W32/Rbot-MH is a worm with backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Rbot-MH may attempt send itself by DCC as a result of receiving the appropriate command from a remote user.
W32/Rbot-MH copies itself to the Windows system folder as nortonswap.exe or with a random name and creates entries in the registry at the following locations to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Norton Swap Cleaner = "nortonswap.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Norton Swap Cleaner = "nortonswap.exe"
The worm also sets the following registry entry:
HKCU\Software\Microsoft\OLE\
Norton Swap Cleaner = "nortonswap.exe"
The backdoor functionality of the worm may include providing a remote command shell, stealing keys for various software and the ability to participate in DDOS attacks.