivirus.exe
W32/Rbot-IF may modify the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1
W32/Rbot-IF may attempt to delete the network shares on the host computer.