How to remove network worm Net-Worm.Win32.Kido (aka: Conficker, Downadup)
PLEASE TAKE SERIOUS ACTION ABOUT THIS!!!
Symptoms of network infection.
1. Network traffic volume increases when there are infected PCs in the network, because the network attack is launched from these PCs.
2. An anti-virus product with its Intrusion Detection System enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.
Short description of the Net-Worm.Win32.Kido family.
1. It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares).
2. It stores itself in the system as a DLL file with a random name, for example c:\windows\system32\zorizr.dll.
3. It registers itself as a system service with a random name, for example knqdgsm.
4. It tries to attack other computers on the network via TCP port 445 or 139, using the MS Windows vulnerability MS08-067.
5. It tries to connect to the following sites (we recommend configuring the network firewall to monitor connection attempts to these sites):
- http://www.getmyip.org
- http://getmyip.co.uk
- http://www.whatsmyipaddress.com
- http://www.whatismyip.org
- http://checkip.dyndns.org
- http://schemas.xmlsoap.org/soap/envelope/
- http://schemas.xmlsoap.org/soap/encoding/
- http://trafficconverter.biz/4vir/antispyware/loadadv.exe
- http://trafficconverter.biz
- http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
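The two network-side indicators above (a spike in SMB traffic from infected PCs in symptom 1, and connection attempts to the listed sites in item 5) can be checked from firewall logs. The following script is an added example, not part of the original advisory or the KK.exe utility; the log line format, the sample lines and the scan threshold are constructed for illustration.

```python
"""Flag Kido/Conficker-style activity in firewall log lines (added example).
Checks per source: many SMB (445/139) targets, and hits on the advisory's sites."""
import re
from collections import defaultdict

# Host parts of the URLs listed in the advisory.
WATCH_HOSTS = {
    "www.getmyip.org", "getmyip.co.uk", "www.whatsmyipaddress.com",
    "www.whatismyip.org", "checkip.dyndns.org", "schemas.xmlsoap.org",
    "trafficconverter.biz", "www.maxmind.com",
}
SMB_PORTS = {445, 139}
SCAN_THRESHOLD = 5  # distinct SMB targets per source before alerting (assumed)
# Assumed (constructed) line format: "<time> src=<ip> dst=<ip|host> dport=<port>"
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 10.0.0.5 sweeps SMB then checks its public IP; 10.0.0.7 is
# normal file-server access; 10.0.0.9 only contacts one watched host.
SAMPLE_LOG = """\
10:01:02 src=10.0.0.5 dst=10.0.0.11 dport=445
10:01:02 src=10.0.0.5 dst=10.0.0.12 dport=445
10:01:03 src=10.0.0.5 dst=10.0.0.13 dport=139
10:01:03 src=10.0.0.5 dst=10.0.0.14 dport=445
10:01:04 src=10.0.0.5 dst=10.0.0.15 dport=445
10:01:09 src=10.0.0.5 dst=checkip.dyndns.org dport=80
10:02:00 src=10.0.0.7 dst=fileserver dport=445
10:02:30 src=10.0.0.9 dst=www.maxmind.com dport=80
""".splitlines()

def analyze(lines):
    """Return {source: [reasons]} for sources showing either indicator."""
    smb_targets, watch_hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:  # unparseable line: skip rather than stop the monitor
            continue
        src, dst, dport = m["src"], m["dst"].lower(), int(m["dport"])
        if dport in SMB_PORTS:
            smb_targets[src].add(dst)
        if dst in WATCH_HOSTS:
            watch_hits[src].add(dst)
    suspects = {}
    for src in set(smb_targets) | set(watch_hits):
        reasons = []
        if len(smb_targets[src]) >= SCAN_THRESHOLD:
            reasons.append(f"scanned {len(smb_targets[src])} hosts on 445/139")
        if watch_hits[src]:
            reasons.append("contacted " + ", ".join(sorted(watch_hits[src])))
        if reasons:
            suspects[src] = reasons
    return suspects
```

A source flagged for both reasons is the strongest signal; a single hit on a watched host alone (as for 10.0.0.9 in the sample) warrants a look at the machine rather than an automatic verdict.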
Methods of disinfection.
A special utility, KK.exe, should be used to remove this worm.
To prevent workstations and file servers from being infected by the worm, we recommend the following:
- Make sure the password of the local administrator account is not obvious and cannot be guessed easily: it should contain at least 6 characters, with a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks.
- Disable autorun of executable files from removable drives.
To remove the virus locally:
1. Download the archive KK_v3.4.5.zip and extract its contents into a folder on the infected PC.
2. Run the file KK.exe.
When the scan is over, an active command-prompt window may remain on the screen; press any key to minimize it. To have the command-prompt window close automatically, run KK.exe with the parameter -y.
3. Wait until the scan is complete.
If Agnitum Outpost Firewall is installed on the computer where KK.exe is run, you must restart the PC once the utility has finished.
4. Perform a full scan of your computer with your anti-virus product.
Tuesday, April 14, 2009