—————————————————————————————————————–

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.

Installation

The worm copies its executable file to the Windows system directory as follows:

%System%\<rnd>.dll <rnd> is a string of random symbols

—————————————————————————————————————–

I hate to say this Kaspersky, but the infected file has varying permutations for the file extension. It is not just .DLL but it can be pretty much anything, from .txt to .png or .jpg. Basically, you cannot use the .DLL extension as the only method for detection and if this is the case, it is not going to find it. Perhaps the first variant “a” was originally a .DLL but not anymore and I believe the “b” version is much more widespread now. So how about taking a leaf out of Trend Micro’s book and look for behaviourial patterns instead of just by filename…

Kaspersky description for Net-Worm.Win32.Kido

Kaspersky method of removal. It may work on some versions of the virus

facebook   twitter   email  

It acts as a botnet of sorts and once infected the machine turns into a HTTP server to spread it further. Another method of transportation is via USB drives with autorun enabled. Signs of infection include hundreds of connections to port 445 (SMB), do a netstat -on at the command prompt. Also access to admin shares are lost and other file shares could be affected.

Removal
First thing is to patch your machine with this security patch from MS: Microsoft Security Bulletin MS08-067 – Critical (KB958644)

Secondly, update your anti-virus software with the latest definitions. For a standalone removal tool, go to Trend Micro and download with the latest definition files:
Sysclean scan and removal
Latest Control Pattern file
Spyware detection and cleanup
Run sysclean.com once all files are extracted, and it will scan the current machine.

Funnily enough, we decided to go to PCWorld and buy the latest Kaspersky 2009 AV software for our standalone PCs. To our surprise it did not detect the virus at all, forums suggest the Kaspersky ruskies are working on a solution for detection and removal. Also our AV for the corporate network, eTrust by Computer Associates also did not initially detect it until a policy update was applied. According to the techs at CA, it was classed as low risk and not critical. Obviously CA were caught napping when the bulletin was released in October. Nod32 by Eset finds it quite happily without creating too much fuss, same goes for McAfee if you have the latest dats.

Information on the virus worm by McAfee

Even though they have marked this as low risk, it can be very disruptive. Losing access to file servers containing critical data for everyday operations isn’t exactly productive. I have also found the hammering of port 445 will slow your network down to a crawl as it will do this on every subnet you are connected to and try to do this for external IP addresses also.

facebook   twitter   email