Removing Net-Worm.Win32.Kido (aka Conficker, Downadup)


INTRODUCTION

Kido (aka Conficker or Downadup) was first detected in November 2008 as a worm which spreads across local networks and removable storage media. The latest generation of Kido is unable to spread by itself, but like earlier variants, it can update itself by downloading additional code.

Kido has created a powerful botnet of infected machines. It was programmed to update itself on 1st April 2009, and the latest generation of this program is designed to generate 50,000 domain names according to a random algorithm, and then choose 500 of these domains which it can potentially contact to update itself. Kido uses very sophisticated technology. It downloads updates from constantly changing online resources; uses P2P networks as an additional source of downloads; uses strong encryption to prevent interference with its command and control center; and prevents antivirus products from receiving updates.


SYMPTOMS

1) Network traffic volume increases if there are infected PCs in the network, because the network attack is launched from these PCs.

2) An anti-virus product with the Intrusion Detection System enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.

3) It is impossible to access the websites of Microsoft and of most antivirus companies, e.g. avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc.

4) An attempt to activate Anti-Virus or Internet Security with an activation code on a computer infected with the Net-Worm.Win32.Kido network worm may result in abnormal termination with one of the following errors:

* Activation procedure completed with system error 2.
* Activation error: Server name cannot be resolved.
* Activation error. Unable to connect to server.
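The first symptom above (infected PCs launching the network attack) shows up in firewall or flow logs as one internal host trying SMB ports on many different peers. The script below is an added example, not part of the Kaspersky article: it parses a few constructed log lines in an assumed "time src -> dst:port proto action" layout and reports sources that fan out to an unusually large number of distinct hosts on TCP 445 or 139, so they can be isolated before the network-wide disinfection in the next section. The threshold and the line format are assumptions; a real firewall export needs its own regex.

```python
"""Flag hosts that fan out SMB connection attempts (the scanning symptom above).
Added example for this article, not Kaspersky's code."""
import re
from collections import defaultdict

# The ports the worm's NetAPI attack travels over (the same ports step 1 below blocks).
SMB_PORTS = {445, 139}

# Constructed sample lines in an assumed "<time> <src> -> <dst>:<port> <proto> <action>"
# layout. One host probes six different peers; another talks to a single file server.
SAMPLE_LOG = """\
09:00:01 192.168.1.20 -> 192.168.1.5:445 TCP ALLOW
09:00:01 192.168.1.20 -> 192.168.1.6:445 TCP ALLOW
09:00:02 192.168.1.20 -> 192.168.1.7:445 TCP DENY
09:00:02 192.168.1.20 -> 192.168.1.8:445 TCP DENY
09:00:03 192.168.1.20 -> 192.168.1.9:139 TCP DENY
09:00:03 192.168.1.20 -> 192.168.1.10:445 TCP DENY
09:00:04 192.168.1.30 -> 192.168.1.5:445 TCP ALLOW
09:00:05 192.168.1.30 -> 192.168.1.5:445 TCP ALLOW
09:00:06 192.168.1.40 -> 10.0.0.1:80 TCP ALLOW
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\S+)\s+(?P<action>\S+)$"
)


def parse_log(text):
    """Yield (src, dst, port) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def smb_fanout(text):
    """Map each source address to the set of distinct hosts it contacted on SMB ports."""
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port in SMB_PORTS:
            targets[src].add(dst)
    return targets


def suspect_scanners(text, min_targets=5):
    """Return {src: distinct_target_count} for sources at or above the fan-out threshold.

    min_targets is an assumed value; tune it to how many servers a workstation
    on this network normally reaches over SMB."""
    return {src: len(dsts) for src, dsts in smb_fanout(text).items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in sorted(suspect_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {count} distinct SMB peers - isolate and disinfect this host first")
```

Denied attempts count as much as allowed ones: a host that keeps probing after the firewall rule in step 1 is in place is still infected and still needs the removal tool.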


TROUBLESHOOTING

1) Block access to TCP ports 445 and 139 on the network firewall.
You need to block these ports only during the disinfection process. As soon as the entire network has been disinfected, feel free to unblock the ports.

2) Install the Microsoft patches covering the vulnerabilities MS08-067, MS08-068 and MS09-001
[Support Center » Downloads » Windows Server 2003 R2 2003 Critical Update, download corresponding patch and install it].

3) Download and extract KK.zip
[Support Center » Downloads » Kaspersky Conficker Removal]

4) Disable autorun of executable files from removable drives by launching kk.exe with the -a switch.
For Windows XP/Server OS: Start - Run - type kk.exe -a - click OK
For Windows Vista OS: Start - All Programs - Accessories - Run - type kk.exe -a - click OK

5) Make sure the local administrator's password is strong and cannot be easily hacked: the password should be at least 6 characters long and use a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks.
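The policy in step 5 can be enforced before an administrator password is set rather than after. The checker below is an added example, not Kaspersky's code; it encodes exactly the rules stated above (minimum length 6, lowercase, uppercase, a digit and a non-alphanumeric character) and returns every rule a candidate fails so the operator sees all problems at once instead of one per attempt.

```python
"""Check a candidate local administrator password against the policy in step 5.
Added example for this article, not Kaspersky's code."""

MIN_LENGTH = 6  # the minimum the article states


def password_findings(password):
    """Return a list of the policy rules the password violates (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    # Anything that is neither letter nor digit counts, e.g. punctuation marks.
    if not any(not c.isalnum() for c in password):
        findings.append("no non-alphanumeric character (e.g. punctuation)")
    return findings


def is_compliant(password):
    """True when the password satisfies every rule of the policy."""
    return not password_findings(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("password", "Passw0rd!", "Ab1!"):
        problems = password_findings(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

The length rule is checked on characters, not bytes, so a password containing non-ASCII letters is measured the way the user typed it.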


Switches for running kk.exe from the command prompt:

-p = Scan a defined folder.
-f = Scan hard disks.
-n = Scan network drives.
-r = Scan flash drives, scan removable hard USB and FireWire disks.
-y = End program without pressing any key.
-s = Silent mode (without a black window).
-l = Write info into a log.
-v = Extended log maintenance (the switch -v works only in combination with the -l switch).
-z = Restore the following services:
* Background Intelligent Transfer Service (BITS),
* Windows Automatic Update Service (wuauserv),
* Error Reporting Service (ERSvc/WerSvc),
* Windows Defender (WinDefend),
* Windows Security Center Service (wscsvc).
-x = Restore display of hidden system files.
-a = Disable autorun from all drives.
-m = Monitoring mode to protect the system from getting infected.
-t = Clear the registry of services left behind after the network worm has been removed with our products.
-j = Restore the SafeBoot registry branch (if this registry branch is deleted, the computer cannot boot in Safe Mode).
-help = Show additional information about the utility.

(Source: Kaspersky Lab 2010, www.kaspersky.com)
