W32/Rbot-MC's backdoor functionality may allow a remote intruder to:
- Access webcam
- Capture screeenshot
- Steal CD keys related to various softwares
- Capture Windows login information on Windows NT/2000
- Access files on Host computer
- Send Email messages to other host
- Download/Upload/Execute files on host
- Run Keylogger
- Sniff network traffic and carry out DDOS on target
W32/Rbot-MC copies itself to the Windows system folder as firewallsp2.exe and creates entries in the registry at the following locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Firewall: "firewallsp2.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Firewall: "firewallsp2.exe"
When triggered, W32/Rbot-MC tries to set the following registry entry to disable DCOM:
HKLM\Software\Microsoft\OLE\EnableDCOM = "N"
W32/Rbot-MC tries to set the following registry entry to restrict access to the IPC$ share on the infected computer:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"