|Place of Origin||Brno, Czech Republic|
|Infection Length||20,480 bytes|
Xtc is a worm coded by Benny. It appeared in the 5th issue of the 29A magazine. It listens for commands on an IRC channel, essentially giving it control over the host machine.
Xtc arrives in an email with a subject of "AVX update notification". It will appear to come from firstname.lastname@example.org. The worm will be the attachment Services.exe.
The text of the email is:
Hi, We would like to notify you about the newest software designed by SOFTWIN company. This program constantly monitors the net for the newest viral treats and anti-virus databases. In the case some new virus is in-the-wild, it will immediatelly ask you to download the newest version of AntiVirus eXpert 2000 (AVX). It's small, it's efficent, it's secure and powerful. No special licence is needed, it's freeware. We hope you enjoy AntiVirus eXpert and share it with your friends. Best regards, AVX developement team ---
The worm uses a random username to connect to eu.undernet.org. It joins the channel #xtcdan channel and listens for commands. These commands can come from a human joining the channel or another copy of the worm. It will also check the channel for other worms and update them if they are out of date.
The list of commands Xtc can respond to, and what they do, are as follows:
- update writes the current version of the worm to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\XTCUpdate. It then connects to an FTP server to download and execute the file xtcspawn.exe. It then terminates itself to allow updating.
- whois responds if the machine at the specified IP is infected.
- ver returns the current version of the worm.
- password logs on to the worm, enables the user on the channel to send commands.
- nopassword logs off the worm.
- dos launches denial of service attack against a specified address.
- stopdos ends the DOS attack.
- spreadon starts spreading by email.
- spreadoff stops spreading by email.
- spreadto sends itself to a specified email address.
- lanspread copies itself as internat.exe into the startup directory of host, and as taskmgr.exe in all drives from C to Z in Windows versions from 95 to XP.
- reconnect terminates and restarts the worm.
- exitprocess terminates the worm.
- reboot reboots machine.
- pwd sends the current working directory to the IRC channel.
- cd changes the current directory.
- dir lists files on the current directory.
- md creates a directory on the host.
- rd removes directory, will not work if the directory has files in it.
- copy copies specified file on host machine.
- move moves a specified file on the host machine.
- del deletes specified file.
- info sends "** I-Worm.XTC, written by Benny/29A. Variant" followed by a 4 digit version number.
- machine retrieves the host machine name.
- 1, DCC SEND accepts specified file via DCC
- sendme sends itself to IRC channel.
- update downloads file from specified URL and executes it
- leave removes worm registry keys, deletes worm file, and reboots Windows.
- mark Sets several Internet Explorer pages (Default Page, Default Search, Search Page, Start Page, What's New, and the Local Page) to point to http://www.therainforestsite.com.
- ircsend sends command to IRC channel from host machine.
- exec launches specified file on host machine.
- PING responds with PONG.
Symantec Security Response, W32.XTC.Worm.
Benny. 29A, Issue 5, Project XTC - I-Worm.XTC.