Net-Worm.Win32.Kido.ih Removal
This worm spreads via local area networks and removable storage media. When Net-Worm.Win32.Kido.ih copies itself to a remote computer, it first writes a temporary file with a random extension. The worm itself is a Windows DLL. The worm components vary in size from 155 KB to 165 KB and are packed with UPX.
Once Net-Worm.Win32.Kido.ih has infected a machine, it creates a system service that launches the worm's executable file each time Windows boots. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
It then appends its DLL to the following Windows registry value, which lists what the shared svchost.exe instance for the "netsvcs" group loads:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll".
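The persistence described above can be checked directly from the registry. The script below is an added example written for this page, not code from the original description or from any vendor tool: it walks the "netsvcs" group, resolves each member's ServiceDll, and flags DLLs that are missing, unsigned, or listed in netsvcs without a matching Services key. It assumes an elevated PowerShell prompt on the suspect host.

```powershell
# Added example: triage the svchost "netsvcs" group for an injected service DLL.
# Illustrative code written for this page; run it from an elevated PowerShell prompt.

$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# The description above says the worm creates a Services key literally named "netsvcs".
if (Test-Path (Join-Path $servicesKey 'netsvcs')) {
    Write-Output "[!] Services\netsvcs key exists (not present on a clean system)"
}

# "netsvcs" is a REG_MULTI_SZ: the names of the services that one shared
# svchost.exe instance loads. Anything appended here runs inside that process at boot.
$group = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

foreach ($name in $group) {
    $svcPath = Join-Path $servicesKey $name
    if (-not (Test-Path $svcPath)) {
        Write-Output "[?] $name is listed in netsvcs but has no Services key"
        continue
    }

    $params = Join-Path $svcPath 'Parameters'
    $dll = $null
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    }
    if (-not $dll) {
        Write-Output "[?] $name has no ServiceDll value"
        continue
    }

    # ServiceDll is usually written as %SystemRoot%\System32\<name>.dll; expand it.
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path $dll)) {
        Write-Output "[!] $name points at a missing file: $dll"
        continue
    }

    # The worm DLL is unsigned, sits in %System% under a random name and is
    # roughly 155-165 KB packed, so report size alongside the signature state.
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $size = (Get-Item -Path $dll).Length
    if ($sig.Status -ne 'Valid') {
        Write-Output ("[!] {0}: {1} ({2} bytes, signature {3})" -f $name, $dll, $size, $sig.Status)
    }
}
```

Any line marked "[!]" deserves a manual look: an unsigned DLL with a meaningless name in System32, listed in netsvcs, is exactly the footprint described above. Legitimate but unsigned third-party service DLLs will also be reported, so treat the output as a triage list rather than a verdict.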
The Net-Worm.Win32.Kido.ih worm then starts an HTTP server on a random port. That server is used to deliver the worm's executable file to other computers on the same network, which the worm attacks through a buffer overrun vulnerability (MS08-067) in the Server service.
The Net-Worm.Win32.Kido.ih worm copies its executable file to removable media under the following name, inside a SID-like directory in the RECYCLER folder:
<Drive>:\RECYCLER\S-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>\<rnd>.vmx
In addition to its executable file, the worm also creates the file shown below in the root of every disk:
<Drive>:\autorun.inf
This file launches the worm's executable file each time Explorer opens the infected removable drive with AutoRun enabled. Disabling AutoRun for all drive types (the NoDriveTypeAutoRun Explorer policy set to 0xFF) stops this infection path.
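The removable-media footprint described above (the autorun.inf in the drive root and the .vmx copy under a SID-like RECYCLER directory) can be hunted for with the script below. It is an added example written for this page, not code from the original description: it enumerates removable drives, prints only the launch directives from any autorun.inf it finds, lists .vmx files under SID-named RECYCLER subfolders, and reports whether AutoRun is still enabled. It assumes an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example: hunt removable drives for the Kido/Conficker drop pattern.
# Illustrative code written for this page; run from an elevated PowerShell prompt.

# Win32_LogicalDisk DriveType 2 = removable disk.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -and $_.DeviceID }

foreach ($disk in $removable) {
    $root    = $disk.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'

    if (Test-Path $autorun) {
        Write-Output "[!] $autorun present"
        # Show only directives that launch something; anything else in the
        # file is noise as far as the infection path is concerned.
        Get-Content -Path $autorun -ErrorAction SilentlyContinue |
            Select-String -Pattern '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' |
            ForEach-Object { "    $($_.Line.Trim())" }
    }

    # The worm hides its copy under a SID-like folder inside RECYCLER,
    # with a .vmx extension instead of .dll.
    $recycler = Join-Path $root 'RECYCLER'
    if (Test-Path $recycler) {
        Get-ChildItem -Path $recycler -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^S-\d+(-\d+)+$' } |
            ForEach-Object {
                Get-ChildItem -Path $_.FullName -Filter '*.vmx' -Force -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        Write-Output ("[!] {0} ({1} bytes)" -f $_.FullName, $_.Length)
                    }
            }
    }
}

# AutoRun policy: 0xFF disables AutoRun for every drive type.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value  = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($value -ne 0xFF) {
    Write-Output "[?] NoDriveTypeAutoRun is '$value'; set it to 0xFF (REG_DWORD) to disable AutoRun on all drive types"
}
```

Before deleting a flagged .vmx file, copy it off for analysis and compare its size with the 155 KB to 165 KB range given above; the autorun.inf directives printed by the script should reference that same path.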