Net-Worm.Win32.Kido

Detect Date 04/09/2009
Class Net-Worm
Platform Win32
Description

When launched, the worm injects its code into the address space of one of the running “svchost.exe” system processes. This injected code carries the worm’s main malicious payload and:

  • disables the following services:
    wuauserv
    BITS
  • blocks access to addresses which contain any of the strings listed below:
    indowsupdate
    wilderssecurity
    threatexpert
    castlecops
    spamhaus
    cpsecure
    arcabit
    emsisoft
    sunbelt
    securecomputing
    rising
    prevx
    pctools
    norman
    k7computing
    ikarus
    hauri
    hacksoft
    gdata
    fortinet
    ewido
    clamav
    comodo
    quickheal
    avira
    avast
    esafe
    ahnlab
    centralcommand
    drweb
    grisoft
    eset
    nod32
    f-prot
    jotti
    kaspersky
    f-secure
    computerassociates
    networkassociates
    etrust
    panda
    sophos
    trendmicro
    mcafee
    norton
    symantec
    microsoft
    defender
    rootkit
    malware
    spyware
    virus

The worm may also download files from links of the type shown below:

http://<URL>/search?q=<%rnd2%>

rnd2 is a random number; URL is a link generated by a special algorithm that uses the current date as its input. The worm obtains the current date from one of the sites listed below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Downloaded files are saved to the Windows system directory under their original names.