W32/Rbot-LA's backdoor functionalty may allows remote intruder to:
access webcam
capture screeenshot
steal CD keys related to various softwares
capture Windows login information on Windows NT/2000
access files on Host computer
send Email messages to other host
download/Upload/Execute files on host
run a keylogger
sniff network traffic and carry out DDOS on target
W32/Rbot-LA copies itself to the Windows system folder as regscan32.exe and creates entries in the registry at the following locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Scan = "regscan32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Registry Scan = "regscan32.exe"
When triggered, W32/Rbot-LA tries to set the following registry entry to disable DCOM:
HKLM\Software\Microsoft\OLE\EnableDCOM = "N"
W32/Rbot-LA tries to set the following registry entry to restrict access to the IPC$ share on the infected computer:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"