Safety 101: Viruses and solutions

How to clean a corporate network from Net-Worm.Win32.Kido (aka Conficker, Downadup)?

2013 Aug 28 ID: 4673

A brief description of the Net-Worm.Win32.Kido family

  • The malware creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares)
  • The malware stores itself in the system as a .dll file with a random name, for example, c:\windows\system32\zorizr.dll
  • The malware registers itself in system services under a random name, for example, knqdgsm.
  • It tries to attack network hosts via TCP port 445 or 139, using MS Windows vulnerability MS08-067.
  • The malware tries to access the following websites in order to learn the external IP address of the infected host (we recommend configuring a network firewall rule to monitor connection attempts to these websites):

Symptoms of infection

  • Network traffic volume increases if there are infected hosts in the network, because a network attack starts from these hosts.
  • The Anti-Virus product with enabled Firewall notifies the user of the Intrusion.Win.NETAPI.buffer-overflow.exploit attack.

    IMPORTANT!

    If you keep receiving attack alerts, it means that the remote host is infected (alert messages report its address). If possible, it must be disinfected in order to stop the attacks.
  • It is impossible to access websites of the major antivirus companies, e.g. avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc.
  • Kaspersky Anti-Virus keeps detecting and deleting files with random names and extensions (e.g. oufgt.quf) in the system32 folder, yet a full scan of the host finds nothing.

    IMPORTANT!

    Repeated detection of such files does not prove that this host is infected. It means that there are infected hosts in the domain that hold administrative permissions (access to the ADMIN$ share on the attacked hosts, which lets them copy files into the system32 folder).
    Kaspersky Anti-Virus blocks the infection attempt at the moment the malicious program body is copied.
    To stop the attacks, the infected hosts must be identified and disinfected. Domain controllers should be checked first.

Protection measures

MS Windows 95/MS Windows 98/MS Windows ME operating systems cannot be infected with this network worm.

We recommend that you do the following on all hosts to prevent workstations and file servers from becoming infected with the worm:

  1. Install the Microsoft patches MS08-067, MS08-068 and MS09-001 (on each of these pages, select the operating system of the infected PC, then download and install the corresponding patch).
  2. Make sure the local administrator password is hack-proof (it should contain at least 6 characters and include uppercase and lowercase letters, numbers and special non-alphanumeric characters such as punctuation marks).
  3. Disable autorun of executable files on removable drives:

    • download the KidoKiller (kk.zip) utility and extract it, for example, to disk C;
    • run the kk.exe file with -a switch from the command line prompt.
  4. Block access to TCP ports 445 and 139 in the network firewall. You only need to block these ports during the disinfection period. As soon as the disinfection process has been completed, the ports may be unblocked.

Local disinfection

  1. Download the kk.zip archive and extract its content into a folder on the infected host.
  2. Disable the File Anti-Virus component while the utility is running.
  3. Run the kk.exe file.

    If kk.exe is run without any switches, it stops the active infection (deletes threads, unhooks functions), scans the most infectable areas, memory and flash drives and cleans the registry.
  4. Wait for the scan to complete.

    When running the utility on a host with Agnitum Outpost Firewall installed, it is necessary to reboot once the utility has completed its task.
  5. Use Kaspersky Anti-Virus to scan the entire host.

Centralized disinfection (using Kaspersky Administration Kit)

  1. Download the kk.zip archive and extract its content into a folder.
  2. Create an installation package for the kk.exe application in the Administration Console. Select the Make installation package for specified executable file option at the Application step.

    Enter the -y switch in the Executable file command line (optional) field to close the console window automatically once the utility's task is complete.

  3. Use this package to create a group/global application deployment task for the infected or suspicious network computers.
  4. Disable the File Anti-Virus component in Kaspersky Anti-Virus on client PCs before running the utility.
  5. Start the task.

    IMPORTANT!

    Domain controllers, and hosts where users from the Administrators and Domain Admins domain groups are logged on, must be disinfected first. Otherwise the disinfection will be ineffective and all domain hosts will become re-infected every 15 minutes.

    If you run the utility via Administration Kit / Kaspersky Security Center, it is started with SYSTEM account permissions, which makes all network drives and shared folders inaccessible to it.

    If you want the utility to write its log files to a network drive or a shared resource, run it with the run as command instead.
  6. Once the utility's task is complete, scan each network computer with Kaspersky Anti-Virus.

    When running the utility on a host with Agnitum Outpost Firewall installed, you should reboot the computer once the utility completes its task.

Switches to run kk.exe from the command prompt

-p <path for scanning> - Scan a particular directory.

-f - Scan hard disks and removable drives.

-n - Scan network drives.

-r - Scan flash drives, scan removable hard USB and FireWire disks.

-y - End program without pressing any key.

-s - Silent mode (without a black window).

-l <file name> - Write the information into a log file.

-v - Extended log maintenance (the switch -v only works in combination with the -l switch).

-z - Restore the following services:

  • Background Intelligent Transfer Service (BITS), 
  • Windows Automatic Update Service (wuauserv), 
  • Error Reporting Service (ERSvc/WerSvc), 
  • Windows Defender (WinDefend), 
  • Windows Security Center Service (wscsvc).

- Restore display of hidden and system files.

-a - Disable autorun of all drives.

-m - Run in the monitoring mode to protect the system from getting infected.

-j - Restore the registry branch SafeBoot (if the registry branch is deleted, a computer cannot boot in Safe Mode).

-help - Show additional information about the utility.

For example, to scan a flash drive and write a detailed log into the report.txt file (which will be created in the folder containing kk.exe), use the following command:

kk.exe -r -y -l report.txt -v

To scan another disk or partition, D for example, use the following command:

kk.exe -p D:\

Starting with version 3.4.6, the KidoKiller utility returns the following exit codes (%errorlevel%):

3 - Malicious threads were found and eliminated (the worm was active).

2 - Malicious files were found and deleted (the worm was inactive).

1 - Malicious scheduler tasks or function hooks were detected (this PC is not infected, but the network may contain infected PCs; the administrator should address this issue).

0 - Nothing found.
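The switches and exit codes above can be tied together in a small wrapper for running the utility on many hosts. The following PowerShell script is an added example, not part of this article or of the KidoKiller utility; it assumes kk.exe was extracted to C:\kk (the path, the log and summary file names are assumptions) and that the host runs KidoKiller 3.4.6 or later, where the exit codes are defined.

```powershell
# Added example: run kk.exe with the documented switches, translate the
# %errorlevel% it returns into the meaning listed in the article, and append
# one record per host to a CSV summary an administrator can review.
param(
    [string]$KkPath  = 'C:\kk\kk.exe',       # assumed extraction path
    [string]$LogPath = 'C:\kk\report.txt',   # detailed log (-l / -v)
    [string]$Summary = 'C:\kk\summary.csv'   # per-host summary (assumed name)
)

# Exit codes documented for KidoKiller 3.4.6 and later.
$Meaning = @{
    3 = 'Malicious threads found and eliminated (worm was active)'
    2 = 'Malicious files found and deleted (worm was inactive)'
    1 = 'Scheduler tasks or function hooks found (host clean, network may hold infected PCs)'
    0 = 'Nothing found'
}

if (-not (Test-Path $KkPath)) { throw "kk.exe not found at $KkPath" }

# -f: hard and removable disks, -r: flash/USB/FireWire disks, -y: exit
# without a keypress, -l/-v: detailed log. -n is omitted on purpose: when
# the task runs as SYSTEM (Administration Kit), network drives are unreachable.
$proc = Start-Process -FilePath $KkPath `
    -ArgumentList '-f', '-r', '-y', '-l', $LogPath, '-v' `
    -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode

$text = if ($Meaning.ContainsKey($code)) { $Meaning[$code] } else { "Unknown exit code $code" }

# Summary on a network share only works when the script is started with
# 'run as', not under the SYSTEM account (see the centralized procedure above).
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Time     = (Get-Date).ToString('s')
    ExitCode = $code
    Meaning  = $text
} | Export-Csv -Path $Summary -Append -NoTypeInformation

# 3 or 2: this host was infected, a full Kaspersky Anti-Virus scan follows.
# 1: this host is clean but another host in the domain is attacking it;
#    check the domain controllers first, as the article recommends.
if ($code -ge 2) {
    Write-Warning "$($env:COMPUTERNAME): $text. Run a full Kaspersky Anti-Virus scan."
} elseif ($code -eq 1) {
    Write-Warning "$($env:COMPUTERNAME): $text"
}
exit $code
```

Because the script exits with the utility's own code, a deployment task that records the task result still sees 0/1/2/3 and can sort hosts by what was found.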
