Net-Worm.Win32.kido.ih can remove

manawa

Hello,

 

We have a big issue with this Net-Worm.Win32.kido.ih variant of Net-Worm.Win32.kido.

Kaspersky AV for Workstations 6.0.3.837 detects Net-Worm.Win32.kido.ih, but it cannot delete or disinfect it.

After detection Kaspersky reports that it cannot delete the file because there is no write access. We have tried deleting it in Safe Mode but cannot. We have also tried the klwk tool, but it does not detect it either, because the Net-Worm.Win32.kido.ih definition is not in that tool.

 

So can someone help us remove this virus, Net-Worm.Win32.kido.ih, from our network? We have more than 500 clients infected by it. We have also already installed the Windows patch for this virus. Please check the screenshots I have provided; that is what we found on our systems: there is a duplicate virus service and a random DLL.

 

Please help me ASAP.

 

Thank you!

 

edit: topic closed after being bumped up after 30 months of inactivity.

Edited by richbuff

namh   

I am also facing this problem, where the kido.ih virus can't be deleted. I have tried scanning in Safe Mode and also with the Rescue Disk, but both methods failed.

 

Finally, I used AVZ to scan the system. Surprisingly, it could delete the file that had "write access is denied". So maybe you can try scanning the system with AVZ, which can be downloaded here: http://www.z-oleg.com/avz4.zip

manawa   
> I am also facing this problem, where the kido.ih virus can't be deleted. I have tried scanning in Safe Mode and also with the Rescue Disk, but both methods failed.
>
> Finally, I used AVZ to scan the system. Surprisingly, it could delete the file that had "write access is denied". So maybe you can try scanning the system with AVZ, which can be downloaded here: http://www.z-oleg.com/avz4.zip

Thanks for the reply. What about the virus service? Is it getting deleted as well? Are you really sure about this?

We have more than 500 PCs infected, so this will be a really hard job.

Edited by manawa

manawa   
> Look at this thread.
>
> davinci has posted a link from KL.

Dear Helmut,

I have tried that, but it doesn't help. That Kaspersky tool doesn't detect the Net-Worm.Win32.kido.ih variant.

So what should I do now?

Caos   

Send the infected files to Kaspersky (newvirus@kaspersky.com) or send them to me (RAR compressed and password protected with "infected") for review.

manawa   
> Send the infected files to Kaspersky (newvirus@kaspersky.com) or send them to me (RAR compressed and password protected with "infected") for review.

Dear Caos,

I think you didn't understand our situation. Please read my first post.

Caos   
> Dear Caos,
>
> I think you didn't understand our situation. Please read my first post.

The Kaspersky utility to remove this virus is klwk. If klwk doesn't detect this variant, samples are needed for review so that the variant can be added to the klwk utility.

That's my opinion.

 

How to fight network worm Net-Worm.Win32.Kido

Methods of disinfection.

Regardless of the selected disinfection method, it is obligatory that the patch from Microsoft that covers the vulnerability MS08-067 is installed. More information via the link: http://www.microsoft.com/technet/security/...n/MS08-067.mspx

A special utility should be used to remove this worm. The utility can be run locally on the infected PC, or remotely with the help of Kaspersky Administration Kit.

* To remove the virus locally:

1. Download the archive with the utility (klwk.zip) and extract the contents into a folder on the infected PC.

2. Run the file run_klwk.bat.

3. Wait till the scan is complete.

* To remove the virus via Administration Kit:

1. Download the archive with the utility (klwk.zip) and extract the contents into a folder.

2. In the Administration Kit console, create an installation package for the application klwk.com. In the installation package settings, specify the command-line parameters:

/path %WINDIR%\system32

3. Create a task for remote installation of the package to the designated computers and run the task.

After the scan is complete, a window with the scan results will stay open; it is closed when any key is pressed.

To close this window automatically, run the KLWK utility with the additional parameter /y:

/y /path %WINDIR%\system32

Edited by Caos

manawa   
> The Kaspersky utility to remove this virus is klwk. If klwk doesn't detect this variant, samples are needed for review so that the variant can be added to the klwk utility.
>
> That's my opinion.

If you need a sample I can send it to you. How do I send it to you?

 

Caos   

Send me a PM with the sample, or upload the sample to www.rapidshare.com (WinRAR compressed and password protected with "infected") and send me a PM with the link.

Edited by Caos

manawa   
> Send me a PM with the sample, or upload the sample to www.rapidshare.com (WinRAR compressed and password protected with "infected") and send me a PM with the link.

I have tried to do that, but it says "Upload failed. Please ask the administrator to check the settings and permissions." I'll try with Rapidshare.

srle   
> Tried with Rapidshare, sent a PM with the link.

Hello,

I am also interested in that version of the Kido worm. Can you post info on the forum if you find a solution for it?

Thanks

 

jyovani7   

Hello, we have the same problem with this virus and its variants. To resolve the problem temporarily, we have to go host by host doing the disinfection. We reboot the system in Safe Mode and then, for the file that Kaspersky detects but doesn't eliminate, we change the security permissions on the file and then delete it. But it's very important to install the Windows patches; if you don't apply the Windows updates, the machine gets infected again. This virus uses port 445 to send a lot of traffic on the network and to make the system unavailable.

Goliva   
> Yes, but it won't detect the Net-Worm.Win32.kido.ih variant of Kido.

We have exactly the same problem :dash1: Please, if you find any solutions, don't forget to post them here. Thank you in advance!

aryzzaa   
> Send the infected files to Kaspersky (newvirus@kaspersky.com) or send them to me (RAR compressed and password protected with "infected") for review.

Dear Caos,

I've got a "f@#k" serious problem with Kido. Here are the samples (Kido ih-ef-hs); please help add them so the new klwk can remove it totally. Thank you.

Regards,

AryZzaA

Edited by Baz^^
Link removed.

p2u   
> Here are the samples (Kido ih-ef-hs); please help add them so the new klwk can remove it totally. Thank you.
>
> link: http://rapidshare.com/files/184732370/KIDO.zip.html
>
> PASSWORD=12345

Hi, AryZzaA!

It would be better to either remove that link from the forum or disable it. Better still: send Caos a PM. We are not supposed to post links to malware on this forum... ;)

P.S.: In your case I would try blocking the functionality the malware depends upon, to isolate it:

* disable File and Printer Sharing and the Microsoft Client in the Internet Connection settings on ALL interfaces.

* disable autorun on ALL drives and for all devices ( http://forum.kaspersky.com/index.php?showt...mp;#entry856180 )

* check the Task Scheduler service (you could even disable it)

* do a search with gmer and post the results. There must be an unknown service plus a file by the same name in the System32 folder.

Paul

Edited by p2u

srle   
> Hi, AryZzaA!
>
> It would be better to either remove that link from the forum or disable it. Better still: send Caos a PM. We are not supposed to post links to malware on this forum... ;)
>
> P.S.: In your case I would try blocking the functionality the malware depends upon, to isolate it:
>
> * disable File and Printer Sharing and the Microsoft Client in the Internet Connection settings on ALL interfaces.
>
> * disable autorun on ALL drives and for all devices ( http://forum.kaspersky.com/index.php?showt...mp;#entry856180 )
>
> * check the Task Scheduler service (you could even disable it)
>
> * do a search with gmer and post the results. There must be an unknown service plus a file by the same name in the System32 folder.
>
> Paul

Hello,

Yes, everything you have said is about blocking the worm, but what about removing it from the system?

The klwk utility does not help with the .ih version. Do you have any information about this?

Thanks

 

p2u   
> Hello,
>
> Yes, everything you have said is about blocking the worm, but what about removing it from the system?
>
> The klwk utility does not help with the .ih version. Do you have any information about this?

I think you should use a free rootkit remover tool like gmer to reveal which service is active and which file in the System32 folder is related to it. Then these should be removed; there is no KL tool available yet that can do this for you. So sorry.

P.S.: Keep in mind that NO cure will help unless you have patched the system for the Server service vulnerability!

 

Paul

Edited by p2u
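The steps scattered across the thread (p2u's isolation checklist and gmer step above, jyovani7's change-the-permissions-then-delete step earlier) pulled together into one script, as an added example that is not from the thread, from Kaspersky or from gmer. It reports whether the MS08-067 fix (KB958644) is installed, shows the state of the Task Scheduler and Server (TCP 445) services and the NoDriveTypeAutoRun policy the worm depends on, lists svchost-hosted services whose ServiceDll under System32 lacks a valid Microsoft Authenticode signature (a shortlist to confirm with gmer, since the worm's random service and DLL names are not known here), and only when run with -Remove and a confirmed service name deletes the service, takes ownership of the DLL to clear the "write access denied", and removes it. Assumptions: an elevated PowerShell 2.0 or later session on Vista/2008 or newer (takeown.exe and icacls.exe ship from there; XP needs cacls); the service name is your own gmer result, no indicator is supplied. On systems where Microsoft DLLs are catalog-signed rather than embedded-signed the shortlist will include legitimate services, so treat it as candidates, not verdicts.

```powershell
# Added example, not from the thread: triage and manual removal of a Kido-style
# svchost-hosted service. Run in an elevated PowerShell. Nothing below is a known
# indicator; the service name must come from your own gmer review.
param(
    [string]$ServiceName,   # name of the rogue service confirmed with gmer
    [switch]$Remove         # without this switch the script only reports
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 1. MS08-067 (Server service) fix; KB958644 is the bulletin's KB article.
#    As p2u says, no removal holds until this is installed.
$patched = [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)
"MS08-067 fix (KB958644) installed: $patched"

# 2. Spread vectors from p2u's isolation list: Task Scheduler, the Server service
#    (SMB on TCP 445) and autorun. NoDriveTypeAutoRun 0xFF disables autorun on all drive types.
"Task Scheduler (Schedule): " + (Get-Service Schedule).Status
"Server (LanmanServer, TCP 445): " + (Get-Service LanmanServer).Status
$pol     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
"NoDriveTypeAutoRun: $autorun  (255 = 0xFF = autorun off on all drives)"

# 3. Candidates: hosted by svchost.exe, ServiceDll under System32, and the DLL has no
#    valid Microsoft Authenticode signature. Confirm every hit with gmer before removal.
$system32 = Join-Path $env:WINDIR 'System32'
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not ($svc.ImagePath -match 'svchost\.exe')) { return }
    $params = Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    if (-not $dll.StartsWith($system32, 'OrdinalIgnoreCase')) { return }
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    $microsoft = $sig -and $sig.Status -eq 'Valid' -and
                 $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
    if ($microsoft) { return }
    $status = if ($sig) { $sig.Status } else { 'file missing' }
    New-Object PSObject -Property @{
        Service    = $_.PSChildName
        ServiceDll = $dll
        Signature  = $status
    }
} | Format-Table Service, ServiceDll, Signature -AutoSize

# 4. Removal of the confirmed service and DLL: delete the service, take ownership and
#    reset the file ACL (the "write access denied" the posters hit), then delete.
#    If the DLL is still loaded in an svchost process Remove-Item fails; reboot into
#    Safe Mode and rerun this step, as jyovani7 describes.
if ($Remove -and $ServiceName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $dll = [Environment]::ExpandEnvironmentVariables(
               (Get-ItemProperty "$key\Parameters").ServiceDll)
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    & sc.exe delete $ServiceName | Out-Null                   # service marked for deletion
    & takeown.exe /F $dll | Out-Null                          # current user becomes owner
    & icacls.exe $dll /grant '*S-1-5-32-544:F' | Out-Null     # Administrators SID, locale-independent
    Remove-Item -LiteralPath $dll -Force
    "Removed service $ServiceName and $dll. Reboot, patch if not already done, then rescan."
}
```

Run it once without switches to get the report and the candidate table, compare the candidates with gmer's output, and only then rerun with `-ServiceName <name> -Remove`. Steps 1 and 2 matter as much as step 4: with the Server service exposed on TCP 445 and MS08-067 unpatched, a cleaned host on a 500-client network is reinfected from its neighbours, which is the loop the thread describes.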

srle   
> I think you should use a free rootkit remover tool like gmer to reveal which service is active and which file in the System32 folder is related to it. Then these should be removed; there is no KL tool available yet that can do this for you. So sorry.

OK, cool, I will try to see if I can do something with gmer. As for the KL tool, I am aware that there is no fix tool yet :(

> P.S.: Keep in mind that NO cure will help unless you have patched the system for the Server service vulnerability!
>
> Paul

Can you tell me which Server service you mean? Is there something new, or are you thinking of this:

http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Thanks for your reply

 

This topic is now closed to further replies.