
Net-Worm.Win32.Kido.ir

Detected Nov 02 2009 04:35 GMT
Released Nov 02 2009 09:31 GMT
Published Dec 14 2009 11:35 GMT


Technical Details

The Kido worm family creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (and sometimes on public network shares).

Net-Worm.Win32.Kido.ir is a Windows autorun script (an AUTORUN.INF file). The file size is between 59,284 and 95,034 bytes. It is not packed.


Payload

When infected removable storage media is connected to a computer with Autorun enabled, this script launches the Kido worm.

The content of the autorun script is obfuscated by padding it with a random set of characters.

Once deobfuscated, the autorun script looks like this:

    [AUTorUN]
    AcTION = Open folder to view files
    icon =%syStEmrOot%\sySTEM32\sHELL32.Dll, 4
    OpEn = RunDll32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
    sHEllExECUTe = RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
    useAuTopLAY = 1
This script tells us that the original worm DLL is stored at the following path on the removable media:

    .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

On an English-language Windows installation, the autorun script presents itself with the menu text "Open folder to view files".
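As an added example (not Kaspersky's code), the following Python script normalises an AUTORUN.INF that has been padded with random characters as described above, keeps only the keys the Windows autorun handler actually reads, and flags the traits of the deobfuscated Kido script: rundll32 loading a .vmx module from a RECYCLER folder behind a legitimate-looking "Open folder to view files" action. The sample file embedded in it is constructed for the demonstration.

```python
"""Normalise an obfuscated AUTORUN.INF and flag a Kido-style launcher (added example)."""
import re

# Keys the Windows autorun handler reads; any other line is treated as padding.
AUTORUN_KEYS = {"action", "icon", "open", "shellexecute", "useautoplay", "label"}
KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def normalise_autorun(text):
    """Return {section: {lowercase_key: value}}, dropping junk lines and case tricks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None and m.group(1).lower() in AUTORUN_KEYS:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def kido_indicators(sections):
    """List the reasons a normalised AUTORUN.INF resembles the Kido launcher above."""
    hits = []
    autorun = sections.get("autorun", {})
    for key in ("open", "shellexecute"):
        low = autorun.get(key, "").lower()
        if "rundll32" in low and "\\recycler\\" in low:
            hits.append(f"{key}: rundll32 loads a module from a RECYCLER folder")
        if re.search(r"\.vmx\s*,", low):
            hits.append(f"{key}: rundll32 module has a .vmx extension instead of .dll")
    if autorun.get("action", "").lower() == "open folder to view files":
        hits.append("action: mimics the standard 'Open folder to view files' prompt")
    return hits


# Constructed sample: junk padding around the key/value pairs of the deobfuscated script.
SAMPLE = """\
;aX9#kq2m!
[AUTorUN]
zzqpl
AcTION = Open folder to view files
icon =%syStEmrOot%\\sySTEM32\\sHELL32.Dll, 4
r4%$b
OpEn = RunDll32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx, ahaezedrn
sHEllExECUTe = RUNdLl32.ExE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx, ahaezedrn
useAuTopLAY = 1
"""

if __name__ == "__main__":
    for hit in kido_indicators(normalise_autorun(SAMPLE)):
        print(hit)
```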


Removal instructions

If your computer does not have an up-to-date antivirus solution, or has no antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:

  1. Delete the files shown below from all removable storage media:
    <X>:\autorun.inf
    <X>:\RECYCLER\S-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>\<rnd>.vmx
  2. Download and install updates for the operating system:
    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  3. Disable Autorun on the computer.
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.



Aliases

Net-Worm.Win32.Kido.ir (Kaspersky Lab) is also known as:

  • Net-Worm.Win32.Kido.iq (Kaspersky Lab)
  • Trojan.Win32.AutoRun.bo (Kaspersky Lab)
  • Mal/ConfInf-A (Sophos)
  • Worm.Autorun-2191 (ClamAV)
  • Worm:Win32/Conficker.B!inf (MS(OneCare))
  • Win32.HLLW.Autoruner.5601 (DrWeb)
  • Worm.AutoRun.VHG (BitDef7)
  • INF.Conficker.F (VirusBuster)
  • BV:AutoRun-Y [Wrm] (AVAST)
  • Net-Worm.Win32.Kido (Ikarus)
  • Worm/Downadup (AVG)
  • WORM/Conficker.Autorun.Gen (AVIRA)
  • W32.Downadup!autorun (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Worm:W32/Downaduprun.A [FSE] (FSecure)
  • TROJ_DOWNAD.INF (TrendMicro)
  • INF.Conficker.F (VirusBusterBeta)