Win32.Kido.ih Characteristic


This is a network worm. It spreads via local networks and removable storage media. When it copies itself to remote computers, the worm creates a temporary file with a random extension. The program itself is a Windows PE DLL file. The worm components vary in size from 155 KB to 165 KB. It is packed using UPX.
Installation
The worm copies its executable file with random names as shown below:

%System%\<rnd>dir.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp

<rnd> is a random string of characters.
You can use Windows Search to find them. Remember to select "Search system folders", "Search hidden files and folders", and "Search subfolders" under "More advanced options".

To ensure that the worm is launched the next time the system starts, it creates a system service that launches the worm's executable file each time Windows boots. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
The worm also modifies the following system registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = " %System%\<rnd>.dll"
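A read-only triage script for the indicators listed above, added here as an example; it is not code from the original post or from any antivirus vendor. It assumes PowerShell 3 or later run from an elevated prompt on the host being checked, uses the 155 KB to 165 KB size window the post gives, and goes one step beyond the post by resolving every name in the SvcHost netsvcs list to its Parameters\ServiceDll value, so the DLL that svchost.exe actually loads for each entry can be inspected. It reports and deletes nothing.

```powershell
# Added example (not code from the original post). Read-only triage for the
# Kido file and registry indicators. Assumes PowerShell 3+ in an elevated prompt.

# Size window the post gives for the worm's components.
$minSize  = 155KB
$maxSize  = 165KB
$system32 = Join-Path $env:SystemRoot 'System32'

# Drop locations named in the post. "%All Users Application Data%" is
# %ALLUSERSPROFILE%\Application Data on XP/2003 and %ProgramData% on later
# Windows, so both are listed; missing folders are skipped.
$dropLocations = @(
    $system32,
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:ProgramFiles 'Movie Maker'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:ProgramData,
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

function Get-SuspectDropFiles {
    # .dll and .tmp files in the drop locations whose size falls in the post's
    # window. -Force includes hidden files, which Explorer's default view skips.
    foreach ($dir in $dropLocations) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in '.dll', '.tmp') -and
                           ($_.Length -ge $minSize) -and ($_.Length -le $maxSize) } |
            ForEach-Object {
                # Genuine OS DLLs are normally catalog-signed and report 'Valid';
                # a randomly named worm copy carries no valid signature.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [PSCustomObject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Created   = $_.CreationTime
                    Signature = $sig.Status
                }
            }
    }
}

function Get-NetsvcsServiceDlls {
    # netsvcs is a REG_MULTI_SZ list of service names hosted by one svchost.exe
    # group. Each name's Parameters\ServiceDll is the DLL svchost loads, so an
    # entry pointing outside System32, or at a file in the size window, is a lead.
    $svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $names = (Get-ItemProperty -Path $svcHostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
    foreach ($name in $names) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        $rawDll = if ($params) { $params.ServiceDll } else { $null }
        $dll    = if ($rawDll) { [Environment]::ExpandEnvironmentVariables($rawDll) } else { $null }
        $size   = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $size = (Get-Item -LiteralPath $dll -Force).Length
        }
        $sizeKB  = if ($size) { [math]::Round($size / 1KB, 1) } else { $null }
        $suspect = [bool]($dll -and (($dll -notlike "$system32\*") -or
                                     (($size -ge $minSize) -and ($size -le $maxSize))))
        [PSCustomObject]@{
            Service    = $name
            ServiceDll = $dll
            SizeKB     = $sizeKB
            Suspect    = $suspect
        }
    }
}

# The post also says the worm creates this service key; report whether it exists.
$netsvcsKeyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\netsvcs'

Write-Host 'Candidate files in drop locations:'
Get-SuspectDropFiles | Format-Table -AutoSize
Write-Host "`nServices registered under SvcHost\netsvcs:"
Get-NetsvcsServiceDlls | Sort-Object Suspect -Descending | Format-Table -AutoSize
Write-Host "`nServices\netsvcs key present: $netsvcsKeyPresent"
```

Treat the output as leads rather than verdicts: a legitimate service can live outside System32, and a benign DLL can fall inside the size window, so compare anything flagged against the vendor description before acting on it, and let the antivirus update mentioned below do the actual cleanup.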


So, how to remove it?
Just get the latest update of your antivirus...
Or you can remove it manually; see my next post here.
