Kaspersky's dedicated removal tool for Net-Worm.Win32.Kido

29052010

Original text at [You must be registered and logged in to see this link.]:
Applies to:
  • Kaspersky Internet Security 6.0/7.0/2009
  • Kaspersky Anti-Virus 6.0/7.0/2009
  • Kaspersky Anti-Virus 6.0 for Windows Workstations MP1/MP2/MP3
  • Kaspersky Anti-Virus 6.0 for Windows Servers MP1/MP2/MP3
  • Kaspersky Administration Kit 6.0 MP1/MP2

    [You must be registered and logged in to see this link.] informs Kaspersky Lab clients that there is an increase in incoming calls concerning infection of Windows based workstations and servers with network worm Net-Worm.Win32.Kido (aka Conficker, Downadup).




    1. It creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares)
    2. It stores itself in the system as a DLL file with a random name, for example, c:\windows\system32\zorizr.dll
    3. It registers itself in system services with a random name, for example, knqdgsm.
    4. It tries to attack network computers via 445 or 139 TCP port, using MS Windows vulnerability MS08-067.

    5. It tries to access the following websites in order to learn the external IP address of the infected computer (we recommend configuring a network firewall rule to monitor connection attempts to these websites):


    [You must be registered and logged in to see this link.]


    [You must be registered and logged in to see this link.]

    1. Network traffic volume increases if there are infected PCs in the network, because network attack starts from these PCs.
    2. Anti-Virus product with enabled Intrusion Detection System informs of the attack Intrusion.Win.NETAPI.buffer-overflow.exploit
    3. It is impossible to access websites of the majority of antivirus companies, e.g. avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc.

    4. An attempt to activate Kaspersky Anti-Virus or Kaspersky Internet Security with an activation code at a computer infected with the Net-Worm.Win32.Kido network worm may result in abnormal termination and output one of the following errors:

    • Activation procedure completed with system error 2.
    • Activation error: Server name cannot be resolved.
    • Activation error. Unable to connect to server.

    Note: If Kaspersky Anti-Virus/Kaspersky Internet Security keeps reporting activation errors during activation on a computer not infected with Net-Worm.Win32.Kido, please refer to the Useful Links. It contains descriptions of possible activation errors.

    A special utility KidoKiller should be used to remove this worm.
    MS Windows 95/MS Windows 98/MS Windows ME operating systems cannot be infected with this network worm.
    Warning: To prevent all workstations and file servers from being infected with the worm, you are recommended to do the following:


      • Install the Microsoft patch covering the vulnerabilities [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.] (on these pages you will have to select which operating system is installed on the infected PC, download the corresponding patch and install it).

      • Make sure to have a strong local administrator's password that cannot be easily hacked - the password should contain 6 letters minimum; use a mixture of uppercase and lowercase, numbers and non-alphanumeric characters such as punctuation marks.

      • Disable autorun of executable files from removable drives by launching the file kk.exe with switch -a.

        For Windows XP/Server OS: Start - Run - type kk.exe -a - click OK
        For Windows Vista OS: Start - All Programs - Accessories - Run - type kk.exe -a - click OK

      • Block access to TCP ports 445 and 139 in the network firewall.

        You need to block these ports only during the disinfection process. As soon as you have the entire network disinfected, feel free to unblock the ports.


    The utility KidoKiller can be run locally on the infected PC, or remotely with the help of [You must be registered and logged in to see this link.].

    Running the utility via command line. In the table below there is a list of all switches that can be used with the utility.

    • To start command line:

      • Windows Vista: Start > All Programs > Accessories > Command Prompt > type in cmd and press Enter
      • Windows XP/Server: Start > Run > type in cmd and press Enter

    • To start the utility KidoKiller:

      • Save the file kk.exe on disk C, for example.
      • You have to specify location of the file kk.exe in order to start it. For example, if you have saved the utility on disk C, you have to type the command "C:\KK.exe" and press Enter.






    1. Download the archive [You must be registered and logged in to see this link.] and extract the contents into a folder on the infected PC.
    2. If you have one of the following Kaspersky Lab applications installed on the infected PC:

    - Kaspersky Internet Security 2009;
    - Kaspersky Anti-Virus 2009;
    - Kaspersky Internet Security 7.0;
    - Kaspersky Anti-Virus 7.0;
    - Kaspersky Internet Security 6.0;
    - Kaspersky Anti-Virus 6.0;
    - Kaspersky Anti-Virus 6.0 for Windows Workstations;
    - Kaspersky Anti-Virus 6.0 SOS;
    - Kaspersky Anti-Virus 6.0 for Windows Servers.
    Warning: please disable the component File Anti-Virus of the Kaspersky Anti-Virus for the run time of the utility.

    3. Run the file kk.exe

    If you run the kk.exe file without any switches, the utility will put a stop to active infection (kill threads and remove hooks), perform a memory scan and a scan of critical areas vulnerable to infection, clean up the registry, and scan flash drives.

    Note: When the scan is over, an active window of the command prompt may be displayed; in order to minimize the window, press any button. For the window of the command prompt to close automatically, it is recommended to run the file kk.exe with switch -y.
    4. Wait till the scanning is complete.
    Warning: If Agnitum Outpost Firewall is installed on the computer where the utility KidoKiller has been launched, it is necessary to reboot the PC after the utility finishes its work.

    5. Perform a full scan of your computer with Kaspersky Anti-Virus.



    1. Download the archive with the utility [You must be registered and logged in to see this link.] and extract its contents into a folder.

    2. In [You must be registered and logged in to see this link.] create installation package for application KK.exe. In the installation package settings on the Application step select the variant Make installation package for specified executable file.

    Note: In the field Executable file command line (optional) use the switch -y to close the console window automatically once the utility work is over.






    3. Use this package to create a group/global application deployment task for all infected or suspicious networked computers.

    Note: You can start the utility KidoKiller on all computers in your corporate network.



    4. Please disable the component File Anti-Virus of the Kaspersky Anti-Virus on client PCs for run time of the utility.

    5. Start the task.

    Note: If you run the utility via Administration Kit, it will be started with SYSTEM account permissions, making all network drives and shared folders inaccessible to it. If the administrator wants the utility to write logs to a network drive or shared resource, the utility must be run using the 'run as' command.


    6. Once the utility finishes its work, scan each computer in the network using your Kaspersky Anti-Virus.
    Warning: If Agnitum Outpost Firewall is installed on the computer where the utility KidoKiller has been launched, it is necessary to reboot the PC after the utility finishes its work.

    Note: In a domain network it is important to first disinfect domains and computers with logged "Administrators" and "Domain Admins" users in the domain. Otherwise disinfection will fail - all PCs within the domain will keep getting infected every 15 minutes.


    Switch          Description
    -p              Scan a defined folder.
    -f              Scan hard disks.
    -n              Scan network drives.
    -r              Scan flash drives, scan removable hard USB and FireWire disks.
    -y              End program without pressing any key.
    -s              Silent mode (without a black window).
    -l <file name>  Write info into a log.
    -v              Extended log maintenance (the switch -v works only in combination with the -l switch).
    -z              Restore the following services:
                    • Background Intelligent Transfer Service (BITS),
                    • Windows Automatic Update Service (wuauserv),
                    • Error Reporting Service (ERSvc/WerSvc),
                    • Windows Defender (WinDefend),
                    • Windows Security Center Service (wscsvc).
                    Restore display of hidden system files.
    -a              Disable autorun from all drives.
    -m              Monitoring mode to protect the system from getting infected.
    -t              Clear the Registry of services that remain after removing the network worm using our products.
    -j              Restore the registry branch SafeBoot (if the registry branch is deleted, computer cannot boot in Safe Mode).
    -help           Show additional information about the utility.

    For example, in order to scan a flash drive and write a detailed log into the file report.txt (which will be created in the setup folder of the file kk.exe), use the following command:

    KK.exe -r -y -l report.txt -v

    In order to scan another disk or partition, D for example:
    KK.exe -p D:\
    Starting with the version 3.4.6 the KidoKiller utility returns the following codes (%errorlevel%):


    3 - Malicious threads were found and killed (worm was active).
    2 - Malicious files were found and deleted (worm was inactive).
    1 - Malicious scheduler jobs or function hooks were detected (this PC is not infected but the network might contain infected PCs - administrator should address this issue).
    0 - Nothing found.
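
    The return codes listed above allow unattended triage when the utility is deployed to many machines. The batch wrapper below is an added example, not part of the Kaspersky article: it assumes kk.exe version 3.4.6 or later sits in the same folder as the script, and the file names summary.txt and <computer name>_kk.log, as well as the script's own exit code 100, are hypothetical choices.

```batch
@echo off
setlocal
rem Added example, not Kaspersky's own script.
rem Assumes kk.exe (version 3.4.6 or later) is in the same folder as this file.
set "KK=%~dp0kk.exe"
rem Hypothetical file names. Both stay in the local kk.exe folder, because a
rem task started under the SYSTEM account cannot reach network shares.
set "REPORT=%COMPUTERNAME%_kk.log"
set "SUMMARY=%~dp0summary.txt"

if not exist "%KK%" (
    echo kk.exe not found at "%KK%"
    rem 100 is this wrapper's own code, chosen to stay clear of kk.exe's 0-3.
    exit /b 100
)

rem -y ends without a key press; -l together with -v writes the extended log.
"%KK%" -y -l "%REPORT%" -v
set "RC=%ERRORLEVEL%"

rem Map the documented return codes to a triage verdict.
set "VERDICT=UNKNOWN return code, check the log"
if "%RC%"=="0" set "VERDICT=CLEAN nothing found"
if "%RC%"=="1" set "VERDICT=EXPOSED scheduler jobs or hooks found, look for infected PCs in the network"
if "%RC%"=="2" set "VERDICT=CLEANED inactive worm files deleted, run a full scan"
if "%RC%"=="3" set "VERDICT=CLEANED active worm threads killed, run a full scan"

rem One line per run, so results from many runs can be reviewed together.
>>"%SUMMARY%" echo %DATE% %TIME% %COMPUTERNAME% rc=%RC% %VERDICT%
echo %COMPUTERNAME%: rc=%RC% %VERDICT%

rem Pass the code on so a deployment task can record it per host.
exit /b %RC%
```

    A host that returns 1 is not itself infected according to the list above, so its value in the summary is as a pointer: it tells the administrator that another machine on the network is still spreading the worm.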

    Download the Kido removal tool, named KidoKiller, from the following link: [You must be registered and logged in to see this link.]
  • BS Se S2T