Hello,

We have a big issue with this Net-Worm.Win32.kido.ih variation of Net-Worm.Win32.kido
Kaspersky Av for workstation 6.0.3.837 is detecting this Net-Worm.Win32.kido.ih but it can't delete or disinfect.
kaspersky says after detecting can't delete because there is not write access. we have try to delete in safe mode but can't delete. and also we have tried klwk tool but it won't detected also because Net-Worm.Win32.kido.ih definition file is not in that
tool.

So can someone help to remove this virus Net-Worm.Win32.kido.ih from our network because we have more than 500 clients infected by this virus. we have also installed the windows patch regarding this virus already. please check screen shots i have provide that is what we found on our systems. there is duplicate virus service & random dll

please help me ASAP.

Thank you!

I also facing this problem, where the kido.ih virus cant be deleted. I have try scanning in safe mode, and also rescue disk. But both method also failed.

Finally, I use AVZ to scan the system. Surprisingly, it can delete the file with "write access is denied". So, maybe you can try to scan the system with AVZ, which can be download here: http://www.z-oleg.com/avz4.zip

thanks for reply. what about the virus service? Is it getting deleted also? are you really sure about this?
we have a more than 500 pc's infected. So this will be really hard job.
.

HI,
I have the exactly same problem but avz doesnt work..

Look this thread.

davinci has posted a link from KL.

Dear Helmut,

I have tried that but won't help. That kaspersky tool won't detect Net-Worm.Win32.kido.ih variation.
So what should i do now?

Have you tried this.

And the utility klwk ?

Yes. but it won't detect Net-Worm.Win32.kido.ih variation of kido

Send the infected files to Kaspersky (newvirus@kaspersky.com) or send me the infected files (rar compressed and password protected "infected"), for review.

Dear Caos,

I think you didn't understand our situation. please read my 1st post.

The Kaspersky utility to remove this virus is klwk, it klwk don´t detect this variant, need samples for review and add to klwk utility.
It´s my opinion.

If you need a sample i can send it to you. how do i send it to you?

Send me one pm with the sample or upload the sample to www.rapidshare.com (winrar compressed and password protected "infected") and send me one pm with the link.

I have tried to do that but it says Upload failed. Please ask the administrator to check the settings and permissions. i'll tried with Rapaid share.

Tried with rapidshare, send me mp with the link.

Hello,
i am also interested in that version of kido worm, can you post info on the forum if you find some solution for it ?

tnx

Hello We have the same problem with this virus and the variants. To resolve the problem temporaly, we most go host by host doing the desinfection. We reload system in safe mode and then the file wich kaspersky detect but it doesn´t eliminated, we change the segurity permisions on the file, and then we eliminate the file. but it´s very important to install the parches of Windows, if you don´t apply the actualizations of windows, the machine infecte again. this virus use the port 445 to send very much traffic on the network and to generate an indisponible system.

Kaspersky it´s working on it.

We have exactly the same problem Please, if you find any solutions don't forget to post them here. Thank you in advance!

Oh, i hate this problem. And finaly I re-installed my system.

Dear Caos..

I'v got a "f@#k" serious problem with Kido..here is the samples (Kido ih-ef-hs) please help add it so new klwk can remove totally..thank you



Regards,
AryZzaA

Hi, AryZzaA!

It would be better to either remove that link from the forum or disable it. Better even: send Caos a PM. We are not supposed to post links to malware on this forum...

P.S.: In your case I would try blocking functionality the malware depends upon to isolate it:
* disable File and Printer Sharing + Microsoft Client in the Internet Connection settings on ALL interfaces.
* disable autorun on ALL drives and for all devices ( http://forum.kaspersky.com/index.php?showt...mp;#entry856180 )
* check the Task Scheduler service (you could even disable it)
* Do a search with gmer and post the results. There must be an unknown service + a file by the same name in the System32 folder

Paul

Hello,
yes everything that you have said is connected with blocking the worm, but what about removing it from the system ?
klwk util does not help with .ih version do you have any information about this ?

thanks

I think you should use a free rootkit remover tool like gmer to reveal what service is active and which file in the system32 folder is related to it. Then these should be removed - there is no KL tool available yet that can do this for you. So sorry.
P.S.: Keep in mind that NO cure will help unless you have patched the system for the Server service vulnerability!

Paul

Ok, cool i will try to see if i can do something with gmer, as for kl tool i am aware that there is no fix tool yet



Can you tell me on which Server service do you mean ? Is there something new or you think on this:
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Tnx for yours reply

That's exactly the one I'm talking about.

Paul

Yes

but that does not make changes in deleting infected files also there is a problem with windows scheduler which download
new malware all the time did you try to block this scheduler by windows domain controler policy ? Colud this help ?

because, we can find infected pc, and we can delete infected files but same machine get infected over and over again i really need some more info about this

tnx a lot.

br

I'm a VERY cruel person - on my own computer I have only 20 services left from the 64 or something that come with XP.

I'm sure the Scheduler service should be blocked if you want to beat this thing (I deleted it a long time ago because it keeps a random port open in the range of 1025-1032). I also deleted File & Printer Sharing and Microsoft Client from all network interfaces. In that way you get rid of Computer Browser, Workstation and the notorious Server service. But of course, in a corporate environment you can't do that. Disabling that stuff may help though - you have to give the malware a hard time to stay alive. That way you may see all kinds of error reports in the system logs. Working with Gmer is a must.

