A virus epidemic has hit 9 million PCs. The Kido worm is spreading at lightning speed.
Alien, the virus really is nasty, but there is also a cure. I don't understand English, but I'm giving you the information about the virus from Kaspersky Lab (which I personally prefer for antivirus and other protection). I'd be grateful for a translation, so that we know how to protect ourselves from Kido. The text is abridged.
Net-Worm.Win32.Kido
01.13.09 17:12 GMT | Status: moderate risk
Kaspersky Lab has detected that multiple variants of Kido, a polymorphic worm, are currently spreading widely.Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media.
The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.
Users are strongly recommended to ensure their antivirus databases are up to date. A patch for the vulnerability is available from Microsoft.
A detailed description of Net-Worm.Win32.Kido.bt and removal instructions are available here.
Net-Worm.Win32.Kido.bt
Other versions: .dv
Detection added Jan 02 2009
Description added Jan 13 2009
Technical details
This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.
Installation
The worm copies its executable file to the Windows system directory as follows:
%System%\<rnd>.dll
<rnd> is a string of random symbols.
The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
The worm also modifies the following registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll"
Network spreading
When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.
The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com.)
The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.
In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:
Spreading via removable storage media
The worm copies its executable file as follows:
<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx
<rnd> is a string of random lower case symbols; <X> is the disk.
The worm also places the following file in the root of each disk:
<X>:\autorun.inf
This ensures the worm's executable file will be run each time the user opens the infected disk using Windows Explorer.
Payload
When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. This code is responsible for the worm’s malicious payload:
Disables system restore
Blocks addresses which contain the following strings:
indowsupdate
wilderssecurity
threatexpert
The worm also downloads a file from the link shown below:
http://trafficconverter.biz/*****/antispyware/loadadv.exe
This file is saved to the Windows system directory and then launched for execution. The link was not live at the time of writing.
The worm may also download files from links of the type shown below:
http://<URL>/search?q=<%rnd2%>
rnd2 is a random number. URL is a link formed by a special algorithm which uses the current date. The worm gets the current date from one of the sites listed below:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
Files downloaded by the worm are saved to the Windows system directory with their original name.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, you can either use a special removal tool, which can be found here support.kaspersky.com or follow the instructions below:
Delete the system registry key shown below:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
Delete "%System%\<rnd>.dll" from the system registry key parameter shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
Reboot the computer.
Delete the original worm file (the location will depend on how the malicious program penetrated the computer).
Delete the file shown below:
%System%\<rnd>.dll
<rnd> is a string of random symbols.
Delete the following files from all removable storage media:
<X>:\autorun.inf
<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx
<rnd> is a string of random lower case symbols; <X> is the disk.
Download and install operating system updates from the following link:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
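The two persistence traces the description names (the DLL path appended to the SvcHost "netsvcs" value, and the autorun.inf plus RECYCLER\S-5-3-42-... folder on removable media) are what a helpdesk would check for, and removal step 2 amounts to stripping that appended entry. The script below is an added example for the forum, not Kaspersky's tool and not part of the post: it takes an exported "netsvcs" list and a disk root, reports the indicators, and returns the cleaned "netsvcs" list. The random DLL and .vmx names, the autorun.inf contents and the rundll32 launch line are constructed for the demonstration; the description only says autorun.inf runs the worm file, so the exact launch syntax is an assumption.

```python
"""Check for the Kido persistence indicators listed in the description.

Added example, not part of the original post or of Kaspersky's description.
All sample data below is constructed; the random file names are made up.
"""
import re
from pathlib import Path

# Constructed: the "netsvcs" REG_MULTI_SZ value exported from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, with the
# "%System%\<rnd>.dll" entry the description says the worm appends.
SAMPLE_NETSVCS = [
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer",
    "%System%\\qwertyab.dll",          # constructed random name
]

# Path the description gives for the copy on removable media (without <X>:\).
RECYCLER_SID = "RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665"

# Constructed autorun.inf; the rundll32 launch line is an assumption used
# only so the sample has something to point at the .vmx file.
SAMPLE_AUTORUN = """[autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=RunDLL32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\abcdefg.vmx,placeholder_export
"""


def looks_like_dll_path(entry):
    """A legitimate netsvcs entry is a bare service name; a path or .dll is not."""
    e = entry.strip()
    return "\\" in e or "/" in e or "%" in e or e.lower().endswith(".dll")


def suspicious_netsvcs_entries(entries):
    """Return the netsvcs entries that look like an appended DLL path."""
    return [e for e in entries if looks_like_dll_path(e)]


def cleaned_netsvcs(entries):
    """Removal step 2: drop the appended DLL entries, keep the rest in order."""
    return [e for e in entries if not looks_like_dll_path(e)]


def autorun_indicators(text):
    """Return (key, value) pairs in an autorun.inf that reference the RECYCLER
    SID folder or a .vmx file; comments and section headers are skipped."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("[", ";")) or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        low = value.lower()
        if RECYCLER_SID.lower() in low or re.search(r"\.vmx\b", low):
            hits.append((key.strip().lower(), value.strip()))
    return hits


def scan_disk_root(root):
    """Check a disk root (a mounted removable drive, or a copy of one) for the
    autorun.inf and RECYCLER\\...\\<rnd>.vmx files the description lists."""
    root = Path(root)
    findings = {}
    autorun = root / "autorun.inf"
    if autorun.is_file():
        hits = autorun_indicators(autorun.read_text(errors="replace"))
        if hits:
            findings["autorun.inf"] = hits
    recycler = root.joinpath(*RECYCLER_SID.split("\\"))
    if recycler.is_dir():
        vmx = sorted(str(p.relative_to(root)) for p in recycler.glob("*.vmx"))
        if vmx:
            findings["vmx"] = vmx
    return findings


if __name__ == "__main__":
    print("suspicious netsvcs entries:", suspicious_netsvcs_entries(SAMPLE_NETSVCS))
    print("cleaned netsvcs:", cleaned_netsvcs(SAMPLE_NETSVCS))
    print("autorun.inf indicators:", autorun_indicators(SAMPLE_AUTORUN))
    print("disk scan of current directory:", scan_disk_root("."))
```

Run it as-is to see the sample data flagged; to check a real drive, pass the drive root to scan_disk_root and the exported "netsvcs" list to suspicious_netsvcs_entries. The netsvcs check deliberately flags anything that is not a bare service name rather than matching a specific file name, because the description says the name is random.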