Worm.Win32.Kido.ih spreads mainly via local networks and removable storage media. This Win32.Kido worm copies itself automatically to remote computers by creating temporary files with random extensions. Follow the steps and tools given below to remove the Net-Worm.Win32.Kido.ih worm/rootkit completely.
More details of this Win32.Kido.ih Worm
The program itself is a Windows PE DLL file and, unlike other worms, its size can vary from 155KB to 165KB. This rootkit is also packed using UPX.
How to locate this worm?
Check the following Windows locations, where the worm automatically copies its executable files under random names.
%System%\<random>dir.dll
%Program Files%\Internet Explorer\<random>.dll
%Program Files%\Movie Maker\<random>.dll
%All Users Application Data%\<random>.dll
%Temp%\<random>.dll
%System%\<random>tmp
%Temp%\<random>.tmp
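A triage helper for the locations above, added here as an example and not part of the original article: it lists files that match the profile the article gives (PE DLL, 155KB to 165KB, UPX section names), whatever their extension. The environment-variable mapping in DEFAULT_DIRS and all function names are assumptions; make_pe only builds a constructed, non-functional sample for testing the parser.

```python
import contextlib
import os
import struct

SIZE_RANGE = (155 * 1024, 165 * 1024)   # size range the article gives for the DLL
IMAGE_FILE_DLL = 0x2000                 # COFF Characteristics flag: image is a DLL
# Assumed mapping of the article's location placeholders to environment variables.
DEFAULT_DIRS = [os.path.expandvars(p) for p in (
    r"%SystemRoot%\System32", r"%ProgramFiles%\Internet Explorer",
    r"%ProgramFiles%\Movie Maker", r"%ALLUSERSPROFILE%\Application Data", r"%TEMP%")]

def pe_info(data):
    """Return (is_dll, section_names) for a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec, opt_size, chars = struct.unpack_from("<2xH12xHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size          # section table follows optional header
    names = [data[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
             for o in range(table, table + 40 * nsec, 40) if o + 40 <= len(data)]
    return bool(chars & IMAGE_FILE_DLL), names

def matches_profile(path):
    """True if the file is a UPX-packed PE DLL in the stated size range."""
    try:
        in_range = SIZE_RANGE[0] <= os.path.getsize(path) <= SIZE_RANGE[1]
        with open(path, "rb") as f:
            info = pe_info(f.read()) if in_range else None
    except OSError:                         # locked or unreadable: cannot assess
        return False
    return bool(info and info[0] and any(n.startswith("UPX") for n in info[1]))

def scan(dirs=DEFAULT_DIRS):
    """List candidates; extensions are ignored because the names are random."""
    hits = []
    for d in dirs:
        with contextlib.suppress(OSError):  # missing or unreadable directory
            files = [e.path for e in os.scandir(d) if e.is_file()]
            hits += [p for p in files if matches_profile(p)]
    return sorted(hits)

def make_pe(size, dll=True, sections=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed, non-functional PE header padded to `size` bytes (sample input)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HH12xHH", 0x14C, len(sections), 0, IMAGE_FILE_DLL if dll else 0)
    table = b"".join(s.ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return (dos + b"PE\0\0" + coff + table).ljust(size, b"\0")
```

Calling scan() with no arguments checks the default directories. A hit is a candidate to hand to an antivirus scan, not a verdict, since legitimate UPX-packed DLLs of similar size match the same profile.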
Removal of NetWorm-Win32-Kido.ih
You can use the free rootkit removal tools listed in our RootKit Removal article for removing this worm completely or follow the manual steps below.
Manual steps for removing NetWorm Win32.Kido.ih Worm
Delete the registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
Delete “%System%\<random>.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
Reboot the system.
Delete the original worm file and its copies from the Windows locations shown above.
Delete autorun files and .exe files located on removable storage (USB flash/pen drives):
<K>:\autorun.inf
<K>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<random>.vmx
Update your current antivirus databases and perform a full scan of the computer to remove NetWorm Win32.Kido.ih (or you can download the latest Kaspersky AntiVirus 2010 or Norton Antivirus 2009 for a fee).