Archive

Posts Tagged ‘kido’

Net-Worm.Win32.Kido.bt – Kaspersky’s alternative name for Conficker/downadup

January 16th, 2009

After a bit of digging around, I finally found the Conficker worm being mentioned on Kaspersky’s website. It doesn’t help that they do not use the most common monikers for it, but anyway. I am now beginning to understand why our copy of Kaspersky is not detecting the one we found on our network. Here is an excerpt of the description from their site. I have highlighted in bold/underline the problem:

—————————————————————————————————————–

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.

Installation

The worm copies its executable file to the Windows system directory as follows:

%System%\<rnd>.dll <rnd> is a string of random symbols

—————————————————————————————————————–

I hate to say this, Kaspersky, but the infected file has varying permutations of the file extension. It is not just .DLL; it can be pretty much anything, from .txt to .png or .jpg. Basically, you cannot use the .DLL extension as the only method for detection, and if that is what the signature relies on, it is not going to find it. Perhaps the first variant “a” was originally a .DLL, but not anymore, and I believe the “b” version is much more widespread now. So how about taking a leaf out of Trend Micro’s book and looking for behavioural patterns instead of just the filename…
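To show what detection that does not trust the extension looks like, here is an added example (my own, not code from the post, from Kaspersky or from any vendor): it walks a directory and flags any file that is really a PE DLL (MZ header, PE signature, IMAGE_FILE_DLL characteristic) but carries a non-executable extension such as .txt, .png or .jpg. The sample files it builds are constructed stand-ins, not real malware.

```python
import os
import struct
import tempfile

# Extensions under which finding a PE DLL is expected, not suspicious.
EXPECTED_PE_EXT = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv", ".scr"}


def is_pe_dll(data: bytes) -> bool:
    """True if data starts a PE image with the DLL flag set.

    Checks the 'MZ' stub, follows e_lfanew (offset 0x3C) to the 'PE\\0\\0'
    signature, then reads Characteristics (22 bytes after the signature)
    and tests IMAGE_FILE_DLL (0x2000).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return bool(characteristics & 0x2000)


def find_disguised_dlls(root: str) -> list:
    """Return paths under root whose content is a PE DLL but whose extension is not one a DLL normally carries."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXPECTED_PE_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(4096)  # headers sit well inside the first 4 KB
            except OSError:
                continue
            if is_pe_dll(head):
                hits.append(path)
    return sorted(hits)


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE-shaped blob for testing; it is not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    chars = 0x0102 | (0x2000 if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def demo() -> list:
    """Build a constructed directory with a DLL hidden as .jpg, a normal .dll, a .txt and a non-DLL .png."""
    root = tempfile.mkdtemp()
    samples = {"a.jpg": build_fake_pe(True), "b.dll": build_fake_pe(True),
               "c.txt": b"plain text", "d.png": build_fake_pe(False)}
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    return [os.path.basename(p) for p in find_disguised_dlls(root)]
```

Running demo() reports only a.jpg: the .dll is expected, the .txt is not a PE file and the .png is a PE image without the DLL flag.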

Kaspersky description for Net-Worm.Win32.Kido

Kaspersky method of removal. It may work on some versions of the virus


Tech