How to Remove KIDO

Published on May 2016 | Categories: Types, Instruction manuals | Downloads: 75 | Comments: 0 | Views: 668

Kaspersky Endpoint Security 8 for Windows (for file servers)

How to clean a corporate network from the network worm Net-Worm.Win32.Kido (aka Conficker, Downadup)?
ID: 4673
2012 Dec 13

Applies to:
 Kaspersky Endpoint Security 8 for Windows
 Kaspersky Anti-Virus for Windows Workstations, all versions
 Kaspersky Anti-Virus for Windows Servers, all versions
 Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
 Kaspersky Anti-Virus 8.0 for Storage
A brief description of the Net-Worm.Win32.Kido family

- The malware creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (and sometimes on public network shares).
- The malware stores itself in the system as a .dll file with a random name, for example c:\windows\system32\zorizr.dll.
- The malware registers itself as a system service under a random name, for example knqdgsm.
- It attacks networked hosts over TCP port 445 or 139, exploiting the MS Windows vulnerability MS08-067.
- The malware tries to reach the following websites in order to learn the external IP address of the infected host (we recommend configuring a network firewall rule to monitor connection attempts to these websites):
  - http://www.getmyip.org
  - http://getmyip.co.uk
  - http://www.whatsmyipaddress.com
  - http://www.whatismyip.org
  - http://checkip.dyndns.org
Symptoms of infection

- Network traffic volume increases if there are infected hosts in the network, because network attacks are launched from these hosts.
- The Anti-Virus product with the Firewall component enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.
  IMPORTANT: If you keep receiving attack alerts, the remote host whose address the alert messages report is infected. If possible, it must be disinfected in order to stop the attacks.
- Websites of the major antivirus companies become unreachable, e.g. avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc.
- Kaspersky Anti-Virus keeps detecting and deleting files with random names and extensions (e.g. oufgt.quf) in the system32 folder, while a full scan finds nothing on the host.
  IMPORTANT: Repeated detection of such files does not prove that this host is infected. It means that there are infected hosts in the domain that hold administrative permissions on it (access to the ADMIN$ share on the attacked host, which allows copying files into the system32 folder). Kaspersky Anti-Virus blocks the infection attempt at the moment the body of the malicious program is copied. It is necessary to identify and disinfect the infected hosts to stop the attacks. Domain controllers should be checked first.
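The two network-side indicators above (outbound requests to the external-IP lookup sites, and the source address reported in Intrusion.Win.NETAPI.buffer-overflow.exploit alerts) point at the same thing: which hosts are actually infected and should be disinfected first. The following PowerShell script is an added example, not part of the Kaspersky article and not Kaspersky code. It correlates both indicators over constructed proxy and alert log lines and ranks the suspects, listing domain controllers first as the article advises. The log formats, addresses and the domain-controller list are assumptions made for the example.

```powershell
# Added example (not from the Kaspersky article): rank suspect hosts from two indicators.
# All log lines, host addresses and the DC list below are constructed for this example.

# External-IP lookup sites named in the article.
$IpCheckSites = @(
    'www.getmyip.org', 'getmyip.co.uk', 'www.whatsmyipaddress.com',
    'www.whatismyip.org', 'checkip.dyndns.org'
)

# Constructed proxy log, assumed format: <date> <time> <client-ip> <url>
$ProxyLog = @(
    '2012-12-13 09:58:01 10.0.0.15 http://checkip.dyndns.org/',
    '2012-12-13 09:58:05 10.0.0.21 http://www.example.com/',
    '2012-12-13 09:59:10 10.0.0.15 http://www.whatismyip.org/',
    '2012-12-13 10:02:44 10.0.0.30 http://getmyip.co.uk/'
)

# Constructed Anti-Virus/firewall alert log, assumed format: <date> <time> <alert> from <source-ip>
$AlertLog = @(
    '2012-12-13 09:57:50 Intrusion.Win.NETAPI.buffer-overflow.exploit from 10.0.0.15',
    '2012-12-13 09:58:30 Intrusion.Win.NETAPI.buffer-overflow.exploit from 10.0.0.15',
    '2012-12-13 10:01:00 Intrusion.Win.NETAPI.buffer-overflow.exploit from 10.0.0.5'
)

# Assumed list of domain controllers; the article says to disinfect these first.
$DomainControllers = @('10.0.0.5')

function Get-KidoSuspects {
    param(
        [string[]]$ProxyLines,
        [string[]]$AlertLines,
        [string[]]$Sites = $IpCheckSites,
        [string[]]$Dcs   = $DomainControllers
    )
    $evidence = @{}   # source ip -> @{ IpCheck = n; Netapi = n }

    # Indicator 1: the host asked one of the IP-check sites for its external address.
    foreach ($line in $ProxyLines) {
        if ($line -match '^\S+ \S+ (\S+) (\S+)$') {
            $ip = $Matches[1]; $url = $Matches[2]
            $uri = $null
            if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) { continue }
            if ($Sites -contains $uri.Host.ToLower()) {
                if (-not $evidence.ContainsKey($ip)) { $evidence[$ip] = @{ IpCheck = 0; Netapi = 0 } }
                $evidence[$ip].IpCheck++
            }
        }
    }

    # Indicator 2: the host is the *source* of a NETAPI exploit alert, i.e. it is attacking us.
    foreach ($line in $AlertLines) {
        if ($line -match 'Intrusion\.Win\.NETAPI\.buffer-overflow\.exploit from (\S+)$') {
            $ip = $Matches[1]
            if (-not $evidence.ContainsKey($ip)) { $evidence[$ip] = @{ IpCheck = 0; Netapi = 0 } }
            $evidence[$ip].Netapi++
        }
    }

    # Domain controllers first, then hosts that are actively attacking, then IP-check lookups.
    $evidence.Keys | ForEach-Object {
        New-Object PSObject -Property @{
            Host         = $_
            IsDC         = ($Dcs -contains $_)
            NetapiAlerts = $evidence[$_].Netapi
            IpCheckHits  = $evidence[$_].IpCheck
        }
    } | Sort-Object -Property IsDC, NetapiAlerts, IpCheckHits -Descending
}

Get-KidoSuspects -ProxyLines $ProxyLog -AlertLines $AlertLog |
    Format-Table Host, IsDC, NetapiAlerts, IpCheckHits -AutoSize
```

With the constructed input the output lists 10.0.0.5 first (a domain controller that is already attacking other hosts), then 10.0.0.15 (two NETAPI alerts and two IP-check lookups) and 10.0.0.30 (one lookup only); 10.0.0.21 does not appear because it matched neither indicator. Feed real proxy and firewall exports in the same two-column shape and the ranking becomes the disinfection order for the procedure below.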
Protection measures
MS Windows 95/MS Windows 98/MS Windows ME operating systems cannot be infected with
this network worm.
We recommend that you do the following on all hosts to prevent workstations and file servers
from becoming infected with the worm:
1. Install the Microsoft patches MS08-067, MS08-068 and MS09-001 (on these pages you will
have to select the operating system installed on the infected PC, download the
corresponding patch and install it).
2. Make sure the local administrator password is strong (it should contain a
minimum of 6 characters and be a combination of upper and lower case letters, numbers and
non-alphanumeric characters such as punctuation symbols).
3. Disable autorun of executable files on removable drives:
1. download the KidoKiller (kk.zip) utility and extract it, for example, to disk C:
2. run the file kk.exe with the -a switch from the command prompt
4. Block access to TCP ports 445 and 139 in the network firewall. You only need to block
these ports during the disinfection period. As soon as the disinfection process has been
completed, the ports may be unblocked.
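The four measures above can be verified and applied from PowerShell. The script below is an added example, not part of the Kaspersky article and not Kaspersky code; it assumes a Windows Vista/Server 2008 or later host with PowerShell 2.0 or newer, run as an administrator. The KB numbers are Microsoft's hotfix identifiers for the three bulletins the article names (MS08-067 = KB958644, MS08-068 = KB957097, MS09-001 = KB958687). Disabling autorun through the NoDriveTypeAutoRun policy value is the registry equivalent of the article's kk.exe -a, and the host-firewall rule stands in for the network-firewall block of step 4; both are alternatives shown here, not the article's own steps. The rule name is an assumption.

```powershell
# Added example (not Kaspersky's code): check and apply the article's protection measures on one host.
# Assumes Windows Vista/2008 or later, PowerShell 2.0+, elevated session.

# Microsoft bulletin -> hotfix ID as reported by Get-HotFix.
$RequiredHotfixes = @{
    'MS08-067' = 'KB958644'
    'MS08-068' = 'KB957097'
    'MS09-001' = 'KB958687'
}

function Test-KidoPatches {
    # Returns the bulletins whose hotfix is NOT installed; an empty result means all three are present.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $missing = @()
    foreach ($bulletin in $RequiredHotfixes.Keys) {
        if ($installed -notcontains $RequiredHotfixes[$bulletin]) { $missing += $bulletin }
    }
    return $missing
}

function Disable-AutorunAllDrives {
    # Registry equivalent of "kk.exe -a": 0xFF disables AutoRun for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Block-SmbInbound {
    # Temporary inbound block on TCP 139/445 for the disinfection window (article step 4).
    # Rule name is an assumption; remove the rule afterwards with:
    #   netsh advfirewall firewall delete rule name=KidoCleanupBlockSMB
    netsh advfirewall firewall add rule name=KidoCleanupBlockSMB dir=in action=block protocol=TCP localport=139,445 | Out-Null
}

$missing = @(Test-KidoPatches)
if ($missing.Count -gt 0) {
    Write-Warning ('Missing patches: ' + ($missing -join ', ') + ' - install before reconnecting this host')
}
Disable-AutorunAllDrives
Block-SmbInbound
```

Two caveats: Get-HotFix lists individual hotfixes, so a host that received the fix inside a later service pack will be reported as missing and must be checked against the service-pack level instead; and blocking TCP 445/139 inbound on a file server also stops legitimate file sharing, which is why the article limits the block to the disinfection period.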
Local disinfection
1. Download the kk.zip archive and extract its contents into a folder on an infected host.
2. Disable the File Anti-Virus component while using the utility.
3. Run the file kk.exe.
When run without any switches, kk.exe stops the active infection (terminates malicious threads
and unhooks functions), scans the most commonly infected areas, memory and flash drives, and cleans
the registry.
4. Wait for the scan to be complete.
If running the utility on a host with Agnitum Outpost Firewall installed, it is
necessary to reboot once the utility has completed its task.

5. Use Kaspersky Anti-Virus to scan the entire host.
Centralized disinfection (using Kaspersky Administration Kit)
1. Download the kk.zip archive and extract its contents into a folder
2. Create an installation package for the kk.exe application in the Administration console.
Select the Make installation package for specified executable file option in
the Application step.
Enter the -y switch in the Executable file command line (optional) field to close the
console window automatically once the utility's task is complete.

3. Use this package to create a group/global application deployment task for infected or
suspicious networked computers.
4. Disable the File Anti-Virus component in Kaspersky Anti-Virus on client PCs before
running the utility.
5. Start the task.
IMPORTANT
It is necessary to first disinfect the domain controllers and the hosts where users from the
Administrators and Domain Admins domain groups are logged on. Otherwise the
disinfection will be ineffective and all domain-joined hosts will be reinfected
every 15 minutes.

If you run the utility via Administration Kit, it is started under the SYSTEM account,
so network drives and shared folders are inaccessible to it.
If the administrator wants the utility to write logs to a network drive or shared resource,
the utility must be run using the 'run as' command.
6. Once the utility's task is complete, scan each networked computer with Kaspersky Anti-Virus.
If running the utility on a host with Agnitum Outpost Firewall installed, you will need
to reboot once the utility completes its task.
Switches to run the file kk.exe from the command prompt

Switch          Description
-f              Scan hard disks.
-n              Scan network drives.
-r              Scan flash drives and removable USB and FireWire hard disks.
-y              End the program without pressing any key.
-s              Silent mode (without a console window).
-l <file name>  Write information into a log file.
-v              Extended logging (the -v switch only works in combination with the -l switch).
-z              Restore the following services: Background Intelligent Transfer Service (BITS),
                Windows Automatic Update Service (wuauserv), Error Reporting Service (ERSvc/WerSvc),
                Windows Defender (WinDefend), Windows Security Center Service (wscsvc).
-x              Restore display of hidden system files.
-a              Disable autorun from all drives.
-m              Monitoring mode to protect the system from getting infected.
-j              Restore the registry branch SafeBoot (if this registry branch is deleted,
                the computer cannot boot in Safe Mode).
-help           Show additional information about the utility.

For example, in order to scan a flash drive and write a detailed log into the file report.txt (which
will be created in the folder containing kk.exe), use the following command:
KK.exe -r -y -l report.txt -v
In order to scan another disk or partition, D: for example (the -p <path> switch is not listed in the table above):
KK.exe -p D:\
Starting with version 3.4.6, the KidoKiller utility returns the following exit codes (%errorlevel%):
3 - Malicious threads were found and eliminated (the worm was active).
2 - Malicious files were found and deleted (the worm was inactive).
1 - Malicious scheduler jobs or function hooks were detected (this PC is not infected, but the
network may contain infected PCs; the administrator should address this issue).
0 - Nothing found.
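The exit codes make kk.exe scriptable: a wrapper can run it with the switches from the table, translate the code into a verdict, and record one line per host that an administrator collects later. The script below is an added example, not part of the Kaspersky article and not Kaspersky code. It assumes kk.zip has been extracted to C:\kk, that the utility is version 3.4.6 or later (so the codes above apply), and that the result file is written locally because, as the centralized procedure notes, the utility runs as SYSTEM under Administration Kit and cannot reach network shares. The folder, file names and message wording are assumptions. Disabling the File Anti-Virus component beforehand, as the article requires, is not something this wrapper does.

```powershell
# Added example (not Kaspersky's code): run kk.exe and record its verdict for this host.
# Assumes kk.exe (KidoKiller >= 3.4.6) extracted to C:\kk; paths are assumptions.

$KkDir     = 'C:\kk'
$KkExe     = Join-Path $KkDir 'kk.exe'
$ResultLog = Join-Path $KkDir 'kk-result.txt'   # one line per run, collected by the administrator

# Exit codes documented by the article for version 3.4.6 and later.
$ExitCodeMeaning = @{
    3 = 'ACTIVE: malicious threads found and eliminated (worm was running)'
    2 = 'INACTIVE: malicious files found and deleted'
    1 = 'NOT-INFECTED-BUT-ATTACKED: scheduler jobs or hooks found; other hosts on the network are infected'
    0 = 'CLEAN: nothing found'
}

function Get-KidoKillerVerdict {
    param([int]$ExitCode)
    if ($ExitCodeMeaning.ContainsKey($ExitCode)) { return $ExitCodeMeaning[$ExitCode] }
    return "UNKNOWN: exit code $ExitCode (older utility version or abnormal termination)"
}

function Invoke-KidoKiller {
    param(
        [switch]$HardDisks,      # adds -f (scan hard disks) to the default scan
        [switch]$NetworkDrives   # adds -n; pointless when run as SYSTEM, see article note
    )
    # -y: exit without waiting for a key press, -l/-v: detailed log (report.txt lands in $KkDir).
    $kkArgs = @('-y', '-l', 'report.txt', '-v')
    if ($HardDisks)     { $kkArgs += '-f' }
    if ($NetworkDrives) { $kkArgs += '-n' }

    $proc = Start-Process -FilePath $KkExe -ArgumentList $kkArgs -WorkingDirectory $KkDir `
                          -Wait -PassThru -NoNewWindow
    $verdict = Get-KidoKillerVerdict -ExitCode $proc.ExitCode

    $record = '{0} {1} exit={2} {3}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                       $env:COMPUTERNAME, $proc.ExitCode, $verdict
    Add-Content -Path $ResultLog -Value $record -Encoding ASCII

    # Follow-up the article asks for: full Kaspersky scan afterwards; reboot if Outpost is installed.
    if ($proc.ExitCode -eq 3) {
        Write-Warning 'Worm was active on this host: run a full Kaspersky Anti-Virus scan; reboot if Agnitum Outpost Firewall is installed.'
    }
    return $proc.ExitCode
}

Invoke-KidoKiller -HardDisks
```

Packaged as the executable of an Administration Kit installation package (with the same -y switch the centralized procedure recommends), the wrapper leaves C:\kk\kk-result.txt on each host; collecting those lines gives the administrator the list of hosts that returned 3 or 2 (were infected) and the hosts that returned 1, whose neighbours still need attention.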
