Net-Worm.Win32.Kido Network Worm Epidemic & Cure Utility

    Since the beginning of the year, a global epidemic of the network worm Net-Worm.Win32.Kido has been observed.
    The worm spreads over the local network and via removable storage media.
    When a computer is infected, the worm starts an HTTP server on a random TCP port, which is then used to download the worm's executable file to other computers.
    The worm uses a vulnerability in the Server service of the Windows family of operating systems, MS08-067, discovered in late October 2008. In order to exploit the vulnerability, the worm tries to connect to the remote machine under the administrator account, trying in turn the passwords that its creator embedded in the virus body.
    Once the worm is running, access to the sites of anti-virus companies is blocked on the victim computer. Users are also blocked from domain names containing the words “virus”, “rootkit”, “spyware” and others, to prevent owners of infected computers from getting help on user support sites.
    Dozens of modifications of this worm are known.
    Removal recommendations have been issued by all leading AV vendors. Kaspersky Lab has released a special utility, KidoKiller, for fighting the Net-Worm.Win32.Kido network worm; the utility contains generic detection of all known modifications of the worm.
    The treatment procedure using this utility is described in this article: www.kaspersky.ru/support/wks6mp3/error?qid=208636215

    Based on materials from virusinfo.info, av-school.ru

    Below is the treatment procedure, copied from the Kaspersky Lab site for those who cannot reach it because of the worm's actions.

    Firstly, the websites of AV companies are accessible by IP address. Website 195.27.181.35
    Secondly, you can visit the resource Virusinfo.info (216.246.90.119) - our helpers will help you cope with the infection.

    The instruction itself.

    Methods of removal

    The removal of the network worm is performed using the special kidokiller.exe utility.

    Attention! To protect all workstations and network servers against infection, the following set of measures should be carried out:

    o Install a patch that covers the MS08-067 vulnerability.

    o Make sure that the password for the local administrator account is resistant to cracking: the password must contain at least six characters, using mixed case and/or digits.

    o Disable autorun of executable files from removable media.
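
    A local check for two of the measures listed above, as an added PowerShell example that is not part of the original instruction or of Kaspersky Lab's tooling. The update ID KB958644 for MS08-067 and the NoDriveTypeAutoRun registry value are assumptions not given in the article; the administrator password cannot be audited this way.

```powershell
# Added example: local audit of two measures from the list above.
# Assumed, not stated in the article: KB958644 as the update ID for MS08-067,
# and the NoDriveTypeAutoRun policy value as the autorun control.

function Test-Ms08067Update {
    # True only if the update is listed under this ID; a fix delivered by a
    # later service pack or superseding update will not show up here.
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-AutoRunMask {
    # The machine-wide policy (HKLM) overrides the per-user one (HKCU).
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty -Path "$hive\$sub" -Name 'NoDriveTypeAutoRun' `
                              -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            $v = $p.NoDriveTypeAutoRun
            # Older systems may store the value as REG_BINARY; the drive-type
            # bits are in the first byte.
            if ($v -is [byte[]]) { $v = $v[0] }
            return [int]$v
        }
    }
    return $null   # value not set: Windows defaults apply
}

function Test-RemovableAutoRunOff {
    param($Mask)
    # Bit 0x04 covers removable drives; 0xFF disables autorun on all drive types.
    if ($null -eq $Mask) { return $false }
    return (($Mask -band 0x04) -ne 0)
}

$mask      = Get-AutoRunMask
$maskText  = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { 'not set' }
$patched   = Test-Ms08067Update
$autorunOk = Test-RemovableAutoRunOff $mask

New-Object PSObject -Property @{
    Computer              = $env:COMPUTERNAME
    MS08_067_UpdateListed = $patched
    AutoRunMask           = $maskText
    RemovableAutoRunOff   = $autorunOk
} | Format-List
```

    A result of False for MS08_067_UpdateListed means only that the update is not listed under that ID, so confirm the patch level manually before treating the machine as unpatched.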

    The kidokiller.exe utility can remove the network worm locally on an infected computer, or centrally if Kaspersky Administration Kit is deployed on the network.

    Local removal:

    1. Download the KidoKiller_v2.zip archive (another site 1, another site 2) and unzip it into a separate folder on the infected machine.

    2. Run the KidoKiller.exe file.

    Note

    At the end of the scan, the computer may have an active command prompt window waiting for any key to be pressed to close. To automatically close the window, we recommend that you run the KidoKiller.exe utility with the -y switch.

    3. Wait for the scan to complete.

    4. Scan the entire computer using Kaspersky Anti-Virus.
