
1. Brief description of the Net-Worm.Win32.Kido family


  • It creates the files autorun.inf and RECYCLED\{SID<….>}\RANDOM_NAME.vmx on removable drives (and sometimes on public network shares).
  • It stores itself in the system as a DLL file with a random name, for example, c:\windows\system32\zorizr.dll.
  • It registers itself as a system service with a random name, for example, knqdgsm.
  • It tries to attack computers on the network via TCP port 445 or 139, using the MS Windows vulnerability MS08-067.
  • It tries to access the following websites in order to obtain the external IP address of the infected computer (we recommend configuring a network firewall rule to monitor connection attempts to these websites):
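
As an added example (not part of the Kaspersky article or of the KidoKiller utility), here is a small Python check that a responder could run over the contents of an autorun.inf copied from a removable drive: it parses the [autorun] section and flags entries that launch a .vmx file from a RECYCLED\{SID} folder, the file layout listed above. The sample autorun.inf, its SID and file name are constructed; the regular expression's acceptance of the spelling RECYCLER and of a missing pair of braces is an assumption, added so the check is not defeated by minor variants.

```python
import re

# Constructed sample autorun.inf, modelled on the indicator the article lists
# (a .vmx launched from RECYCLED\{SID}); it is not a real captured file.
SAMPLE_AUTORUN_INF = """[autorun]
open=rundll32.exe .\\RECYCLED\\{S-1-5-21-1001-2002-3003}\\abcdxyz.vmx,install
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=.\\RECYCLED\\{S-1-5-21-1001-2002-3003}\\abcdxyz.vmx
action=Open folder to view files
"""

# A benign autorun.inf for comparison (constructed).
CLEAN_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

# Path shape from section 1: RECYCLED\{SID}\RANDOM_NAME.vmx. Accepting "RECYCLER"
# and optional braces is an assumption, not something the article states.
_VMX_RE = re.compile(
    r"RECYCLE[DR]\\\{?S-\d+(?:-\d+)+\}?\\[^\\\s,]+\.vmx", re.IGNORECASE
)

# [autorun] keys that cause a program to run on insertion or double-click.
_EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lower-cased)."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def kido_indicators(text):
    """Return (key, value) pairs that launch a .vmx from a RECYCLED\\{SID} folder."""
    hits = []
    for key, value in parse_autorun(text).items():
        # shell\...\command keys also execute; treat them like open/shellexecute.
        if (key in _EXEC_KEYS or key.startswith("shell\\")) and _VMX_RE.search(value):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_AUTORUN_INF), ("clean", CLEAN_AUTORUN_INF)):
        hits = kido_indicators(content)
        print(f"{name}: {len(hits)} suspicious entr{'y' if len(hits) == 1 else 'ies'}")
        for key, value in hits:
            print(f"  {key} = {value}")
```

An empty result means no [autorun] entry launches a .vmx from that path; it does not by itself prove the drive is clean, since the DLL and the service on the host are separate indicators.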

2. Symptoms of a network infection

  1. The anti-virus product, with its Intrusion Detection System enabled, reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.

    Repeated attack alerts prove that the remote computer (its address is reported in the alert) is infected. It must be disinfected, if possible.

  2. It is impossible to access the websites of most antivirus companies (e.g. mcafee.com, kaspersky.com, etc.).
  3. An attempt to activate Kaspersky Anti-Virus or Kaspersky Internet Security with an activation code on a computer infected with the Net-Worm.Win32.Kido network worm may terminate abnormally and output one of the following errors:
    • Activation procedure completed with system error 2.
    • Activation error: Server name cannot be resolved.
    • Activation error. Unable to connect to server.
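
Added example, not from the article: the rule in symptom 1 (repeated alerts naming the same remote address mean that host is infected) written as a few lines of Python over IDS log lines. The log format, the addresses and the timestamps are constructed; the signature name and the ports 445 and 139 are the ones the article names.

```python
import re
from collections import Counter

# Constructed IDS log lines in an invented format. Only the detection name
# (from section 2) and the target ports (from section 1) come from the article.
SAMPLE_ALERTS = """\
2009-01-15 10:02:11 IDS Intrusion.Win.NETAPI.buffer-overflow.exploit src=10.0.0.57:1247 dst=10.0.0.10:445
2009-01-15 10:02:19 IDS Intrusion.Win.NETAPI.buffer-overflow.exploit src=10.0.0.57:1248 dst=10.0.0.10:445
2009-01-15 10:03:02 IDS Intrusion.Win.NETAPI.buffer-overflow.exploit src=10.0.0.57:1251 dst=10.0.0.11:139
2009-01-15 10:05:40 IDS Intrusion.Win.NETAPI.buffer-overflow.exploit src=10.0.0.88:3120 dst=10.0.0.10:445
2009-01-15 10:06:01 IDS Some.Other.Signature src=10.0.0.99:4000 dst=10.0.0.10:80
"""

_ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IDS (?P<sig>\S+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

KIDO_SIGNATURE = "Intrusion.Win.NETAPI.buffer-overflow.exploit"
KIDO_PORTS = {"445", "139"}


def parse_alerts(text):
    """Yield one dict per line that matches the constructed log format."""
    for line in text.splitlines():
        m = _ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def suspected_infected_hosts(text, min_alerts=2):
    """Count MS08-067 exploit alerts per source host.

    Returns {source_ip: alert_count} for hosts that produced at least
    min_alerts alerts against port 445 or 139; these are the hosts the
    article says must be disinfected.
    """
    counts = Counter()
    for alert in parse_alerts(text):
        if alert["sig"] == KIDO_SIGNATURE and alert["dport"] in KIDO_PORTS:
            counts[alert["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    for src, n in sorted(suspected_infected_hosts(SAMPLE_ALERTS).items()):
        print(f"{src}: {n} exploit alerts, disinfect this host")
```

A single alert from a host (10.0.0.88 in the sample) is reported only if the threshold is lowered to 1; with the default of 2 it is left for manual follow-up, which matches the article's wording that repeated alerts are the proof.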

3. Protection measures

MS Windows 95 / MS Windows 98 / MS Windows ME operating systems cannot be infected with this network worm.

To prevent workstations and file servers from being infected with the worm, do the following on all hosts:

  1. Install the Microsoft patches MS08-067, MS08-068 and MS09-001 (on these pages you have to select the operating system installed on the PC, then download and install the corresponding patch).
  2. Disable autorun of executable files on removable drives:
    • Download the file kidokiller.exe and save it to a separate folder on the computer (for example, on disk C).
    • Open the Run command: press the Win and R keys on the keyboard simultaneously.
    • In the Open field of the Run window, enter explorer.exe.
    • Click OK.
    • Run the kk.exe file with the switch -a. To do this, enter the following at the command prompt: C:\kk.exe -a (if the file was saved on disk C).
    • Press Enter on the keyboard.

4. Methods of disinfection

To disinfect an infected computer, do the following:

  1. Download the kidokiller.exe file and save it to a separate folder on the infected computer. Information on how to download a file can be found on the following pages:
  2. While the utility is running, disable File Anti-Virus if one of the following Kaspersky Lab applications is installed on the infected computer:

    Kaspersky Internet Security 6.0. / 7.0 / 2009 / 2010 / 2011 / 2012 / 2013 / 2014

    Kaspersky Anti-Virus 6.0. / 7.0 / 2009 / 2010 / 2011 / 2012 / 2013 / 2014

  3. Run the kk.exe file.

    If the kk.exe file is launched without any additional parameters, the utility stops the active infection (terminates the worm's threads, removes its hooks), scans the most commonly infected areas, scans the memory, cleans the registry, and scans flash drives.

  4. Wait until the scan is completed.

    When the scan is completed, press any key on the keyboard to close the utility.

    If Agnitum Outpost Firewall is installed on the computer where the KidoKiller utility has been launched, it is necessary to reboot the PC after the utility finishes its work.

  5. Scan the entire computer with:
    • Kaspersky Internet Security 2014 / 2013 / 2012
    • Kaspersky Anti-Virus 2014 / 2013 / 2012

5. Switches to run the kk.exe file from the command prompt

Switch          Description
-f              Scan hard disks.
-n              Scan network drives.
-r              Scan flash drives and removable USB and FireWire hard disks.
-y              End the program without pressing any key.
-s              Silent mode (no black console window).
-l <file name>  Write information to a log file.
-v              Extended logging (the -v switch works only in combination with the -l switch).
-z              Restore the following services:
                  • Background Intelligent Transfer Service (BITS),
                  • Windows Automatic Update Service (wuauserv),
                  • Error Reporting Service (ERSvc/WerSvc),
                  • Windows Defender (WinDefend),
                  • Windows Security Center Service (wscsvc).
-x              Restore display of hidden system files.
-a              Disable autorun from all drives.
-m              Monitoring mode to protect the system from getting infected.
-j              Restore the SafeBoot registry branch (if this branch is deleted, the computer cannot boot in Safe Mode).
-help           Show additional information about the utility.

For example, to scan a flash drive and write a detailed log to the file report.txt (created in the folder where kk.exe is located), use the following command:

KK.exe -r -y -l report.txt -v

Example of a command to scan another disk or partition (here D:):

KK.exe -p D:\

Source : Official Kaspersky Brand
Editor by : BEST Antivirus KBS Team
