Net-Worm.Win32.Kido

When launched, the worm injects its code in the address space of one of the active “svchost.exe” system processes. This code delivers the worm’s main malicious payload and:

• disables the following services:

  wuauserv
  BITS

• blocks access to addresses which contain any of the strings listed below:

  indowsupdate
  wilderssecurity
  threatexpert
  castlecops
  spamhaus
  cpsecure
  arcabit
  emsisoft
  sunbelt
  securecomputing
  rising
  prevx
  pctools
  norman
  k7computing
  ikarus
  hauri
  hacksoft
  gdata
  fortinet
  ewido
  clamav
  comodo
  quickheal
  avira
  avast
  esafe
  ahnlab
  centralcommand
  drweb
  grisoft
  eset
  nod32
  f-prot
  jotti
  kaspersky
  f-secure
  computerassociates
  networkassociates
  etrust
  panda
  sophos
  trendmicro
  mcafee
  norton
  symantec
  microsoft
  defender
  rootkit
  malware
  spyware
  virus

The worm may also download files from links of the type shown below:

http://<URL>/search?q=<%rnd2%>

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Downloaded files are saved to the Windows system directory under their original names.