Hi all,
i'm really really shocked, when i see that a LAN, with over 4000 computers, with Active Directory on Windows Server 2003, is almoast down because of a virus with Low profile.
Because of Group Policy who is blocking 3 unsuccesful loging tryings AD accounts are blocked almoast every 5 minutes.
Our Admins are overloaded (intelectually and fizically).
What about our chances for resolving this problem?
Full Version: Net-worm.win32.kido.fa
QUOTE(Gabriel Popa @ 8.01.2009 17:11) 
Hi all,
i'm really really shocked, when i see that a LAN, with over 4000 computers, with Active Directory on Windows Server 2003, is almoast down because of a virus with Low profile.
Because of Group Policy who is blocking 3 unsuccesful loging tryings AD accounts are blocked almoast every 5 minutes.
Our Admins are overloaded (intelectually and fizically).
What about our chances for resolving this problem?
i'm really really shocked, when i see that a LAN, with over 4000 computers, with Active Directory on Windows Server 2003, is almoast down because of a virus with Low profile.
Because of Group Policy who is blocking 3 unsuccesful loging tryings AD accounts are blocked almoast every 5 minutes.
Our Admins are overloaded (intelectually and fizically).
What about our chances for resolving this problem?
An IDS was enabled onto those computers?
You also need to be updated.
QUOTE(manawa @ 9.01.2009 06:42)
Yeah, this is it. Kasperski it's updated and OS are also updated. But the virus it's coming back. And it's not completely removed.
Computers infected doesn't have internet connection (not all). I saw that Microsoft OneCare it's desinfecting it, but Kasperski it's not.
So..what it's the resolving idea?
Hi,
please try latest klwk (Kaspersky Lab Worm Killer) version to remove this worm.
Usage:
klwk /path %WINDIR%\system32\
Regards,
dawinci
Update: How to fight network worm Net-Worm.Win32.Kido
please try latest klwk (Kaspersky Lab Worm Killer) version to remove this worm.
Usage:
klwk /path %WINDIR%\system32\
Regards,
dawinci
Update: How to fight network worm Net-Worm.Win32.Kido
QUOTE(dawinci @ 12.01.2009 05:56)
Hi,
please try latest klwk (Kaspersky Lab Worm Killer) version to remove this worm.
Usage:
klwk /path %WINDIR%\system32\
Regards,
dawinci
Update: How to fight network worm Net-Worm.Win32.Kido
please try latest klwk (Kaspersky Lab Worm Killer) version to remove this worm.
Usage:
klwk /path %WINDIR%\system32\
Regards,
dawinci
Update: How to fight network worm Net-Worm.Win32.Kido
Hi, I'm from México, sorry for my bad english:
Meanwhile you can unlock all your domain accounts using this tool:
http://www.joeware.net/freetools/tools/unlock/index.htm
Add a windows automatic task to execute a batch every minute, in the .bat you cant write something like this:
unlock . *
ping some IP
unlock . *
ping some IP
....
And/or edit your blocking domain politic.
(The ping is just to wait for a couple of seconds before the command executes again).
Also, you can set on the Netlogon.log to track down the computers who tries to auth sending bad passwords:
http://support.microsoft.com/kb/109626/en-us
To filter the Netlogon.log for easily tracking run this command:
findstr /I "0xC000006A" c:\winnt\debug\netlogon.log >> d:\save\failed.txt
0xC000006A error codes means bad pwds. ¿Why? because infected machines tries to guess users passwords sending a lot of auths, if a user tries to auth 4 times in a second, those entries are suspicious.
This .doc might be useful -> Tracking the Inside Intruder Using Net Logon Debug Logging:
http://download.microsoft.com/download/a/8...NetLogDebug.doc
Hope this helps.
Meanwhile you can unlock all your domain accounts using this tool:
http://www.joeware.net/freetools/tools/unlock/index.htm
Add a windows automatic task to execute a batch every minute, in the .bat you cant write something like this:
unlock . *
ping some IP
unlock . *
ping some IP
....
And/or edit your blocking domain politic.
(The ping is just to wait for a couple of seconds before the command executes again).
Also, you can set on the Netlogon.log to track down the computers who tries to auth sending bad passwords:
http://support.microsoft.com/kb/109626/en-us
To filter the Netlogon.log for easily tracking run this command:
findstr /I "0xC000006A" c:\winnt\debug\netlogon.log >> d:\save\failed.txt
0xC000006A error codes means bad pwds. ¿Why? because infected machines tries to guess users passwords sending a lot of auths, if a user tries to auth 4 times in a second, those entries are suspicious.
This .doc might be useful -> Tracking the Inside Intruder Using Net Logon Debug Logging:
http://download.microsoft.com/download/a/8...NetLogDebug.doc
Hope this helps.
Download this tool: http://support.microsoft.com/kb/890830 it worked for me for the kido.ih variant.
Greetings.
Greetings.
Use the new Kaspersky KidoKiller Tool:
Download and info:
http://forum.kaspersky.com/index.php?s=&am...st&p=864100
Download and info:
http://forum.kaspersky.com/index.php?s=&am...st&p=864100
QUOTE(dawinci @ 21.01.2009 12:41)
Hi all,
new Kaspersky KidoKiller Tool has been provided. Find it attached. Usage:
KidoKiller.exe -p %windir%\system32\
Regards,
dawinci
P.S. To use KidoKiller Tool with Administrationkit-Server use following article in Knowledge-DB
new Kaspersky KidoKiller Tool has been provided. Find it attached. Usage:
KidoKiller.exe -p %windir%\system32\
Regards,
dawinci
P.S. To use KidoKiller Tool with Administrationkit-Server use following article in Knowledge-DB
I have w32.kido.ia but klwk.exe tool doesn't not detect it, desinfect either.
Greetings, JK
Greetings, JK
QUOTE(jkc @ 21.01.2009 17:56)
I have w32.kido.ia but klwk.exe tool doesn't not detect it, desinfect either.
Greetings, JK
Greetings, JK
Have you tried with Kaspersky KidoKiller Tool ?
QUOTE(Caos @ 21.01.2009 12:15)
Have you tried with Kaspersky KidoKiller Tool ?
Yes, I have, and it worked fine, but it doesn't show an explanation like klwk.exe. KillKido.exe is from Kaspersky Labs too?
Thanks a lot,
JK
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.