Net-Worm.Win32.Kido.ih Removal

This worm spreads via local area networks and removable storage media. When Net-Worm.Win32.Kido.ih copies itself to remote computers, the worm creates a temporary file with a random extension. The worm itself is a Windows DLL Library file. The worm components vary in size from 155KB to 165KB and packed with UPX.

Once the Net-Worm.Win32.Kido.ih worm infected, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created :

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

And then modifies the following windows registry key value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll".

The Net-Worm.Win32.Kido.ih worm then launches an HTTP server on a random port, then used to download the worm's executable file to other computers in the same network as the victim machine and attacks via a buffer overrun vulnerability (MS08-067) in the Server service.

The Net-Worm.Win32.Kido.ih worm copies its executable file to removable media under the following name:

<Drive>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<rnd>.vmx,

In addition to its executable file, the worm also creates file shown below in the root of every disk:

<Drive>:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected removable drive.

Download Net-Worm.Win32.Kido.ih Removal Tools here