W32/Rbot-PV is an IRC backdoor worm.
W32/Rbot-PV may spread to remote network shares. The worm also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
When run W32/Rbot-PV may perform either of the following 2 actions:
The worm moves itself to the Windows system folder as enotxa2.exe or f0mered.exe. W32/Rbot-PV also creates one of the two following sets of registry entries so as to run itself on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Start aThe Roll
enotxa2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Start aThe Roll
enotxa2.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Start aThe Roll
enotxa2.exe
Or:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Start aThx Roll
f0mered.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Start aThx Roll
f0mered.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Start aThx Roll
f0mered.exe
W32/Rbot-PV also sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
"1"
W32/Rbot-PV may delete network shares. W32/Rbot-PV may also attempt to log keypresses, participate in DDoS attacks and steal keys for various games.