Thursday, April 14, 2011

Removing Win32 Kido.ih, kido.dv and kido.fx net worm

Technical details

This network worm spreads via local networks and removable storage media. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX.

Installation
The worm copies its executable file with random names as shown below:

%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp
is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
The worm also modifies the following system registry key value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = " %System%\.dll"
Propagation
The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. The worm sends a specially crafted RPC request to remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll; this launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the passwords shown below to brute force the account:
 

Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:

:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx

In addition to its executable file, the worm also places the file shown below in the root of every disk:

:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected disk.

Payload
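The two removable-media artefacts described above (an autorun.inf in the drive root and a .vmx file under a SID-looking RECYCLER folder) can be checked for without touching anything. The following script is an added example, not code from the original post or from the vendor: it enumerates removable drives, reports autorun.inf and any launch directives it contains, and lists .vmx files under RECYCLER\S-…\ folders with their size and SHA256. The seven-field SID-like folder pattern in the regex is an assumption taken from the placeholder shown on the page.

```powershell
# Added example (not from the original post): read-only scan of removable drives for
# the artefacts the write-up describes. Nothing is deleted; findings are returned as objects.

function Get-KidoRemovableArtifacts {
    [CmdletBinding()]
    param()

    # DriveType 2 = removable disk (Win32_LogicalDisk)
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

    foreach ($drive in $removable) {
        $root = $drive.DeviceID + '\'

        # 1. autorun.inf in the drive root. Report the directives that point Explorer at a
        #    payload (open=, shellexecute=, shell\...\command=); the file is flagged even if
        #    those lines are obfuscated and the regex matches nothing.
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) {
            $lines = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
            [pscustomobject]@{
                Drive   = $drive.DeviceID
                Path    = $autorun
                Finding = 'autorun.inf present in drive root'
                Detail  = ($lines -join '; ')
            }
        }

        # 2. RECYCLER\S-<digits>-...\*.vmx. The SID-looking folder name is assumed to follow the
        #    seven-field placeholder on the page; a genuine recycle bin holds no .vmx files.
        $recycler = Join-Path $root 'RECYCLER'
        if (Test-Path -LiteralPath $recycler) {
            Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^S-\d+(-\d+){5,7}$' } |
                ForEach-Object {
                    Get-ChildItem -LiteralPath $_.FullName -Filter '*.vmx' -File -Force -ErrorAction SilentlyContinue
                } |
                ForEach-Object {
                    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    [pscustomobject]@{
                        Drive   = $drive.DeviceID
                        Path    = $_.FullName
                        Finding = 'suspicious .vmx under RECYCLER'
                        Detail  = ('{0} bytes, SHA256 {1}' -f $_.Length, $hash)
                    }
                }
        }
    }
}

Get-KidoRemovableArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt with the suspect media attached; the hash in the Detail column is what you would compare against your antivirus vendor's detection data before deleting anything.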

When launched, the worm injects its code in the address space of one of the active “svchost.exe” system processes. This code delivers the worm's main malicious payload and:

disables the following services:
 

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number; the host part of the URL is generated by an algorithm that takes the current date as input. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
Downloaded files are saved to the Windows system directory under their original names.


Removal instructions:

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:

Delete the following system registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
Reboot the computer.
Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

Delete copies of the worm:
%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp
is a random string of symbols.

Delete the files shown below from all removable storage media:
:\autorun.inf
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx,

Download and install updates for the operating system:
Download System updates
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
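The persistence mechanism described under Installation and the first two removal steps both come down to one question: which DLLs does the svchost "netsvcs" group actually load, and is each one a legitimate Windows component? The following script is an added example, not the vendor's or the original post's code. It reads the netsvcs group from the SvcHost key, resolves every member service to its ServiceDll, and flags any DLL that is missing, unsigned, or located outside the Windows directory (the drop locations listed above are all outside it). The group name and the "outside %WINDIR%" heuristic are assumptions chosen for this example.

```powershell
# Added example (not from the original post): read-only audit of the svchost "netsvcs"
# service group. Each member service is resolved to its ServiceDll and the DLL's
# Authenticode status and location are reported. Nothing in the registry is changed.

function Get-NetsvcsServiceAudit {
    [CmdletBinding()]
    param(
        [string]$Group = 'netsvcs'   # assumed group name, as named in the write-up
    )

    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    # REG_MULTI_SZ value: one service name per element
    $members = (Get-ItemProperty -Path $svchostKey -Name $Group -ErrorAction Stop).$Group

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $dll = $null

        # ServiceDll normally lives under Parameters; a few services set it on the key itself.
        foreach ($k in @("$svcKey\Parameters", $svcKey)) {
            if (Test-Path -Path $k) {
                $v = (Get-ItemProperty -Path $k -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
                if ($v) { $dll = $v; break }
            }
        }

        if (-not $dll) {
            # A group member with no ServiceDll (or no service key at all) is worth a look too.
            [pscustomobject]@{
                Service = $name; ServiceDll = $null; Exists = (Test-Path -Path $svcKey)
                Signed = 'n/a'; Signer = $null; Suspicious = -not (Test-Path -Path $svcKey)
            }
            continue
        }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $exists   = Test-Path -LiteralPath $expanded
        $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $expanded } else { $null }
        $signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Heuristic (assumption): a service DLL that is missing, not validly signed, or stored
        # outside %WINDIR% deserves manual review. The write-up's drop paths (Internet Explorer,
        # Movie Maker, All Users application data, %Temp%) are all outside %WINDIR%.
        $inWindows  = $expanded -like (Join-Path $env:WINDIR '*')
        $suspicious = (-not $exists) -or ($null -eq $sig) -or ($sig.Status -ne 'Valid') -or (-not $inWindows)

        [pscustomobject]@{
            Service    = $name
            ServiceDll = $expanded
            Exists     = $exists
            Signed     = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer     = $signer
            Suspicious = $suspicious
        }
    }
}

# Show only the entries that need a human decision; drop the filter to see the whole group.
Get-NetsvcsServiceAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Treat the signature check and the path check as two independent signals rather than a verdict: on older Windows releases some catalog-signed system DLLs report NotSigned to Get-AuthenticodeSignature, while a DLL dropped under Internet Explorer or %Temp% will stand out on path alone. Once a member has been confirmed malicious, the removal steps above (delete the service key, remove the name from the netsvcs value, reboot, delete the file) apply to exactly the Service and ServiceDll values this script reports.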

OR, to remove this malicious software, try the MICROSOFT MALICIOUS SOFTWARE REMOVAL TOOL

Download Now 
