Full Version: Net-Worm.Win32.Kido.gy
Kaspersky Lab Forum > English User Forum > Virus-related issues
Dennis Zhou
We are dealing with the Net-Worm.Win32.Kido.gy virus right now. Does anyone have any technical details about this virus?

I have checked a few other viruses in this family, but this one seems different. Thanks a lot.
manawa
Hello,

please check this link http://www.microsoft.com/security/portal/E...2%2fConficker.B

Dennis Zhou
QUOTE(Dennis Zhou @ 9.01.2009 05:16) *
We are dealing with the Net-Worm.Win32.Kido.gy virus right now. Does anyone have any technical details about this virus?

I have checked a few other viruses in this family, but this one seems different. Thanks a lot.


Thanks for the reply. Now I understand this virus better. There is another behavior of this virus: on the infected computers, even though Kaspersky has the latest virus database, it is still not detecting this virus!

Even though I managed to delete the virus file under the %system%system32 folder, the virus still reinfects the computer.

Does anyone have any suggestions for defeating the virus?
dawinci
Hi Dennis,

please find the latest klwk (Kaspersky Lab Worm Killer) utility here.
Usage:

klwk /path %WINDIR%\system32\

Regards,
Daniel


Update: How to fight network worm Net-Worm.Win32.Kido
manawa
QUOTE(dawinci @ 12.01.2009 18:32) *
Hi Dennis,

please find the latest klwk (Kaspersky Lab Worm Killer) utility here.
Usage:

klwk /path %WINDIR%\system32\

Regards,
Daniel
Update: How to fight network worm Net-Worm.Win32.Kido



Hello,

This is a good solution, but it won't clean the Net-Worm.Win32.Kido.ih variation. Can you please add this definition to the tool?
namh
I also found this Kido.ih virus, which cannot be deleted by Kaspersky. However, scanning the system32 folder using AVZ helped me get rid of this virus. You might try this.
p2u
Some versions of this worm also seem to spread through autorun on removable devices. It might be a good idea to disable this feature on ALL devices to prevent infection in the future. Here's how to do that. Open Notepad, save the following with the .reg extension (for example DisableAllAutorun.reg) and merge it. Click 'OK' when asked.
CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files]
"*.*"=""

P.S.: Explanation of the last 2 parameters:
1) @="@SYS:DoesNotExist" = Windows will think that there is no such thing as autorun.inf; therefore such files will never run by themselves.
2) AutoplayHandlers\CancelAutoplay\Files = text parameters for files that should NEVER launch automatically. '*' is 'all'; in our case 'none'. This is to fight autorun files that have other extensions.
P.S.2: Don't forget to check Scheduled Tasks through the Scheduler Service!

Paul
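The same four autorun settings as in Paul's .reg file, applied from PowerShell and then read back so you can confirm they actually took (a merged .reg gives no such confirmation), followed by the scheduled-task listing his P.S.2 asks for. This is an added example, not code from the original post; it assumes an elevated (Administrator) prompt on Windows and that schtasks.exe is present, which it is on XP and later. The function names are ours.

```powershell
# Added example (not part of the original post): apply the four autorun
# settings from the .reg file above via the .NET registry API, read them
# back to verify, and dump the scheduled tasks for manual review.
# Assumptions: elevated prompt; Windows PowerShell 2.0 or later.

$ErrorActionPreference = 'Stop'

$HKLM   = 'HKEY_LOCAL_MACHINE'
$DWord  = [Microsoft.Win32.RegistryValueKind]::DWord
$String = [Microsoft.Win32.RegistryValueKind]::String

# Name '' addresses the key's default value, i.e. the @=... line of a .reg file.
$settings = @(
    @{ Key = "$HKLM\SYSTEM\CurrentControlSet\Services\Cdrom";
       Name = 'AutoRun'; Value = 0; Kind = $DWord },
    @{ Key = "$HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer";
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF; Kind = $DWord },
    @{ Key = "$HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf";
       Name = ''; Value = '@SYS:DoesNotExist'; Kind = $String },
    @{ Key = "$HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files";
       Name = '*.*'; Value = ''; Kind = $String }
)

function Set-AutorunHardening {
    # Registry.SetValue creates any missing key, so no separate New-Item step.
    # Using the .NET API also avoids the provider treating '*.*' as a wildcard.
    foreach ($s in $settings) {
        [Microsoft.Win32.Registry]::SetValue($s.Key, $s.Name, $s.Value, $s.Kind)
    }
}

function Test-AutorunHardening {
    # One object per setting: expected vs. actual value and an OK flag.
    foreach ($s in $settings) {
        $actual = [Microsoft.Win32.Registry]::GetValue($s.Key, $s.Name, $null)
        New-Object PSObject -Property @{
            Key      = $s.Key
            Name     = $(if ($s.Name -eq '') { '(default)' } else { $s.Name })
            Expected = $s.Value
            Actual   = $actual
            OK       = ($null -ne $actual) -and ("$actual" -eq "$($s.Value)")
        }
    }
}

Set-AutorunHardening
Test-AutorunHardening | Format-Table Name, Expected, Actual, OK -AutoSize

# P.S.2 from the post: list every scheduled task with the command it runs
# and the account it runs as, so anything unfamiliar can be checked by hand.
schtasks /query /fo LIST /v |
    Where-Object { $_ -match '^(TaskName|Task To Run|Run As User):' }
```

Any row with OK = False means the value was not written (usually a non-elevated prompt); the task listing is for eyeballing, since the thread gives no task name to match on.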
dawinci
Hi all,

new Kaspersky KidoKiller Tool has been provided. More infos here.

Regards,
dawinci
RobertFranz
QUOTE(dawinci @ 21.01.2009 04:44) *
Hi all,

new Kaspersky KidoKiller Tool has been provided. More infos here.

Regards,
dawinci


It's still ineffectual against many kido variants.

Kido infections have been ongoing for months, and no av vendor has been able to deal with them effectively - including Kaspersky.

KAV6 with the latest sigs will detect .ix, but that's where the fun stops.
Neither it nor the latest freestanding app will remove it, and the freestanding app won't even detect it.

This is not a condemnation of Kaspersky, Symantec's Kido killer is just as ineffective.

Oh sure - they'll clean up versions that are many iterations old - but won't touch anything current, like ih or ix.

If my infections were that old - we'd be offline by now.

So, I'm doing what many admins are doing - falling back to cl tools, combined with years of experience as to what files should be changing, typical sizes, etc.

What's my point?

That the av industry has lost this little war - though they've won a few battles.

Regardless of how you rationalize it, the industry has failed to provide either protection or removal that meets the needs of subscribers.
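The fallback RobertFranz describes, watching which files in system32 change and whether their sizes look right, done as a script rather than from memory. This is an added example and not code from the post or from any vendor tool: it hashes the top level of a directory, writes a baseline CSV on the first run, and on later runs reports files that are new, changed or missing. The default paths and function names are assumptions; pass your own with -Dir and -Baseline.

```powershell
# Added example (not from the original post): baseline and diff the files in
# %WINDIR%\system32 so reinfection shows up as a NEW or CHANGED entry.
# Assumptions: Windows PowerShell 2.0 or later; run as Administrator so
# hidden and system files can be read; on 64-bit Windows use the 64-bit
# PowerShell, otherwise system32 is redirected to SysWOW64.

param(
    [string]$Dir      = "$env:WINDIR\system32",
    [string]$Baseline = "$env:USERPROFILE\system32-baseline.csv"   # assumed default
)

function Get-FileInventory {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # -Force includes hidden files; only the top level, where the thread found the file.
    foreach ($f in Get-ChildItem -Path $Path -Force | Where-Object { -not $_.PSIsContainer }) {
        $hash = 'UNREADABLE'   # e.g. exclusively locked by a running process
        try {
            $stream = $f.OpenRead()
            try   { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
            finally { $stream.Close() }
        } catch { }
        New-Object PSObject -Property @{
            Path     = $f.FullName
            Size     = $f.Length
            Modified = $f.LastWriteTimeUtc.ToString('o')
            SHA256   = $hash
        }
    }
}

function Compare-Inventory {
    param($Old, $New)
    $oldByPath = @{}; foreach ($o in $Old) { $oldByPath[$o.Path] = $o }
    $newByPath = @{}; foreach ($n in $New) { $newByPath[$n.Path] = $n }

    foreach ($n in $New) {
        $o = $oldByPath[$n.Path]
        if ($null -eq $o) {
            New-Object PSObject -Property @{ Change = 'NEW'; Path = $n.Path; Size = $n.Size; SHA256 = $n.SHA256 }
        } elseif ($o.SHA256 -ne $n.SHA256 -or [int64]$o.Size -ne [int64]$n.Size) {
            New-Object PSObject -Property @{ Change = 'CHANGED'; Path = $n.Path; Size = "$($o.Size) -> $($n.Size)"; SHA256 = $n.SHA256 }
        }
    }
    foreach ($o in $Old) {
        if (-not $newByPath.ContainsKey($o.Path)) {
            New-Object PSObject -Property @{ Change = 'MISSING'; Path = $o.Path; Size = $o.Size; SHA256 = $o.SHA256 }
        }
    }
}

$current = @(Get-FileInventory -Path $Dir)
if (-not (Test-Path $Baseline)) {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written: $Baseline ($($current.Count) files)"
} else {
    $previous = Import-Csv -Path $Baseline
    $changes  = @(Compare-Inventory -Old $previous -New $current)
    if ($changes.Count -eq 0) { Write-Host "No changes against $Baseline" }
    else { $changes | Sort-Object Change, Path | Format-Table Change, Size, SHA256, Path -AutoSize }
}
```

Take the baseline on a machine you believe is clean (ideally right after a rebuild), keep the CSV off the box, and re-run after patching or after a cleanup tool has been used. Expect CHANGED rows after Windows Update; a NEW file with an unfamiliar name, or an UNREADABLE one that was readable yesterday, is what deserves a look.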

Shinigami
QUOTE(RobertFranz @ 3.04.2009 15:12) *
That the av industry has lost this little war - though they've won a few battles.

Regardless of how you rationalize it, the industry has failed to provide either protection or removal that meets the needs of subscribers.

The av industry does not state that they can give you 100% protection from everything. Viruses, malware, everything is becoming more complicated as we speak, but in response the av industry is finding ways to fight against these online threats.
RobertFranz
QUOTE(Shinigami @ 3.04.2009 14:52) *
The av industry does not state that they can give you 100% protection from everything. Viruses, malware, everything is becoming more complicated as we speak, but in response the av industry is finding ways to fight against these online threats.



Please excuse me if it sounds like I was delivering an opinion - I wasn't.

I'm delivering a verdict.

The whole point of av software is to save time.

AV software on the whole isn't all that great, with certain exceptions - Kaspersky being one - AVG being the other.

There have been spates before of malware that seemed to run rampant for a while, but was generally brought to heel fairly quickly.

In this case, that hasn't happened, and shows no signs of happening.

I never asked for a 100% guarantee.

I do demand that av software that detects a virus be able to remove it.

This is NOT a new outbreak - just morphed versions.

And no av vendor out there really has a handle on it.

It's a bit disturbing that months after the outbreak started, they still have to refer people to 3rd party software to remove it.

On a related rant - if I kick in a few extra bucks per license when I renew next year, will Kaspersky PLEASE buy some bandwidth?
phr3n1c
Please specify against which kido versions the new KKiller 3.4.1 isn't usable. I would like to test it by myself... thanks
Isaias Guimarães
QUOTE(Shinigami @ 4.04.2009 00:52) *
The av industry does not state that they can give you 100% protection from everything. Viruses, malware, everything is becoming more complicated as we speak, but in response the av industry is finding ways to fight against these online threats.


Sir,
I think what you stated is not correct. I think we have reached this point of such a strong outbreak because administrators are unprepared, to the point of not keeping their systems current. If all the operating systems in the world were updated with security patches, the Kido infection would clearly have been a passing one, or its creator would not have created the virus at all, because it exploits a security hole in the OS.
Regards,

Updating is not complicated. :rolleyes:
Raymond Hartneck
QUOTE(Isaias Guimarães @ 6.04.2009 13:19) *
Sir,
I think what you stated is not correct. I think we have reached this point of such a strong outbreak because administrators are unprepared, to the point of not keeping their systems current. If all the operating systems in the world were updated with security patches, the Kido infection would clearly have been a passing one, or its creator would not have created the virus at all, because it exploits a security hole in the OS.
Regards,

Updating is not complicated. :rolleyes:


Agree 100%.

Admins need to step up and do their job by ensuring they are doing everything they can to protect the network they support. I see it in these forums, and elsewhere, every day how lazy people are, coming in here ranting because they didn't take the correct steps to protect their assets. It's not Kaspersky's fault that people get viruses, and admins need to own up and take responsibility for their own mistakes. This Kido worm isn't new; it's been in the news at least 4 times now over the past 6 months, and everything points back to keeping your computers updated with MS patches. I don't have it on my network, and I support multiple sites. If people don't want to own up to that fact then I don't know what to say, but to come in here complaining about your own faults as a network admin, I have no pity for that.

Stop blaming Kaspersky and other vendors for a mistake that is clearly your own -- own up to it, and learn from it. It's really that simple.

Good post Isaias.
LostUser
If anyone really wants to place blame, blame the makers of the malware/virus etc. Now, since this is not a perfect, "no harm to anyone or anything", world, people have to move to the next step. Since blaming the makers of malware isn't going to help, we have to install the patches on systems as they are discovered.

However, there are some cases where patches can't be installed or need to be tested thoroughly before being installed. This isn't usually the case for specific patches but can be for the multiple-fix patches. Obviously I have to relate this to Microsoft in this case in dealing with the Kido situation (yes, I know they had a patch before it became a big problem). Kido is not a simple virus either. With its site blocking, use of system privileges, broadcasting, file sharing, downloading, etc., it is a pretty well done piece of software.

Also, some places have equipment under their roof that is not under their control or is so sensitive in its use that installation of antivirus software, patches/updates, remote control software, etc. is risky and takes time to test. We have one PC specifically, that has been patched (I am going to review the full situation) but with Kaspersky on it and running in active mode (or whatever you call it) causes the PC to reboot when the virus activates in some form. This PC provides a critical function to the department it is in so I have set Kaspersky to watch but not do anything. I try something different every now and then and I know eventually I will work it out.

Admittedly our environment needs to be more secure as far as new installations (not getting infected before updates can be applied) and keeping up to date on patches. A lot of donated money and time to update all the PCs and get WinXP installed on them would be just peachy. That dream won't be a reality for quite a while, however. My hope is that we learn from these types of viral situations and move to change our environment to handle them better. I don't mean just fix what happened and change a few things. I mean think about different situations that COULD happen and see how we can take REAL steps and TEST them.
Invision Power Board © 2001-2009 Invision Power Services, Inc.