W32.Janx


Aliases: Backdoor.Win32.Jix.a, Exploit-MS04-011.gen, WORM_JANZ.A, Worm/Zusha.A, Exploit.MS04-011 
Variants: W32/Janx.A.worm 

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 13 Feb 2007
Damage: Medium

Characteristics: W32.Janx is an IRC worm, a type of worm that uses chat channels as its main method of propagation. It can also spread by sending URLs pointing to websites with infected links, or infected files, to the contacts found on the compromised machine. The worm prefers to infect computers via infected links, since an infected file must be saved and then executed before the malware can fully infect the target machine.

More details about W32.Janx

The W32.Janx worm attempts to exploit the Microsoft LSASS (Local Security Authority Subsystem Service) buffer overrun vulnerability (the MS04-011 issue referenced in its aliases). It propagates by scanning randomly chosen IP addresses for susceptible machines. It also connects to an IRC server and waits in the background for instructions from its remote controller on what actions to perform on the system. The buffer overrun in LSASS permits remote code execution on the compromised system; an attacker who successfully exploits it can take full control of the infected computer. Once running, W32.Janx copies itself under one of three EXE file names and creates a fake service named WUClient with the display name "Windows Update Client".

The worm then runs an FTP server on TCP port 5533, which it uses to spread to other vulnerable hosts. Next, it tries to connect to randomly generated IP addresses on TCP port 445. Once connected, it sends shellcode that may cause the host to execute a remote shell on TCP port 5534. That shell is then used to connect back to the FTP server on port 5533 and download a copy of the worm's code. Finally, the worm connects to the IRC server at 203.167.78.35 to await instructions.
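As an added illustration that is not part of the original write-up, the following Python flags hosts whose connection logs show the propagation chain described above: fan-out to TCP/445, a shell on TCP/5534, a pull from the FTP server on TCP/5533, and a check-in to the IRC server at 203.167.78.35. The log format, the sample records, the IRC port 6667 and the fan-out threshold are assumptions.

```python
from collections import defaultdict

# Indicators from the description above (TCP ports and C2 address as stated there).
SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 5534, 5533
IRC_C2 = "203.167.78.35"
SCAN_FANOUT = 5  # distinct TCP/445 targets before flagging a host (assumed threshold)

# Constructed connection records, "time src dst dport proto"; not real traffic.
SAMPLE_LOG = [
    "10:00:01 10.0.0.7 10.0.3.12 445 tcp",
    "10:00:01 10.0.0.7 10.0.3.13 445 tcp",
    "10:00:02 10.0.0.7 10.0.3.14 445 tcp",
    "10:00:02 10.0.0.7 10.0.3.15 445 tcp",
    "10:00:03 10.0.0.7 10.0.3.16 445 tcp",
    "10:00:04 10.0.0.7 10.0.3.12 5534 tcp",       # shell spawned on the victim
    "10:00:05 10.0.3.12 10.0.0.7 5533 tcp",       # victim pulls the worm by FTP
    "10:00:09 10.0.3.12 203.167.78.35 6667 tcp",  # IRC check-in (port assumed)
    "10:00:10 10.0.0.9 10.0.1.2 445 tcp",         # benign single SMB session
]

def analyze(lines):
    """Return {source host: [reasons]} for hosts whose outbound traffic matches Janx."""
    fanout = defaultdict(set)   # src -> distinct TCP/445 destinations
    hits = defaultdict(list)    # src -> per-connection reasons, deduplicated below
    for line in lines:
        _, src, dst, dport, proto = line.split()
        if proto != "tcp":
            continue
        dport = int(dport)
        if dport == SCAN_PORT:
            fanout[src].add(dst)
        elif dport == SHELL_PORT:
            hits[src].append("connection to TCP/5534 (Janx remote shell)")
        elif dport == FTP_PORT:
            hits[src].append("connection to TCP/5533 (Janx FTP retrieval)")
        if dst == IRC_C2:
            hits[src].append(f"connection to IRC C2 {IRC_C2}")
    findings = {}
    for host in set(fanout) | set(hits):
        n = len(fanout.get(host, ()))
        reasons = []
        if n >= SCAN_FANOUT:
            reasons.append(f"TCP/445 fan-out to {n} distinct hosts")
        reasons += dict.fromkeys(hits[host])  # dedupe while preserving log order
        if reasons:
            findings[host] = reasons
    return findings
```

The scanning host and the newly infected host surface with different reasons, so the same rule covers both sides of the infection step; tune SCAN_FANOUT to the normal SMB fan-out of the environment.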