W32/Rbot-JU is a worm which attempts to spread to remote network shares and allows unauthorised remote access to the computer via IRC channels.
W32/Rbot-JU spreads to network shares with weak passwords and via network security exploits when its backdoor component receives the appropriate command from a remote attacker.
W32/Rbot-JU copies itself to the file msm32.exe in the Windows system folder and creates entries at the following locations in the registry so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Protection Subsystems = "msm32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Protection Subsystems = "msm32.exe"
The following registry entry may also be created:
HKCU\Software\Microsoft\OLE\
Microsoft Protection Subsystems = "msm32.exe"
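
The persistence indicators listed above can be checked on a host with a short PowerShell script. This is an added example, not code from the original description or from the vendor. Checking SysWOW64 as well as the system folder, and checking the OLE key in every loaded user hive rather than only the current user's, are assumptions made here to cover 64-bit and multi-user hosts.

```powershell
# Added example: look for the W32/Rbot-JU registry value and file named in the description.
$ValueName = 'Microsoft Protection Subsystems'
$FileName  = 'msm32.exe'

# Machine-wide autorun keys from the description.
$keys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# HKCU is per user, so check the OLE key in every user hive loaded under HKEY_USERS (assumption).
$keys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\OLE" })

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Flag the documented value name, or any value whose data points at msm32.exe.
        if ($name -eq $ValueName -or $data -like "*$FileName*") {
            [pscustomobject]@{ Type = 'Registry'; Location = $key; Name = $name; Data = $data }
        }
    }
}

# The description says the copy lands in the Windows system folder; SysWOW64 is an added assumption.
$folders = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Select-Object -Unique
$findings = @($findings) + @(foreach ($folder in $folders) {
    $path = Join-Path $folder $FileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Record the hash so the file can be compared against vendor intelligence.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{ Type = 'File'; Location = $path; Name = $FileName; Data = "SHA256 $hash" }
    }
})

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No W32/Rbot-JU indicators from this description were found.'
}
```

Run it from an elevated 64-bit PowerShell session so that other users' hives and the native HKLM view are readable; a match on the file name alone is a lead to investigate, not a confirmed detection.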