
Infected: virus Net-Worm.Win32.Kido.ih


itsallaobutgame

Mar 26, 2009, 1:38:10 AM

Hi Friends

OS: Windows XP Sp2

Problem: Kasper 7.0 is unable to delete WormWin32 Kido.ih. I am working
in an organization and one of my LABs is infected with that worm. I have
also tried the KLWL and kkiller utilities, but they did not even detect this
version of KIDO.IH.

Symptoms: Kido.ih drops a DLL file in system32 which has a different
name on each of my network PCs. This file is system hidden and no one has
rights to remove or rename it. Even KAV 7.0 only shows the skip option,
no delete, no disinfect. This worm also adds a registry value which
prevents the user from showing hidden files or folders. It also creates its
own service. When we attach any pen drive to the infected system, the pen
drive is automatically infected with that worm, and the worm creates
Autorun.inf and jwgkvsq.vmx files.

What I have tried: I tried every step and was able to remove that DLL file
in Safe Mode. But it is automatically created again because the whole LAN
is infected with that worm.

Kido.ih sample which I found on my pen drive

Sample of Autorun.inf and jwgkvsq.vmx:
http://rapidshare.com/files/213226372/Win_32_Worm_kido.ih_Sample.rar.html
Password for Win_32_Worm_kido.ih_Sample.rar " kido " without
quotes


Please help


--
itsallaobutgame
------------------------------------------------------------------------
itsallaobutgame's Profile: http://forums.techarena.in/members/83696.htm
View this thread: http://forums.techarena.in/virus-spyware/1148204.htm

http://forums.techarena.in
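
A triage sketch for the pen-drive symptom described in the post above (an added example, not part of the original thread): it lists the launch entries in a drive's root Autorun.inf and any file carrying the reported name jwgkvsq.vmx. The function names and the sample drive contents are constructed for illustration; point `triage_drive` at a mounted drive root to use it.

```python
import os
import re
import tempfile

# File name reported in the post above; other samples may use a different name.
REPORTED_PAYLOAD = "jwgkvsq.vmx"
# autorun.inf keys that make Windows launch a program from the drive.
LAUNCH_KEY = re.compile(
    rb"^[ \t]*(open|shellexecute|shell\\[^=\r\n]*\\command)[ \t]*=[ \t]*(.+?)[ \t\r]*$",
    re.I | re.M)

def triage_drive(root):
    """Return (path, reason) findings for one mounted removable-drive root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower() == REPORTED_PAYLOAD:
                findings.append((path, "payload file name from the post"))
            elif name.lower() == "autorun.inf" and dirpath == root:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # read as bytes: the file may hold junk
                for key, cmd in LAUNCH_KEY.findall(data):
                    findings.append((path, "launch entry: %s=%s" % (
                        key.decode("latin-1").lower(), cmd.decode("latin-1"))))
    return findings

def build_constructed_drive():
    """Create a temp directory imitating an affected pen drive (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    os.mkdir(os.path.join(root, "hidden_dir"))  # hypothetical folder name
    with open(os.path.join(root, "hidden_dir", "JWGKVSQ.VMX"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real sample")
    with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
        fh.write(b"\x8f\x02junk\r\n[AutoRun]\r\nicon=shell32.dll,4\r\n"
                 b"  OPEN = placeholder-launcher.exe hidden_dir\\jwgkvsq.vmx\r\n")
    return root

if __name__ == "__main__":
    for path, reason in triage_drive(build_constructed_drive()):
        print(path, "->", reason)
```
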

1PW

Mar 26, 2009, 3:38:39 AM
On 03/25/2009 10:38 PM, itsallaobutgame sent:

> Hi Friends
>
> OS: Windows XP Sp2
>
> Problem: Kasper 7.0 is unable to delete WormWin32 Kido.ih. I am working
> in an organization and one of my LABs is infected with that worm. I have
> also tried the KLWL and kkiller utilities, but they did not even detect this
> version of KIDO.IH.
>
> Symptoms: Kido.ih drops a DLL file in system32 which has a different
> name on each of my network PCs. This file is system hidden and no one has
> rights to remove or rename it. Even KAV 7.0 only shows the skip option,
> no delete, no disinfect. This worm also adds a registry value which
> prevents the user from showing hidden files or folders. It also creates its
> own service. When we attach any pen drive to the infected system, the pen
> drive is automatically infected with that worm, and the worm creates
> Autorun.inf and jwgkvsq.vmx files.
>
> What I have tried: I tried every step and was able to remove that DLL file
> in Safe Mode. But it is automatically created again because the whole LAN
> is infected with that worm.
>
> Kido.ih sample which I found on my pen drive
>
> Sample of Autorun.inf and jwgkvsq.vmx:
> http://rapidshare.com/files/213226372/Win_32_Worm_kido.ih_Sample.rar.html
> Password for Win_32_Worm_kido.ih_Sample.rar " kido " without
> quotes
>
>
> Please help

Please try the "Removal instructions" here:

<http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790>

Follow with a scan with the free version of:

<http://www.malwarebytes.org/mbam-download.php>

Please make absolute sure that you have installed this patch:

<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Volker Birk

Mar 27, 2009, 4:26:17 AM
itsallaobutgame <itsallaobut...@donotspam.com> wrote:
> Problem: Kasper 7.0 is unable to delete WormWin32 Kido.ih. I am working
> in an organization and one of my LABs is infected with that worm. I have
> also tried the KLWL and kkiller utilities, but they did not even detect this
> version of KIDO.IH.

You definitely should flatten and rebuild every infected system.
Additionally, you should find out how this thing was spread.

You should not try to remove - this will not work in a secure way.

Yours,
VB.
--
Please also note the reverse side of this letter!

Volker Birk

Mar 27, 2009, 4:29:55 AM
1PW <barcrnah...@nby.pbz> wrote:
> Please try the "Removal instructions" here:
> <http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790>

Better don't do this. Such "removal instructions" are a make-believe.

> Please make absolute sure that you have installed this patch:
> <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

Better read this text:

<http://technet.microsoft.com/en-us/library/cc512587.aspx>
