||||
Symantec.com > Security Response > Threats and Risks > W32.XTC.Worm
PRINT THIS PAGE

W32.XTC.Worm

Risk Level 1: Very Low

Printer Friendly Page

Updated: February 13, 2007 11:34:39 AM
Type: Worm


The worm connects to eu.undernet.org using a random username. It joins the #xtcdan channel and responds to private messages that contain commands that it recognizes. The worm also sends its version number and watches for other worms doing the same. If one worm has a later version number than another worm, the newer worm sends the update command to the older worm.

The worm recognizes the following commands:

update:
    Writes the current version of the worm to
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\XTCUpdate.

    It then connects via FTP to the supplied URL, downloads and executes xtcspawn.exe, and then terminates itself to allow updating.
ver:
    Returns the current version of the worm.

nopassword:
    Disables IRC commands until the correct password is sent via password command.

password:
    Enables worm behavior control.

dos:
    Initiates denial of service attack against the specified address.

spreadon:
    Enables MAPI spreading.

spreadoff:
    Disables MAPI spreading.

reconnect:
    Terminates and restarts the worm.

exitprocess:
    Terminates the worm.

pwd:
    Sends host current directory to IRC channel.

cd:
    Sets host current directory.

dir:
    Sends the name of every file and directory in host current directory that matches the specified mask.

md:
    Creates directory on host machine.

rd:
    Removes directory from host machine (fails if directory is not empty).

del:
    Deletes specified file from host current directory.

move:
    Moves the specified file on host machine.

info:
    Sends "** I-Worm.XTC, written by Benny/29A. Variant" followed by a 4 digit version number.

machine:
    Returns host machine name.

dcc send:
    Receives file from IRC channel.
sendme:
    Sends itself to IRC channel.

copy:
    Copies specified file on host machine.

leave:
    Removes worm registry keys, deletes worm file, and reboots Windows.

mark:
    Sets several Internet Explorer pages to point to http://www.therainforestsite.com.
    The pages are: Default Page, Default Search, Search Page, Start Page, What's New, and Local Page.

stopdos:
    Disables denial of service attack.

ircsend:
    Sends command to IRC channel from host machine.
exec:
    Launches specified file on host machine.

whois:
    Responds if the machine at the specified IP is infected.

lanspread:
    Copies itself as internat.exe into the startup directory of host, and as taskmgr.exe in all drives from C to Z in Windows, Winnt, Win95, Win98, Win2000, Win2k, and WinME directory.

reboot:
    Reboots machine.

spreadto:
    Sends worm by mail to specified address.

PING:
    Responds with PONG.

When MAPI spreading is initiated by the spreadon command, the worm searches the Temporary Internet Files folder for *.*htm* files, scans those files for mailto: text (email addresses), and then attempts to send mail to those addresses. The mail to the addressees appears to come from support@avx.com with the following text:
    subject: AVX update notification

    Hi,
    We would like to notify you about the newest software designed by SOFTWIN company. This program constantly monitors the net for the newest viral treats and anti-virus databases. In the case some new virus is in-the-wild, it will immediatelly ask you to download the newest version of AntiVirus eXpert 2000 (AVX). It's small, it's efficent, it's secure and powerful. No special licence is needed, it's freeware. We hope you enjoy AntiVirus eXpert and share it with your friends.
    Best regards,
    AVX developement team
    ---

The spelling mistakes appear in the original text. The worm is attached to the email.
This worm is compressed and encrypted with the same wrapper as WNT.Energy.Worm.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Peter Ferrie
Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS