W32/XTC@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 12/04/2000
Length: 20,480
Minimum DAT: 4111 (12/13/2000)
Updated DAT: 4754 (05/03/2006)
Minimum Engine: 5.1.00
Description Added: 12/04/2000
Description Modified: 03/19/2001 1:49 PM (PT)
Risk Assessment:
- Corporate User: Low
- Home User: Low

Characteristics

This is a mass mailing Internet worm and backdoor trojan which is also capable of spreading via open local network shares. It arrives as an encrypted and compressed executable. Internet Relay Chat and the FTP protocol are utilized for receiving updates, allowing this worm to evolve beyond its current state. It may be received as an email attachment containing the following information:

From: support@avx.com
Subject: AVX update notification
Body:

"Hi, We would like to notify you about the newest software designed by SOFTWIN company. This program constantly monitors the net for the newest viral treats and anti-virus databases. In the case some new virus is in-the-wild, it will immediatelly ask you to download the newest version of AntiVirus eXpert 2000 (AVX). It's small, it's efficent, it's secure and powerful. No special licence is needed, it's freeware. We hope you enjoy AntiVirus eXpert and share it with your friends.

Best regards,
AVX developement team."

Attachment: SERVICES.EXE

Executing the attachment infects your computer.

Symptoms

- Complaints by infected users that you sent them the Internet worm
- Altered default startup and search pages in Internet Explorer
- Presence of the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XTCUpdate=C:\WINDOWS\SERVICES.EXE
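
The indicators listed above (sender, subject, attachment name and the XTCUpdate Run value) can be checked mechanically. The following Python code is an added example, not part of the original description; the function names, the sample message and the sample text in the format printed by `reg query` are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description above, compared case-insensitively.
IOC_FROM = "support@avx.com"
IOC_SUBJECT = "avx update notification"
IOC_ATTACHMENT = "services.exe"
IOC_RUN_VALUE = "xtcupdate"
RUN_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s+(.*)$")  # name, type, data

def message_hits(raw: bytes) -> list:
    """Return the names of the indicators that one RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    # walk() visits nested MIME parts, so a wrapped attachment is still seen.
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    checks = {
        "from": parseaddr(str(msg.get("From", "")))[1].lower() == IOC_FROM,
        "subject": IOC_SUBJECT in str(msg.get("Subject", "")).lower(),
        "attachment": IOC_ATTACHMENT in names,
    }
    return [name for name, matched in checks.items() if matched]

def run_key_hits(reg_query_output: str) -> list:
    """Return (value name, data) pairs named XTCUpdate in `reg query` text."""
    found = []
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m and m.group(1).strip().lower() == IOC_RUN_VALUE:
            found.append((m.group(1), m.group(3).strip()))
    return found

def build_sample(sender: str, subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment is two placeholder bytes."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("constructed sample body")
    m.add_attachment(b"\x00\x00", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLE_REG = (  # constructed sample of Run key output
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    XTCUpdate    REG_SZ    C:\\WINDOWS\\SERVICES.EXE\n")

if __name__ == "__main__":
    print(message_hits(build_sample("AVX <support@avx.com>",
                                    "AVX update notification", "SERVICES.EXE")))
    print(run_key_hits(SAMPLE_REG))
```
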

Method of Infection

When run, this worm performs the following tasks:

- Checks for the presence of anti-debugging software. If such a program is found, the program halts and an ERROR message is displayed.
- Creates the file SERVICES.EXE in your WINDOWS directory.
- On Windows 9x/ME, the following registry key value is created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XTCUpdate=C:\WINDOWS\SERVICES.EXE

The worm is also capable of performing these additional tasks:

- Mass mailing itself to email addresses found in .HTML files contained in your "Temporary Internet Files" directory
- Spreading via open shares on the local area network
- Altering the default startup and search pages of Internet Explorer
- Connecting to the Undernet IRC server and joining channels where the author can take control of the victim's computer and perform the following tasks:

  - Initiate a DDoS attack
  - Mail the worm to a specific email address
  - Uninstall the worm
  - Download files and execute them
  - Run IRC commands
  - Change the default startup page in Internet Explorer
  - Retrieve the machine name of the victim's computer
  - Create and delete directories and files
  - Launch a program

Removal

All Users:

  • Use the specified engine and DAT files for detection.
  • Delete any file which contains this detection.
  • Disable the DefaultShare

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

- I-Worm.XTC
- W32.XTC.Worm
- W32/Xtc
