Thursday, December 10, 2009

Net-Worm.Win32.Kido.ih Removal

This worm spreads via local area networks and removable storage media. When Net-Worm.Win32.Kido.ih copies itself to remote computers, it creates a temporary file with a random extension. The worm itself is a Windows DLL file. Its components vary in size from 155KB to 165KB and are packed with UPX.

Once Net-Worm.Win32.Kido.ih has infected a machine, it creates a system service that launches the worm's executable file each time Windows is booted. The following registry key is created:

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]


It then modifies the following Windows registry value:



[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll".


The Net-Worm.Win32.Kido.ih worm then launches an HTTP server on a random port, which is used to download the worm's executable file to other computers on the same network as the victim machine. It attacks those computers via a buffer overrun vulnerability (MS08-067) in the Server service.



The Net-Worm.Win32.Kido.ih worm copies its executable file to removable media under the following name:



<Drive>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<rnd>.vmx


In addition to its executable file, the worm also creates the file shown below in the root of every disk:



<Drive>:\autorun.inf


This file will launch the worm's executable file each time Explorer is used to open the infected removable drive.
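The two persistence indicators described above (a DLL path appended to the SvcHost "netsvcs" value, and an autorun.inf that launches a .vmx file under RECYCLER) can be checked with a short script. This is an added example, not part of the original post or any vendor tool; the function names and sample data are constructed, and it assumes the netsvcs value has been exported as a list of strings and that legitimate entries are bare service names.

```python
import re

# Path shape the page gives for the removable-media copy:
# RECYCLER\S-<numbers>\<rnd>.vmx (the count of numeric groups is not enforced).
VMX_IN_RECYCLER = re.compile(r"RECYCLER\\S-\d+(?:-\d+)+\\[^\\\s,]+\.vmx", re.I)
# autorun.inf keys that make Explorer run a command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=\\]+\\command)$", re.I)


def suspicious_netsvcs_entries(entries):
    """Return netsvcs entries that are file paths instead of bare service names."""
    flagged = []
    for entry in entries:
        value = entry.strip()
        if "\\" in value or "/" in value or value.lower().endswith(".dll"):
            flagged.append(value)
    return flagged


def autorun_vmx_commands(autorun_text):
    """Return (key, command) pairs in autorun.inf that launch a .vmx under RECYCLER."""
    hits = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, command = line.partition("=")
        key = key.strip()
        if LAUNCH_KEY.match(key) and VMX_IN_RECYCLER.search(command):
            hits.append((key.lower(), command.strip()))
    return hits


# Constructed sample data, not taken from a real host or malware sample.
SAMPLE_NETSVCS = ["BITS", "Schedule", "wuauserv", r"C:\Windows\system32\qzkfm.dll"]
SAMPLE_AUTORUN = "\n".join([
    "[autorun]",
    "; constructed example",
    "icon=shell32.dll,4",
    r"shellexecute=rundll32.exe .\RECYCLER\S-1-2-3-4-5-6-7\qzkfm.vmx,start",
    "open=setup.exe",
])

if __name__ == "__main__":
    print(suspicious_netsvcs_entries(SAMPLE_NETSVCS))
    print(autorun_vmx_commands(SAMPLE_AUTORUN))
```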



Download Net-Worm.Win32.Kido.ih Removal Tools here
