W32/Rbot-OO is an IRC backdoor Trojan and network worm.
W32/Rbot-OO may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-OO copies itself to the Windows system folder and creates the following registry entries to run automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsRegKey update = "rkbuouoxfl.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WindowsRegKey update = "rkbuouoxfl.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsRegKey update = "rkbuouoxfl.exe"
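A way to check a host for the autostart entries listed above, as an added example that is not part of the original description. It parses the text of a regedit `.reg` export and reports values under the three Run keys whose name or data matches the entry on this page. The function name and the sample export are assumptions constructed for illustration.

```python
import re

# Autostart keys and value listed on this page (registry names are case-insensitive).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
IOC_NAME = "windowsregkey update"
IOC_FILE = "rkbuouoxfl.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_rbot_oo_autostart(reg_text):
    """Return (key, value name, data, matched fields); reg_text is a decoded .reg export."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        # .reg files escape backslashes and quotes with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        matched = []
        if name.lower() == IOC_NAME:
            matched.append("name")
        if IOC_FILE in data.lower():
            matched.append("file")
        if matched:
            hits.append((key, name, data, "+".join(matched)))
    return hits

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WindowsRegKey update"="rkbuouoxfl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\RKBUOUOXFL.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"WindowsRegKey update"="rkbuouoxfl.exe"
'''
```

An entry that matches only the file name is still reported, and the same value name outside the three Run keys is ignored.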
W32/Rbot-OO also attempts to alter the following registry entries, if they are not already set:
HKLM\Software\Microsoft\Ole\EnableDCOM
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous
W32/Rbot-OO can receive commands from a remote attacker to delete network shares, log keypresses, participate in DDoS attacks, steal registration keys for computer games and scan other computers for vulnerabilities.