Full Version: Rbot Registry Keys
kbnet
Here is an example of a registry key which is set by Rbots.

HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>"

Now this is not one of the common registry Run keys, so when does the file actually get executed?
iam
QUOTE(kbnet @ Aug 1 2005, 03:58 PM)
Here is an example of a registry key which is set by Rbots.

HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>"

Now this is not one of the common registry Run keys, so when does the file actually get executed?

At a complete guess, when you run Windows Update, or perhaps when Auto Updates go to work?
kbnet
HKCU\Software\Microsoft\OLE\<any string value>\<data>

It's not specific to Windows Update; I just meant that as an example. That is just a generated string value. Cheers though.
iam
QUOTE(kbnet @ Aug 1 2005, 04:11 PM)
HKCU\Software\Microsoft\OLE\<any string value>\<data>

It's not specific to Windows Update. That is just a generated string value. Cheers though.

So do you know yourself?

I could hazard another guess, but I think I'll leave it for somebody who actually knows.
kbnet
QUOTE
So do you know yourself?

If I knew I wouldn't be asking. Is anyone able to tell me for sure? Google isn't much help with this one.
kbnet
OK, here are some more details:

http://msdn.microsoft.com/library/default....0a490390426.asp

As can be seen, there are default named values, but it doesn't mention anything about putting in your own keys and getting files to execute. Has this key been used incorrectly by the author of the Rbot in the belief that it actually executes?
cowsonfire
That key was in Rbot to disable DCOM (the EnableDCOM setting) as part of the secure function. Some idiot who got hold of the bot probably didn't know what he was doing and thought it was another autostart key.
kbnet
Yeah, I've been looking for info for a bit now and I can't see any reason why someone would set a key like it. I just found it strange because it has also set "EnableDCOM" to 'N'. Like you say though, it probably is someone who hasn't got a clue what they are doing; that certainly makes the most sense, as I can't find any other answer to why this would be done, unless it was to be used as an infection marker (again, that would be a strange thing to do though, as it would not be very subtle, but it's a possibility).
Cheers.
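The thread's conclusion is that HKCU\Software\Microsoft\OLE is not an autostart location, so a file named in a stray value there is never launched by that key; what is worth checking for on a suspect machine is the unexpected value name under the OLE key, EnableDCOM set to "N" (the bot's DCOM-disabling routine), and whatever the bot put into the real Run keys. The script below is an added example, not code from this thread or from Rbot. It parses the text format written by `reg export` and reports those three artefacts. The sample export, the file name `sample_bot.exe` and the list of documented OLE value names are constructed for the demonstration; the authoritative list of DCOM value names is the MSDN page linked above.

```python
"""Audit a Windows registry export (.reg text) for the Rbot artefacts discussed
in the thread. Added example, not from the thread or the bot."""
import re
from typing import Dict, List, Tuple

# Documented DCOM settings under Software\Microsoft\OLE. Assumption: taken from
# general knowledge of the MSDN DCOM registry documentation, not from the thread.
DOCUMENTED_OLE_VALUES = {
    "EnableDCOM",
    "EnableRemoteConnect",
    "LegacyAuthenticationLevel",
    "LegacyImpersonationLevel",
    "DefaultLaunchPermission",
    "DefaultAccessPermission",
    "MachineLaunchRestriction",
    "MachineAccessRestriction",
}

# Keys Windows actually consults to start programs at logon (HKCU and HKLM).
AUTOSTART_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed sample export. "sample_bot.exe" is an invented stand-in for the
# "<filename>" placeholder used in the thread; nothing here is a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Update 32"="sample_bot.exe"
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
"LegacyAuthenticationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update 32"="sample_bot.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode_data(raw: str) -> str:
    """Turn the right-hand side of a .reg value line into a plain string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw  # hex:, expand strings etc. are left as written


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = _decode_data(m.group(2))
    return tree


def audit(tree: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding, key, detail) tuples for the three artefacts."""
    findings = []
    for key, values in tree.items():
        low = key.lower()
        if low.endswith(r"\software\microsoft\ole"):
            for name, data in values.items():
                if name not in DOCUMENTED_OLE_VALUES:
                    # The stray "generated string value" the thread asks about.
                    findings.append(("unexpected_ole_value", key, f"{name}={data}"))
                elif name == "EnableDCOM" and data.upper() == "N":
                    # Rbot's "secure" routine turning DCOM off.
                    findings.append(("dcom_disabled", key, "EnableDCOM=N"))
        elif low.endswith(AUTOSTART_KEY_SUFFIXES):
            # Only these keys actually launch a file at logon.
            for name, data in values.items():
                findings.append(("autostart_entry", key, f"{name}={data}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(*finding, sep="\t")
```

Run it against `reg export HKCU\Software\Microsoft\OLE`, the HKLM equivalent and the Run keys from a suspect host; a value under OLE whose name is not a documented DCOM setting is a useful indicator, but the file it names only runs if the same name also turns up under a real autostart key.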
Invision Power Board © 2001-2005 Invision Power Services, Inc.