Since the beginning of the year, there has been a global epidemic of the Net-Worm.Win32.Kido network worm.
The worm spreads over the local network and via removable storage media.
When infecting a computer, the worm starts an HTTP server on a random TCP port, which is then used to download the worm's executable file to other computers.
The worm exploits the MS08-067 vulnerability in the “Server” service of Windows-family operating systems, discovered at the end of October 2008. In order to take advantage of the vulnerability, the worm attempts to connect to a remote machine under an administrator account, sequentially going through the passwords laid down by the creator in the body of the virus.
After launch, the worm blocks access to the sites of antivirus companies on the victim computer. It also blocks users from accessing domain names containing the words “virus”, “rootkit”, “spyware” and others, in order to prevent owners of infected computers from getting help on user assistance sites.
There are dozens of modifications of this worm.
Removal recommendations have been issued by all leading AV vendors. Kaspersky Lab has released a special utility, KidoKiller, to combat the Net-Worm.Win32.Kido network worm; the utility contains generic detection of all known modifications of the worm.
The treatment procedure with this utility is described in this article:
www.kaspersky.ru/support/wks6mp3/error?qid=208636215
Based on materials from virusinfo.info and av-school.ru.
Below is the treatment procedure, copied from the Kaspersky Lab site, for those who do not have access there as a result of the worm's actions.
First, the websites of AV companies are available by IP address. Website 195.27.181.35
Secondly, you can visit the resource Virusinfo.info (216.246.90.119) - our helpers will help you to cope with the infection.
The instruction itself.
Removal methods
The network worm is removed using the special utility kidokiller.exe.
Attention! To protect against infection, the following set of measures must be carried out on all workstations and servers on the network:
o Install the patch covering the MS08-067 vulnerability.
o Make sure that the password of the local administrator account is resistant to cracking: the password must contain at least six characters, using mixed case and/or numbers.
o Disable autorun of executables from removable media.
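The three measures above can be checked on each host with a short audit script. This is an added example, not part of the original instructions or of the KidoKiller utility; `$HotfixId` is a placeholder for the KB number of the MS08-067 update (the page does not state it), and the minimum-length policy check is only a proxy for the administrator password requirement.

```powershell
param(
    # Placeholder: KB number of the MS08-067 update, taken from the
    # Microsoft bulletin (not stated on this page).
    [Parameter(Mandatory = $true)][string]$HotfixId
)

$findings = @()

# 1. Patch. Get-HotFix lists only updates still recorded on the host, so a
#    superseding update can produce a false "not found".
$patch = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check  = "Patch $HotfixId installed"
    Pass   = [bool]$patch
    Detail = $(if ($patch) { "installed on $($patch.InstalledOn)" } else { 'not found' })
}

# 2. Autorun. NoDriveTypeAutoRun is a bitmask; bit 0x04 covers removable
#    drives. A missing value means the machine-wide policy is not set.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$findings += [pscustomobject]@{
    Check  = 'Autorun disabled for removable media'
    Pass   = ($null -ne $value) -and (($value -band 0x04) -ne 0)
    Detail = $(if ($null -ne $value) { 'NoDriveTypeAutoRun = 0x{0:X2}' -f $value }
               else { 'NoDriveTypeAutoRun not set in HKLM' })
}

# 3. Password policy (proxy only). The page asks for at least six characters;
#    this reads the local minimum-length policy, not the password itself.
$minLen = [int]([ADSI]"WinNT://$env:COMPUTERNAME").MinPasswordLength.Value
$findings += [pscustomobject]@{
    Check  = 'Minimum password length >= 6'
    Pass   = $minLen -ge 6
    Detail = "policy minimum = $minLen"
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets a deployment tool flag hosts that still need work.
if ($findings.Pass -contains $false) { exit 1 }
```

A passing policy check does not prove the administrator password is strong; it only shows that a shorter one would be rejected on the next change.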
You can remove the network worm using the kidokiller.exe utility locally on an infected computer or centrally if Kaspersky Administration Kit is deployed on the network.
Local removal:
1. Download the KidoKiller_v2.zip archive (another site 1, another site 2) and unpack it into a separate folder on the infected machine.
2. Run the KidoKiller.exe file.
Note
After the scan is completed, a command prompt window may remain open on the computer, waiting for a key press to close. To close the window automatically, we recommend running the KidoKiller.exe utility with the -y switch.
3. Wait for the scan to complete.
4. Scan the entire computer using Kaspersky Anti-Virus.