
Trojan-Downloader.Win32.Kido.a

Detected Mar 07 2009 15:44 GMT
Released Mar 07 2009 20:02 GMT
Published Mar 18 2009 12:36 GMT

Technical Details

This malicious program is a Windows DLL file.

Installation

The malware copies its executable file with random names to the following directories:

%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Windows Media Player\<rnd>.dll
%Program Files%\WindowsNT\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%SpecialFolder%\<rnd>.dll
%System%\<rnd>dir.dll
%Temp%\<rnd>.dll

<rnd> is a random string of symbols.

In order to ensure that the malware is launched automatically when the system is rebooted, the program registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd>" = "rundll32.exe <path to Trojan file>"

<rnd> is a random string of symbols.

The malware also deletes the registry key shown below in order to make it impossible to boot the system in safe mode:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

It deletes the registry key shown below in order to disable Windows Security Center notifications:

[HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]

It deletes the autorun parameter for Windows Defender:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender]

It also modifies the following system registry value by appending the name of the Trojan service to the netsvcs group:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value><name of Trojan service>"

In order to ensure that it is launched every time Windows is booted, the Trojan creates a system service that loads the Trojan DLL, creating the registry keys shown below:

[HKLM\SYSTEM\CurrentControlSet\Services\<rnd>]
"Description" = "<description of a system service>"
"DisplayName" = "Manager Security"
"ImagePath" = REG_EXPAND_SZ, "%SystemRoot%\system32\svchost.exe -k netsvcs"
"Start" = "dword:0x00000002"
[HKLM\SYSTEM\CurrentControlSet\Services\<rnd>\Parameters]
"ServiceDll" = "%System%\<rnd>.dll"

<rnd> is a random string of symbols.

The displayed name of the service is made up of words from the list below:

Policy
Discovery
Storage
Power
Logon
Machine
Browser
Management
Framework
Component
Trusted
Backup
Notify
Audit
Control
Hardware
Windows
Update
Universal
Task
Support
Shell
Security
Network
Monitor
Microsoft
Manager
Installer
Image
Helper
Driver
Config
Center
Boot

The service name itself is made up of a combination of words from the list below:

Time
System
svc
Svc
srv
Srv
Service
Server
serv
prov
mon
mgmt
man
logon
auto
agent
access

It also includes a word from the list shown below:

xml
wuau
wsc
Wmi
Wmdm
win
W32
Trk
Tapi
Sec
Remote
Ras
Ntms
Net
Lanman
Ias
help
Event
Audio
App

The malware marks its presence on the system by creating a unique identifier of the form shown below:

Global\%rnd%-%rnd%
Global\%rnd%-7

Technical Details

This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 78848 bytes in size. It is written in C++.


Payload

The malware checks the current date; if this is later than 1st April 2009, the malware will deliver its payload.

The malware checks the system for the following directories:

Adobe
Agent
App
Assemblies
assembly
Boot
Build
Calendar
Collaboration
Common
Components
Cursors
Debug
Defender
Definitions
Digital
Distribution
Documents
Downloaded
en
Explorer
Files
Fonts
Gallery
Games
Globalization
Google
Help
IME
inf
Installer
Intel
Inter
Internet
Java
Journal
Kernel
L2S
Live
Logs
Mail
Maker
Media
Microsoft
Mobile
Modem
Movie
MS
msdownld
NET
New
Office
Offline
Options
Packages
Pages
Patch
Performance
Photo
PLA
Player
Policy
Prefetch
Profiles
Program
Publish
Reference
Registered
registration
Reports
Resources
schemas
Security
Service
Setup
Shell
Software
Speech
System
Tasks
Temp
tmp
tracing
twain
US
Video
Visual
Web
winsxs
Works
Zx

If these directories are not found, the Trojan will cease running.

When launched, depending on the specific modification of the malware, it disables some or all of the services listed below:

Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend, WinDefender)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)

In order to do this, it changes the original Start value of each service to the value shown below:

"Start" = "dword:0x00000004"

The Trojan injects its code into the address space of the system processes shown below:

svchost.exe
explorer.exe (if injection into svchost.exe is not successful)
services.exe (for Windows 2000)

This code delivers the Trojan’s main malicious payload.

The Trojan does not use a driver to gain access to the network protocol as the Kido worm did. It hooks the following API calls (from dnsrslvr.dll) in order to block access to the domains listed further below:

DNS_Query_A
DNS_Query_UTF8
DNS_Query_W
Query_Main
sendto
NetpwPathCanonicalize
InternetGetConnectedState

It blocks access to sites and addresses which contain any of the strings listed below:

vet.
sans.
nai.
msft.
msdn.
llnwd.
llnw.
kav.
gmer.
cert.
ca.
bit9.
avp.
avg.
windowsupdate
wilderssecurity
virus
virscan
trojan
trendmicro
threatexpert
threat
technet
symantec
sunbelt
spyware
spamhaus
sophos
secureworks
securecomputing
safety.live
rootkit
rising
removal
quickheal
ptsecurity
prevx
pctools
panda
onecare
norton
norman
nod32
networkassociates
mtc.sri
msmvps
msftncsi
mirage
microsoft
mcafee
malware
kaspersky
k7computing
jotti
ikarus
hauri
hacksoft
hackerwatch
grisoft
gdata
freeav
free-av
fortinet
f-secure
f-prot
ewido
etrust
eset
esafe
emsisoft
dslreports
drweb
Defender
cyber-ta
cpsecure
conficker
computerassociates
comodo
clamav
centralcommand
ccollomb
castlecops
bothunter
avira
avgate
avast
arcabit
antivir
anti-
ahnlab
agnitum

It terminates all processes that contain one of the strings listed below in their names:

wireshark
unlocker
tcpview
sysclean
scct_
regmon
procmon
procexp
ms08-06
mrtstub
mrt.
mbsa.
klwk
kido
kb958
kb890
hotfix
gmer
filemon
downad
confick
avenger
autoruns

By doing this, the Trojan prevents access to the majority of sites which offer antivirus database updates or dedicated utilities to remove the malicious program.

The Trojan checks for a connection to the sites shown below:

netlog.com
yandex.ru
zedo.com
doubleclick.com
2ch.net
allegro.pl
hi5.com
seznam.cz
ebay.com
odnoklassniki.ru
myspace.com
go.com
yahoo.com
fastclick.com
sourceforge.net
comcast.net
wikimedia.org
miniclip.com
mininova.org
facebook.com
adultadworld.com
4shared.com
skyrock.com
biglobe.ne.jp
download.com
youporn.com
adultfriendfinder.com
nicovideo.jp
rambler.ru
foxnews.com
terra.com.br
zshare.net
bigpoint.com
yahoo.co.jp
dell.com
ziddu.com
livejournal.com
mixi.jp
rediff.com
youtube.com
mywebsearch.com
tube8.com
xhamster.com
naver.com
tribalfusion.com
narod.ru
hyves.nl
xiaonei.com
clicksor.com
adsrevenue.net
mail.ru
files.wordpress.com
tinypic.com
ebay.it
digg.com
linkbucks.com
imdb.com
tagged.com
nba.com
msn.com
blogfa.com
recvfrom
livedoor.com
linkedin.com
kaixin001.com
reference.com
megaporn.com
torrentz.com
orange.fr
geocities.com
pcpop.com
paypopup.com
fc2.com
partypoker.com
ask.com
googlesyndication.com
badongo.com
goo.ne.jp
aweber.com
answers.com
espn.go.com
seesaa.net
metroflog.com
aim.com
megaclick.com
metacafe.com
netflix.com
sonico.com
photobucket.com
awempire.com
depositfiles.com
imageshack.us
gougou.com
pornhub.com
mediafire.com
typepad.com
imeem.com
perfspot.com
56.com
soso.com
ameba.jp
friendster.com
google.com
tuenti.com
imagevenue.com
taringa.net
badoo.com
disney.go.com
livejasmin.com
multiply.com
ucoz.ru
flickr.com
mapquest.com
ameblo.jp
pogo.com
apple.com
cricinfo.com
ebay.co.uk
studiverzeichnis.com
vkontakte.ru
wordpress.com
rapidshare.com
wikimedia.org
icq.com
xnxx.com
veoh.com
ning.com
pconline.com.cn
tudou.com
sakura.ne.jp
fotolog.net
bbc.co.uk
conduit.com
vnexpress.net
ebay.de
craigslist.org
live.com
xvideos.com
ioctlsocket
tianya.cn
alice.it
bebo.com
verizon.net
megaupload.com
kooora.com
thepiratebay.org

Main functionality

The Trojan downloads files from URLs of the type shown below:

http://<URL>/search?q=<rnd2>

<rnd2> is a random number; <URL> is a domain name generated by a special algorithm which uses the current date.

The algorithm used to generate domain names uses Microsoft Base Cryptographic Provider v1.0 in order to generate pseudorandom values.

Top-level domains are chosen from the list below:

vn
vc
us
tw
to
tn
tl
tj
tc
su
sk
sh
sg
sc
ru
ro
ps
pl
pk
pe 
no 
nl 
nf 
my 
mw 
mu 
ms 
mn 
me
md 
ly 
lv 
lu 
li 
lc 
la 
kz 
kn 
is
ir
in 
im 
ie 
hu 
ht 
hn 
hk 
gy
gs 
gr
gd
fr
fm 
es 
ec 
dm 
dk 
dj 
cz 
cx
cn
cl
ch
cd
ca
bz
bo
be
at
as
am
ag
ae
ac
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr

The new modification of the Trojan generates 50000 domain names per 24 hours, skipping the address groups listed below:

127.x.x.x
169.254.x.x
x.198.x.x
x.255.255.253
224-239.x.x.x
240-255.x.x.x

The Trojan chooses 500 domain names at random from the list generated and attempts to connect to them in order to download files. If the connection attempt is not successful, after a short interval another 500 names will be chosen.
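A proxy-log detection for the download behaviour described above, added here as an example (it is not part of the Kaspersky description): it flags clients that request /search?q=<number> on many distinct hosts under the DGA's top-level domains within a short window, which is what 500 connection attempts per round look like from the network side. The log format, the TLD subset and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Subset of the top-level domain list in the description (the full list has over 100 entries).
KIDO_TLDS = {"vn", "vc", "us", "tw", "to", "ru", "pl", "cz", "ch", "ca", "co.uk",
             "co.kr", "co.za", "com.br", "com.mx", "com.ua", "com.ve"}

def kido_tld(host):
    """Return the DGA top-level domain that host ends with (longest match first), or None."""
    labels = host.lower().split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KIDO_TLDS:
            return ".".join(labels[-n:])
    return None

def is_kido_request(method, url):
    """True for GET http://<host under a DGA TLD>/search?q=<digits>, the download URL shape."""
    u = urlsplit(url)
    return (method == "GET" and u.hostname is not None and kido_tld(u.hostname) is not None
            and u.path == "/search" and re.fullmatch(r"q=\d+", u.query) is not None)

def flag_clients(lines, min_domains=10, window=timedelta(minutes=10)):
    """{client: domains} for clients hitting >= min_domains distinct DGA-style hosts in one window."""
    # Assumed (constructed) log format: "<ISO timestamp> <client_ip> <method> <url> <status>"
    events = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) == 5 and is_kido_request(fields[2], fields[3]):
            events[fields[1]].append((datetime.fromisoformat(fields[0]),
                                      urlsplit(fields[3]).hostname.lower()))
    flagged = {}
    for client, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:  # slide the window forward
                start += 1
            domains = {h for _, h in ev[start:end + 1]}
            if len(domains) >= min_domains:  # the Trojan tries 500 names per round
                flagged[client] = sorted(domains)
                break
    return flagged

# Constructed sample log: 10.0.0.5 walks one DGA host per minute, 10.0.0.9 is normal browsing.
SAMPLE_LOG = [f"2009-03-10T10:{i:02d}:00 10.0.0.5 GET http://h{i}.{t}/search?q={7000 + i} 503"
              for i, t in enumerate(sorted(KIDO_TLDS))] + [
    "2009-03-10T10:00:05 10.0.0.9 GET http://www.google.com/search?q=conficker 200",
    "2009-03-10T10:00:06 10.0.0.9 GET http://example.ru/search?q=42 200"]
```

Legitimate search traffic touches one or two hosts, so the distinct-host count inside the window is what separates the Trojan's polling from a user's browsing.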

The body of the Trojan also contains a blacklist of 399 IP addresses which belong to security companies.

The Trojan gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
http://www.rapidshare.com
http://www.imageshack.us
http://www.facebook.com

If a connection cannot be established to these sites, the current system date will be used.

Downloaded files are saved as follows:

%Temp%\<computer_id>\<rnd>.tmp

<rnd> is a random string of symbols.


Payload

Once launched, the Trojan checks the system date. If the date is later than 09.03.2009, the Trojan ceases running and deletes itself. It also checks to see if Net-Worm.Win32.Kido is present on the infected machine.

Once it has completed these checks, it extracts a malicious program from its body, which Kaspersky Anti-Virus detects as Trojan-Downloader.Win32.Kido.a, and places this file in the current user's Windows temporary directory:

%Temp%\<rnd>.tmp, with <rnd> standing for a random string of symbols.

This file is 81408 bytes in size and is then launched for execution.

The Trojan also extracts a batch file from its body and places this file in the current user’s Windows temporary directory:

%Temp%\<rnd>.cmd, with <rnd> being a random string of symbols.

This file is 53 bytes in size and is used by the Trojan to delete itself.

Once extracted, it is launched for execution and deletes the original Trojan file.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the following system registry key:
    [HKLM\SYSTEM\CurrentControlSet\Services\<rnd>]
  2. Delete "%System%\<rnd>.dll" from the system registry key value shown below:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
  3. Restore the following registry keys:
    [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender]
  4. Reboot the computer.
  5. Delete the following files:
    %Program Files%\Internet Explorer\<rnd>.dll
    %Program Files%\Windows Media Player\<rnd>.dll
    %Program Files%\WindowsNT\<rnd>.dll
    %Program Files%\Movie Maker\<rnd>.dll
    %SpecialFolder%\<rnd>.dll
    %System%\<rnd>dir.dll
    %Temp%\<rnd>.dll
  6. Restore the launch of the following services:
    wscsvc - Security Center
    wuauserv - Automatic updates
    BITS - Background Intelligent Transfer Service
    WinDefend - Windows Defender
    ERSvc - Error Reporting Service
    WerSvc - Windows Error Reporting Service
  7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
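A read-only audit of the persistence and tampering indicators described in the installation section (the netsvcs service entry, the deleted keys, the disabled services and the rundll32 Run value), added here as an example to run before or after the removal steps; it is not Kaspersky's code. The unsigned-ServiceDll heuristic and the drop-directory pattern are assumptions of this example, so its output is a review queue rather than a verdict.

```powershell
# Added triage script (not from the Kaspersky description). Read-only; run elevated.
# Checks the registry indicators listed on this page and prints anything that matches.
$findings = @()
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Each name in the netsvcs group maps to a service whose ServiceDll svchost loads.
#    The Trojan appends its own <rnd> name with DisplayName "Manager Security" and an
#    unsigned %System%\<rnd>.dll. Catalog-signed system DLLs can also show as not 'Valid'
#    on older Windows, so review the entries listed here rather than treating them as proof.
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost').netsvcs
foreach ($name in $netsvcs) {
    if (-not (Test-Path "$svcRoot\$name")) { continue }
    $svc = Get-ItemProperty "$svcRoot\$name"
    $dll = (Get-ItemProperty "$svcRoot\$name\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $dllPath -ErrorAction SilentlyContinue
    if ($svc.DisplayName -eq 'Manager Security' -or $sig.Status -ne 'Valid') {
        $findings += "netsvcs entry '$name' -> $dllPath (DisplayName='$($svc.DisplayName)', signature=$($sig.Status))"
    }
}

# 2. Keys the Trojan deletes (safe-mode boot, Security Center notifications).
foreach ($key in @('HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}')) {
    if (-not (Test-Path $key)) { $findings += "deleted key: $key" }
}

# 3. Services the Trojan disables by setting Start = 4 (SERVICE_DISABLED).
foreach ($s in 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc') {
    if ((Test-Path "$svcRoot\$s") -and ((Get-ItemProperty "$svcRoot\$s").Start -eq 4)) {
        $findings += "service disabled: $s"
    }
}

# 4. HKCU Run values of the form "rundll32.exe <path>" pointing into the drop directories.
$dropDirs = 'Internet Explorer|Windows Media Player|WindowsNT|Movie Maker'
foreach ($p in (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties) {
    if ("$($p.Value)" -match "^rundll32(\.exe)?\s.*\\($dropDirs)\\[^\\]+\.dll") {
        $findings += "HKCU Run '$($p.Name)' = $($p.Value)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Kido.a indicators found.' }
```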

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine) if it has not deleted itself.
  2. Delete all files created by the Trojan:
    %Temp%\<rnd>.tmp
    %Temp%\<rnd>.cmd
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs to be downloaded is either contained in the Trojan's code or downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.


Aliases

Trojan-Downloader.Win32.Kido.a (Kaspersky Lab) is also known as:

  • Trojan-Dropper.Win32.Kido.a (Kaspersky Lab)
  • Net-Worm.Win32.Kido.jc (Kaspersky Lab)
  • Net-Worm.Win32.Kido.iw (Kaspersky Lab)
  • Backdoor.Win32.Agent.yyg (Kaspersky Lab)
  • Trojan: W32/Conficker.worm.gen.c (McAfee)
  • Mal/Conficker-B (Sophos)
  • W32/Conficker.B.worm (Panda)
  • W32/Conficker.D.gen!Eldorado (FPROT)
  • Worm:Win32/Conficker.D (MS(OneCare))
  • Win32.Worm.Downadup.Gen (BitDef7)
  • Trojan.DL.Kido!o4xewmy5Jhc (VirusBuster)
  • Win32:CoPack [Cryp] (AVAST)
  • Trojan-Downloader.Win32.Kido (Ikarus)
  • Worm/Downadup (AVG)
  • W32/Conficker.AFK (Norman)
  • Trojan-Downloader.Win32.Kido.a [AVP] (FSecure)
  • WORM_DOWNAD.AD (TrendMicro)
  • Trojan.DL.Kido!o4xewmy5Jhc (VirusBusterBeta)