Paul

Yes, i need to work in corp env. so i can't do stuff like you did on your pc i will try to think of something with domain controller. I will scan with Gmer for sure

Thanks for your reply if you receive any kind of info about this problem please alert me at once ))

Hi all,

check out the following Microsoft Support Database Article for a current workaround:
http://support.microsoft.com/?scid=kb%3Ben...p;x=14&y=17

Kaspersky Lab Worm Killer Utility has been updated but the version for .ih variant is still in progress. So stay tuned...

Regards,
dawinci

There is not a way to fix this yet ?? I'm desperate...

Please don't leave us behind! Thank You!

Our network consisting of 600 clients and 70 servers went down totally because of this worm on the 5th of January, and we were promised a fix from Kaspersky within a day or two....still nothing

However, we have managed to manually (and with a little help from our SCCM server) clean the entire network! As long as you have a virusdefinition from around the 10th of January you can beat this thing. Here's a quick guide to how we did it:

1. ALL computers in your network must have the update KB958644! Download from a healthy pc and deploy either via SMS, SCCM or the Kaspersky admin kit, loginscript or manually. Remember to NEVER login to an infected PC with a domain account, use the local administrator!
2. Stop the SERVER service on all computers, except for your AD servers, I'm not sure the effect it might have on AD servers.
3. Believe it or not, Microsoft's malicious software removal tool removes the virus and the file that is locked after a reboot! First you need to disable autoplay, since if the virus has spread to some network shares (and it has), your computers will be infected again as soon as they try to connect to the shares. This can be done with a GPO, however, this doesn't work since the autorun.inf is still read, and that triggers the infection of your pc. Better way is to make Windows ignore autorun.inf files completely, and this is done with the following regfile: Save as regfile and import. This one works on both workstation and servers.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


4. After setting the value in the registry, run the Malicious software removal tool (called Windows kb - 890830-v2.6.exe) with the /q switch. Check the log in C:\Winnt\Debug\Mrt.log to see that the virus service and file has been deleted, or will be deleted after a reboot.

5. Go to the following key in the registry: HKLM\Software\Microsoft\Windows NT\Current Version\SvcHost. Doubleclick "netsvc" and check the value at the bottom to see if it matches the name you could see in the Mrt.log file in step 4. Remove the value.

6. Go to SERVICES, and enable BITS and Automatic updates again.

7. Reboot your Pc and enjoy a worm free machine.

A little tip though: Start with your servers, and if necessary, reboot them in safe mode to remove the infected files which Kaspersky should find on the shares.

Thanks for nothing to kaspersky for not fixing this for us....

Very sorry to let you know, but Microsoft seems to have issued a third patch for the same vulnerability:
http://www.microsoft.com/technet/security/...n/ms09-001.mspx
I could go on and on about the mistaken notion of patching as a solid approach to security issues, but I won't bother anyone with this. I have a feeling, that Microsoft doesn't really solve the problem, but just relocates physical addresses for the same vulnerability...

Paul

Hello, eveyone.

Here is some info from me about this worm.

- we have found the solution for remove this version of kido .IH

- apply MS patch first one
- disable scheduler over domain controller
- run full system scan with kav 6.0.3.837
- apply MS patch :

http://support.microsoft.com/?scid=kb%3Ben...p;x=14&y=17

*find it somewhere onto this site, i am very tired so i can't search any more sorry*

Reboot PC after that, i have information that we have cleaned about 100 of windows xp workstations by this solution.

I hope that this will help.

Hello,

After remove the virus do we have to remove that reg value?

Hello,

Maybe it is not vital to remove the value, but I do it anyway to be on the safe side. Speaking of item no.5 in my list of course. Leaving it in would make the computer check for a service that is no longer installed, probably making your pc boot slower or something

Hi all,

new Kaspersky KidoKiller Tool has been provided. Find it attached. Usage:

KidoKiller.exe -p %windir%\system32\

Regards,
dawinci

P.S. To use KidoKiller Tool with Administrationkit-Server use following article in Knowledge-DB

Good news. Thanks.

This one works on .ih?

Yes!

Yes. Generic detection for kido and variants, included ih.

Nice, will deploy at once!

Is there a logfile where you can see what the tool has done?

KidoKiller usage:

kidokiller.exe -p %windir%\system32\ > X:\logfile_%COMPUTERNAME%.txt (where drive X: is a mapped network drive)

Ok,
i have tried this app on ifected pc. There is no option to remove infected files from Windows XP SP3 all patches installed in normal mode,
user need to run this PC from some live CD OS and then to start kidokiller from USB disk and in that case worm was detected ?

Some ideas ?

Thank you all for your help mates!

Kidokiller detects end cures 1 file on my computers, but after a while this file appears again. I have applied Microsoft's patch for this vulnerability and disabled system restoration.

Anything else i could do to avoid this worm's regeneration?

Thanks !

Do you have some live cd ?

Or just to run safe mod on that pc ? and try to remove it from there ?

You have to disable autoplay, see my first post with the registry setting. The virus reappears because it connects to a network share that has the virus and an autorun.inf file. This is the same as an infected USB stick. After importing the registry setting a restart of the computer is required. Please check your servers for shares containing a hidden "Recycler" folder that contains a .vmx file. To see this you have to be able to see hidden files and protected operating system files.

cool.
key is created we will see now

Just as a reference, and an additional thing to try at the bottom of this article. Windows caches info about connected devices and maybe you have to delete this key...Make sure it is the correct one you delete!

http://www.cert.org/blogs/vuls/2008/04/the...ws_autorun.html