W32/Rbot-JY is a worm which attempts to spread to remote network shares and allows unauthorised remote access to the computer via IRC channels.
W32/Rbot-JY spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-JY copies itself to the file winsys.exe in the Windows system folder and creates entries at the following locations in the registry so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsRegKey update = winsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WindowsRegKey update = winsys.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsRegKey update = winsys.exe