Net-Worm.Win32.kido.ih can remove
Kaspersky Lab Forum, English User Forum, Virus-related issues
manawa
Hello,

We have a big issue with this Net-Worm.Win32.kido.ih variation of Net-Worm.Win32.kido.
Kaspersky AV for Workstation 6.0.3.837 is detecting this Net-Worm.Win32.kido.ih but it can't delete or disinfect it.
Kaspersky says, after detecting it, that it can't delete it because there is no write access. We have tried to delete it in safe mode but can't. We have also tried the klwk tool, but it won't detect it either, because the Net-Worm.Win32.kido.ih definition is not in that tool.

So can someone help to remove this virus Net-Worm.Win32.kido.ih from our network, because we have more than 500 clients infected by it. We have also installed the Windows patch for this virus already. Please check the screenshots I have provided; that is what we found on our systems. There is a duplicate virus service & random DLL.

Please help me ASAP.

Thank you!

edit: topic closed after being bumped up after 30 months of inactivity.
namh
I am also facing this problem, where the kido.ih virus can't be deleted. I have tried scanning in safe mode and also with the rescue disk, but both methods failed.

Finally, I used AVZ to scan the system. Surprisingly, it can delete the file with "write access is denied". So maybe you can try to scan the system with AVZ, which can be downloaded here: http://www.z-oleg.com/avz4.zip
manawa
QUOTE(namh @ 13.01.2009 11:10) *
I am also facing this problem, where the kido.ih virus can't be deleted. I have tried scanning in safe mode and also with the rescue disk, but both methods failed.

Finally, I used AVZ to scan the system. Surprisingly, it can delete the file with "write access is denied". So maybe you can try to scan the system with AVZ, which can be downloaded here: http://www.z-oleg.com/avz4.zip


Thanks for the reply. What about the virus service? Is it getting deleted also? Are you really sure about this?
We have more than 500 PCs infected, so this will be a really hard job.
ambadmin
Hi,
I have exactly the same problem but AVZ doesn't work..
Helmut
Look at this thread.

davinci has posted a link from KL.
manawa
QUOTE(Helmut @ 15.01.2009 18:37) *
Look at this thread.

davinci has posted a link from KL.


Dear Helmut,

I have tried that but it doesn't help. That Kaspersky tool won't detect the Net-Worm.Win32.kido.ih variation.
So what should I do now?


Caos
Have you tried this?

And the utility klwk?
manawa
QUOTE(Caos @ 16.01.2009 16:03) *
Have you tried this?

And the utility klwk?


Yes, but it won't detect the Net-Worm.Win32.kido.ih variation of kido.
Caos
Send the infected files to Kaspersky (newvirus@kaspersky.com) or send me the infected files (rar compressed and password protected "infected"), for review.
manawa
QUOTE(Caos @ 16.01.2009 16:09) *
Send the infected files to Kaspersky (newvirus@kaspersky.com) or send me the infected files (rar compressed and password protected "infected"), for review.



Dear Caos,

I think you didn't understand our situation. Please read my 1st post.
Caos
QUOTE(manawa @ 16.01.2009 10:42) *
Dear Caos,

I think you didn't understand our situation. Please read my 1st post.


The Kaspersky utility to remove this virus is klwk; if klwk doesn't detect this variant, they need samples for review to add it to the klwk utility.
It's my opinion.

QUOTE
How to fight network worm Net-Worm.Win32.Kido

Methods of disinfection.

Regardless of the selected disinfection method, it is obligatory that the patch from Microsoft, that covers the vulnerability MS08-067, is installed. More information via the link: http://www.microsoft.com/technet/security/...n/MS08-067.mspx

A special utility should be used to remove this worm. The utility can be run locally on the infected PC, or remotely with the help of Kaspersky Administration Kit.

* To remove the virus locally:

1. Download the archive with the utility (klwk.zip) and extract the contents into a folder on the infected PC.

2. Run file run_klwk.bat

3. Wait till the scanning is complete.

* To remove the virus via Administration Kit:

1. Download the archive with the utility klwk.zip and extract contents into a folder.

2. In Administration Kit console create installation package for application klwk.com. In the installation package settings indicate command line parameters:

/path %WINDIR%\system32

3. Create a task for remote installation of the package to designated computers and run the task.

After the scanning is complete a window with the scan results will stay open, and it will be closed if any key is pressed.

To close this window automatically you can run the utility KLWK with additional parameter /y

/y /path %WINDIR%\system32
manawa
QUOTE(Caos @ 16.01.2009 16:18) *
The Kaspersky utility to remove this virus is klwk; if klwk doesn't detect this variant, they need samples for review to add it to the klwk utility.
It's my opinion.


If you need a sample I can send it to you. How do I send it to you?
Caos
Send me a PM with the sample, or upload the sample to www.rapidshare.com (WinRAR compressed and password protected "infected") and send me a PM with the link.
manawa
QUOTE(Caos @ 16.01.2009 16:22) *
Send me a PM with the sample, or upload the sample to www.rapidshare.com (WinRAR compressed and password protected "infected") and send me a PM with the link.



I have tried to do that but it says "Upload failed. Please ask the administrator to check the settings and permissions." I'll try with Rapidshare.
Caos
Try with Rapidshare and send me a PM with the link.
srle
QUOTE(Caos @ 16.01.2009 11:03) *
Try with Rapidshare and send me a PM with the link.



Hello,
I am also interested in that version of the kido worm. Can you post info on the forum if you find some solution for it?

Thanks
Ypiamba
Hello. We have the same problem with this virus and its variants. To resolve the problem temporarily, we must go host by host doing the disinfection. We reboot the system in safe mode, and then for the file which Kaspersky detects but doesn't eliminate, we change the security permissions on the file and then eliminate the file. But it's very important to install the Windows patches; if you don't apply the Windows updates, the machine gets infected again. This virus uses port 445 to send a lot of traffic on the network and to make the system unavailable.
Caos
Kaspersky is working on it.
Goliva
QUOTE(manawa @ 16.01.2009 12:36) *
Yes, but it won't detect the Net-Worm.Win32.kido.ih variation of kido.


We have exactly the same problem. Please, if you find any solutions, don't forget to post them here. Thank you in advance!
ilikekasper
Oh, I hate this problem. And finally I re-installed my system.
aryzzaa
QUOTE(Caos @ 16.01.2009 16:39) *
Send the infected files to Kaspersky (newvirus@kaspersky.com) or send me the infected files (rar compressed and password protected "infected"), for review.



Dear Caos..

I've got a "f@#k" serious problem with Kido.. here are the samples (Kido ih-ef-hs), please help add them so the new klwk can remove it totally.. thank you



Regards,
AryZzaA
p2u
QUOTE(aryzzaa @ 17.01.2009 11:20) *
here are the samples (Kido ih-ef-hs), please help add them so the new klwk can remove it totally.. thank you
link : http://rapidshare.com/files/184732370/KIDO.zip.html
PASSWORD=12345

Hi, AryZzaA!

It would be better to either remove that link from the forum or disable it. Better even: send Caos a PM. We are not supposed to post links to malware on this forum...

P.S.: In your case I would try blocking functionality the malware depends upon to isolate it:
* disable File and Printer Sharing + Microsoft Client in the Internet Connection settings on ALL interfaces.
* disable autorun on ALL drives and for all devices ( http://forum.kaspersky.com/index.php?showt...mp;#entry856180 )
* check the Task Scheduler service (you could even disable it)
* Do a search with gmer and post the results. There must be an unknown service + a file by the same name in the System32 folder

Paul
srle
QUOTE(p2u @ 17.01.2009 09:29) *
Hi, AryZzaA!

It would be better to either remove that link from the forum or disable it. Better even: send Caos a PM. We are not supposed to post links to malware on this forum...

P.S.: In your case I would try blocking functionality the malware depends upon to isolate it:
* disable File and Printer Sharing + Microsoft Client in the Internet Connection settings on ALL interfaces.
* disable autorun on ALL drives and for all devices ( http://forum.kaspersky.com/index.php?showt...mp;#entry856180 )
* check the Task Scheduler service (you could even disable it)
* Do a search with gmer and post the results. There must be an unknown service + a file by the same name in the System32 folder

Paul


Hello,
Yes, everything that you have said is connected with blocking the worm, but what about removing it from the system?
The klwk util does not help with the .ih version; do you have any information about this?

Thanks
p2u
QUOTE(srle @ 17.01.2009 15:53) *
Hello,
Yes, everything that you have said is connected with blocking the worm, but what about removing it from the system?
The klwk util does not help with the .ih version; do you have any information about this?

I think you should use a free rootkit remover tool like gmer to reveal what service is active and which file in the system32 folder is related to it. Then these should be removed - there is no KL tool available yet that can do this for you. So sorry.
P.S.: Keep in mind that NO cure will help unless you have patched the system for the Server service vulnerability!

Paul
srle
QUOTE(p2u @ 17.01.2009 14:16) *
I think you should use a free rootkit remover tool like gmer to reveal what service is active and which file in the system32 folder is related to it. Then these should be removed - there is no KL tool available yet that can do this for you. So sorry.


Ok, cool, I will try to see if I can do something with gmer; as for the KL tool, I am aware that there is no fix tool yet.

QUOTE(p2u @ 17.01.2009 14:16) *
P.S.: Keep in mind that NO cure will help unless you have patched the system for the Server service vulnerability!
Paul


Can you tell me which Server service you mean? Is there something new, or do you mean this:
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Thanks for your reply
p2u
QUOTE(srle @ 17.01.2009 16:37) *
Can you tell me which Server service you mean? Is there something new, or do you mean this:
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

That's exactly the one I'm talking about.

Paul
srle
QUOTE(p2u @ 17.01.2009 16:48) *
That's exactly the one I'm talking about.

Paul



Yes.

But that does not make any difference in deleting infected files. Also there is a problem with the Windows scheduler, which downloads new malware all the time. Did you try to block this scheduler by Windows domain controller policy? Could this help?

Because we can find infected PCs and we can delete infected files, but the same machine gets infected over and over again. I really need some more info about this.

Thanks a lot.

br
p2u
QUOTE(srle @ 17.01.2009 20:41) *
did you try to block this scheduler by windows domain controller policy ? Could this help ?

I'm a VERY cruel person - on my own computer I have only 20 services left from the 64 or something that come with XP.

I'm sure the Scheduler service should be blocked if you want to beat this thing (I deleted it a long time ago because it keeps a random port open in the range of 1025-1032). I also deleted File & Printer Sharing and Microsoft Client from all network interfaces. In that way you get rid of Computer Browser, Workstation and the notorious Server service. But of course, in a corporate environment you can't do that. Disabling that stuff may help though - you have to give the malware a hard time to stay alive. That way you may see all kinds of error reports in the system logs. Working with Gmer is a must.

Paul
srle
QUOTE(p2u @ 17.01.2009 21:23) *
But of course, in a corporate environment you can't do that. Disabling that stuff may help though - you have to give the malware a hard time to stay alive. That way you may see all kinds of error reports in the system logs. Working with Gmer is a must.
Paul


Yes, I need to work in a corporate environment, so I can't do stuff like you did on your PC. I will try to think of something with the domain controller. I will scan with Gmer for sure.

Thanks for your reply; if you receive any kind of info about this problem, please alert me at once.
dawinci
Hi all,

check out the following Microsoft Support Database Article for a current workaround:
http://support.microsoft.com/?scid=kb%3Ben...p;x=14&y=17

Kaspersky Lab Worm Killer Utility has been updated but the version for .ih variant is still in progress. So stay tuned...

Regards,
dawinci
Goliva
There is not a way to fix this yet ?? I'm desperate...

Please don't leave us behind! Thank You!
AndreasM
Our network, consisting of 600 clients and 70 servers, went down totally because of this worm on the 5th of January, and we were promised a fix from Kaspersky within a day or two.... still nothing.

However, we have managed to manually (and with a little help from our SCCM server) clean the entire network! As long as you have a virus definition from around the 10th of January you can beat this thing. Here's a quick guide to how we did it:

1. ALL computers in your network must have the update KB958644! Download from a healthy PC and deploy either via SMS, SCCM or the Kaspersky admin kit, login script or manually. Remember to NEVER log in to an infected PC with a domain account; use the local administrator!
2. Stop the SERVER service on all computers, except for your AD servers; I'm not sure of the effect it might have on AD servers.
3. Believe it or not, Microsoft's Malicious Software Removal Tool removes the virus and the file that is locked after a reboot! First you need to disable autoplay, since if the virus has spread to some network shares (and it has), your computers will be infected again as soon as they try to connect to the shares. This can be done with a GPO; however, this doesn't work since the autorun.inf is still read, and that triggers the infection of your PC. A better way is to make Windows ignore autorun.inf files completely, and this is done with the following reg file. Save as a reg file and import. This one works on both workstations and servers.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


4. After setting the value in the registry, run the Malicious Software Removal Tool (called Windows kb - 890830-v2.6.exe) with the /q switch. Check the log in C:\Winnt\Debug\Mrt.log to see that the virus service and file have been deleted, or will be deleted after a reboot.

5. Go to the following key in the registry: HKLM\Software\Microsoft\Windows NT\Current Version\SvcHost. Double-click "netsvc" and check the value at the bottom to see if it matches the name you could see in the Mrt.log file in step 4. Remove the value.

6. Go to SERVICES, and enable BITS and Automatic Updates again.

7. Reboot your PC and enjoy a worm-free machine.

A little tip though: start with your servers, and if necessary, reboot them in safe mode to remove the infected files which Kaspersky should find on the shares.

Thanks for nothing to Kaspersky for not fixing this for us....
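AndreasM's step 5 and p2u's gmer advice come down to the same check: which names sit in the svchost "netsvcs" group, whether each still has a service key, and which DLL each loads. The script below is an added example (not from the thread and not a Kaspersky tool) that does that check offline in Python over .reg exports, so it can be run against files collected from many clients. It assumes the suspect host was exported with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" svchost.reg and reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg, that a Svchost export from a known-clean host is available, that the files are already read as text, and the service names pwrgzq and jhqmlw are made up.

```python
"""Offline audit of the svchost "netsvcs" group from .reg exports, parsed as text.
Added example, not from the thread; see the lead-in for the reg export commands."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_reg(text):
    """Parse a .reg export into {key: {value: data}} with lower-cased names.
    Decodes "strings", hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin lines regedit wrapped with '\'
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            result[key] = {}
        elif key is not None and line.startswith(('"', "@")):
            name, _, raw = line.partition("=")
            result[key][name.strip('"').lower()] = _decode(raw)
    return result


def _decode(raw):
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(([27])\):(.*)", raw)
    if not m:
        return raw  # dword:, hex:, hex(b): ... are left as written
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    parts = data.decode("utf-16-le").split("\0")
    return [p for p in parts if p] if m.group(1) == "7" else parts[0]


def audit_netsvcs(suspect_svchost, suspect_services, clean_svchost):
    """Return (unknown, stale, dlls): netsvcs names absent on the clean host,
    names with no Services key (left over after a removal), name -> ServiceDll."""
    suspect = parse_reg(suspect_svchost).get(SVCHOST_KEY.lower(), {}).get("netsvcs", [])
    clean = parse_reg(clean_svchost).get(SVCHOST_KEY.lower(), {}).get("netsvcs", [])
    services = parse_reg(suspect_services)
    known = {n.lower() for n in clean}
    unknown = [n for n in suspect if n.lower() not in known]
    stale, dlls = [], {}
    for n in suspect:
        svc = f"{SERVICES_KEY}\\{n}".lower()
        if svc not in services:
            stale.append(n)
        dll = services.get(f"{svc}\\parameters", {}).get("servicedll")
        if dll:
            dlls[n] = dll  # a random DLL name in system32 is what the thread describes
    return unknown, stale, dlls


def _hex(kind, strings):
    """Encode strings as regedit hex(2)/hex(7) text (builds the sample data only)."""
    data = "".join(s + "\0" for s in strings).encode("utf-16-le")
    tail = b"\0\0" if kind == 7 else b""  # REG_MULTI_SZ ends with an empty string
    return f"hex({kind}):" + ",".join(f"{b:02x}" for b in data + tail)


# Constructed sample exports; "pwrgzq" and "jhqmlw" are made-up service names.
CLEAN_SVCHOST = f'[{SVCHOST_KEY}]\n"netsvcs"={_hex(7, ["BITS", "Schedule"])}\n'
SUSPECT_SVCHOST = f'[{SVCHOST_KEY}]\n"netsvcs"={_hex(7, ["BITS", "Schedule", "pwrgzq", "jhqmlw"])}\n'
SUSPECT_SERVICES = "".join(
    f'[{SERVICES_KEY}\\{n}]\n[{SERVICES_KEY}\\{n}\\Parameters]\n"ServiceDll"={_hex(2, [d])}\n'
    for n, d in [("BITS", r"%SystemRoot%\system32\qmgr.dll"),
                 ("Schedule", r"%SystemRoot%\system32\schedsvc.dll"),
                 ("pwrgzq", r"%SystemRoot%\system32\pwrgzq.dll")])
```

With the sample data, audit_netsvcs(SUSPECT_SVCHOST, SUSPECT_SERVICES, CLEAN_SVCHOST) reports pwrgzq and jhqmlw as not present on the clean host, jhqmlw as a stale entry with no service key, and lists the ServiceDll of every remaining member for review.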
p2u
QUOTE(srle @ 17.01.2009 23:34) *
Thanks for your reply if you receive any kind of info about this problem please alert me at once wink.gif))

Very sorry to let you know, but Microsoft seems to have issued a third patch for the same vulnerability:
http://www.microsoft.com/technet/security/...n/ms09-001.mspx
I could go on and on about the mistaken notion of patching as a solid approach to security issues, but I won't bother anyone with this. I have a feeling, that Microsoft doesn't really solve the problem, but just relocates physical addresses for the same vulnerability...

Paul
srle
Hello, everyone.

Here is some info from me about this worm.

- we have found the solution to remove this version of kido .IH

- apply the first MS patch
- disable the scheduler via the domain controller
- run a full system scan with KAV 6.0.3.837
- apply the MS patch:

http://support.microsoft.com/?scid=kb%3Ben...p;x=14&y=17

*find it somewhere on this site, I am very tired so I can't search any more, sorry*

Reboot the PC after that. I have information that we have cleaned about 100 Windows XP workstations with this solution.

I hope that this will help.

manawa
QUOTE(AndreasM @ 20.01.2009 14:17) *
Our network, consisting of 600 clients and 70 servers, went down totally because of this worm on the 5th of January, and we were promised a fix from Kaspersky within a day or two.... still nothing.

However, we have managed to manually (and with a little help from our SCCM server) clean the entire network! As long as you have a virus definition from around the 10th of January you can beat this thing. Here's a quick guide to how we did it:

1. ALL computers in your network must have the update KB958644! Download from a healthy PC and deploy either via SMS, SCCM or the Kaspersky admin kit, login script or manually. Remember to NEVER log in to an infected PC with a domain account; use the local administrator!
2. Stop the SERVER service on all computers, except for your AD servers; I'm not sure of the effect it might have on AD servers.
3. Believe it or not, Microsoft's Malicious Software Removal Tool removes the virus and the file that is locked after a reboot! First you need to disable autoplay, since if the virus has spread to some network shares (and it has), your computers will be infected again as soon as they try to connect to the shares. This can be done with a GPO; however, this doesn't work since the autorun.inf is still read, and that triggers the infection of your PC. A better way is to make Windows ignore autorun.inf files completely, and this is done with the following reg file. Save as a reg file and import. This one works on both workstations and servers.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
4. After setting the value in the registry, run the Malicious Software Removal Tool (called Windows kb - 890830-v2.6.exe) with the /q switch. Check the log in C:\Winnt\Debug\Mrt.log to see that the virus service and file have been deleted, or will be deleted after a reboot.

5. Go to the following key in the registry: HKLM\Software\Microsoft\Windows NT\Current Version\SvcHost. Double-click "netsvc" and check the value at the bottom to see if it matches the name you could see in the Mrt.log file in step 4. Remove the value.

6. Go to SERVICES, and enable BITS and Automatic Updates again.

7. Reboot your PC and enjoy a worm-free machine.

A little tip though: start with your servers, and if necessary, reboot them in safe mode to remove the infected files which Kaspersky should find on the shares.

Thanks for nothing to Kaspersky for not fixing this for us....


Hello,

After removing the virus, do we have to remove that reg value?
AndreasM
Hello,

Maybe it is not vital to remove the value, but I do it anyway to be on the safe side. Speaking of item no. 5 in my list, of course. Leaving it in would make the computer check for a service that is no longer installed, probably making your PC boot slower or something.
dawinci
Hi all,

new Kaspersky KidoKiller Tool has been provided. Find it attached. Usage:

KidoKiller.exe -p %windir%\system32\

Regards,
dawinci

P.S. To use the KidoKiller Tool with the Administration Kit server, use the following article in the Knowledge DB
Caos
Good news. Thanks.
AndreasM
This one works on .ih?
dawinci
QUOTE(AndreasM @ 21.01.2009 12:49) *
This one works on .ih?


Yes!
Caos
Yes. Generic detection for kido and variants, including ih.
AndreasM
Nice, will deploy at once!
AndreasM
Is there a logfile where you can see what the tool has done?
dawinci
QUOTE(AndreasM @ 21.01.2009 13:39) *
Is there a logfile where you can see what the tool has done?


KidoKiller usage:

kidokiller.exe -p %windir%\system32\ > X:\logfile_%COMPUTERNAME%.txt (where drive X: is a mapped network drive)
srle
Ok,
I have tried this app on an infected PC. There is no option to remove infected files from Windows XP SP3 with all patches installed in normal mode;
does the user need to run this PC from some live CD OS and then start kidokiller from a USB disk, and in that case the worm was detected?

Some ideas?

Goliva
Thank you all for your help mates!

Kidokiller detects and cures 1 file on my computers, but after a while this file appears again. I have applied Microsoft's patch for this vulnerability and disabled System Restore.

Anything else i could do to avoid this worm's regeneration?

Thanks !

srle
QUOTE(Goliva @ 21.01.2009 15:13) *
Thank you all for your help mates!

Kidokiller detects and cures 1 file on my computers, but after a while this file appears again. I have applied Microsoft's patch for this vulnerability and disabled System Restore.

Anything else i could do to avoid this worm's regeneration?

Thanks !



Do you have some live CD?

Or just run safe mode on that PC and try to remove it from there?
AndreasM
QUOTE(srle @ 21.01.2009 15:15) *
Do you have some live CD?

Or just run safe mode on that PC and try to remove it from there?



You have to disable autoplay, see my first post with the registry setting. The virus reappears because it connects to a network share that has the virus and an autorun.inf file. This is the same as an infected USB stick. After importing the registry setting a restart of the computer is required. Please check your servers for shares containing a hidden "Recycler" folder that contains a .vmx file. To see this you have to be able to see hidden files and protected operating system files.
srle
QUOTE(AndreasM @ 21.01.2009 15:24) *
You have to disable autoplay, see my first post with the registry setting. The virus reappears because it connects to a network share that has the virus and an autorun.inf file. This is the same as an infected USB stick. After importing the registry setting a restart of the computer is required. Please check your servers for shares containing a hidden "Recycler" folder that contains a .vmx file. To see this you have to be able to see hidden files and protected operating system files.



Cool.
The key is created; we will see now.
AndreasM
Just as a reference, and an additional thing to try at the bottom of this article. Windows caches info about connected devices and maybe you have to delete this key...Make sure it is the correct one you delete!

http://www.cert.org/blogs/vuls/2008/04/the...ws_autorun.html