| Detected | Nov 02 2009 04:35 GMT |
| Released | Nov 02 2009 09:31 GMT |
| Published | Dec 14 2009 11:35 GMT |
The Kido worm family creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (and sometimes on public network shares).
Net-Worm.Win32.Kido.ir is a Windows startup script (an AUTORUN.INF file). The size of the file is between 59,284 and 95,034 bytes. It is not packed.
When infected removable storage media is connected to an autorun-enabled computer, this script starts the Kido worm.
The content of the autorun script is obfuscated with a random set of characters.
Once unobfuscated, the autorun script looks like this:
[AUTorUN]
AcTION=Open folder to view files
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
OpEn=RunDll32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
sHEllExECUTe=RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1

We learn from this script that the original worm DLL is located in the following folder on the removable media:

.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

On an English-language Windows installation, the autorun script displays the sentence "Open folder to view files".
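A detection check for the script layout described above, as an added example that is not part of the original description or of any vendor tool: it skips the obfuscation padding, reads keys case-insensitively, and flags launch entries that run rundll32 against a .vmx file in a recycle-bin-style SID folder. The function names are hypothetical, and the padding is assumed to be lines of non-text bytes between the readable lines; the junk bytes in the sample are constructed.

```python
import re

# Readable "key=value" lines only; junk padding lines fail this pattern.
LINE_RE = re.compile(r"^[ \t]*([A-Za-z]+)[ \t]*=[ \t]*([\x20-\x7e]+?)[ \t]*$")
# Keys from the script above that make Windows run a command from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
# rundll32 loading a .vmx file from a recycle-bin-style SID folder.
KIDO_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\.?\\?RECYCLE[RD]\\S(?:-\d+)+\\[^\\,\s]+\.vmx)"
    r"\s*,\s*(?P<export>\w+)",
    re.IGNORECASE,
)


def parse_autorun(raw: bytes) -> dict:
    """Map lower-cased key -> value, ignoring section headers and junk lines."""
    entries = {}
    for line in raw.decode("latin-1").splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def kido_findings(raw: bytes) -> list:
    """Return (key, dll_path, export) for each launch entry in the Kido layout."""
    findings = []
    for key, value in parse_autorun(raw).items():
        m = KIDO_RE.search(value) if key in LAUNCH_KEYS else None
        if m:
            findings.append((key, m.group("dll"), m.group("export")))
    return findings


# Constructed sample: the page's script lines with made-up junk bytes between them.
JUNK = b"\x8fk\x02\xfeZ\x10w\xc3\x07"
DLL = rb".\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx"
SAMPLE = b"\r\n".join([
    JUNK, b"[AUTorUN]", JUNK * 3,
    b"AcTION=Open folder to view files", JUNK,
    rb"icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4", JUNK * 2,
    b"OpEn=RunDll32.EXE " + DLL + b",ahaezedrn", JUNK,
    b"sHEllExECUTe=RUNdLl32.ExE " + DLL + b",ahaezedrn", JUNK * 4,
    b"useAuTopLAY=1", JUNK,
])
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"  # constructed

if __name__ == "__main__":
    for finding in kido_findings(SAMPLE):
        print(finding)
    print(kido_findings(BENIGN))
```

The pattern accepts both RECYCLER and RECYCLED because both spellings appear in this description.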
If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:

<X>:\autorun.inf
<X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx,
Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.
This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.