Thursday, August 27, 2009

impact of kido virus

kido is a worm, A worm is a type of virus that replicates by resending itself as an e-mail attachment or as part of a network message. Unlike a regular computer virus, a worm is self-contained and does not need to be part of another program to duplicate itself. A worm hides in active memory and performs malicious acts, such as using parts of the computer’s system resources. Worms are usually invisible to the user and are designed to affect the computer’s performance. A worm take control of remote systems without any help from the users and can delete files, send documents via email, or encrypt files.

once you infected with kido the following things can happen
  • compromise your privacy by transmitting your personal information and downloading popup advertisements.
  • It can tracks which websites you visited or what terms you’ve typed. Spyware uses your information to deliver targeted ads to you. Also, data of your surfing activities may be sold to third parties.
  • Slow computer performance. A sluggish computer is one of the easiest signs that you have been infected with Kido. Kido and other unwanted sofware use your computer’s resources to do its nasty tasks such as displaying popups or tracking your surfing activities. If you see your computer is slowing down dramatically or crashing a lot, you may be infected with an unwanted software.
Sings of network infection
  • Network traffic volume increases if there are infected PCs in the network, because network attack starts from these PCs.
  • Anti-Virus product with enabled Intrusion Detection System informs of the attack Intrusion.Win.NETAPI.buffer-overflow.exploit
  • It is impossible to access websites of the majority of anti-virus companies, e.g. avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc. (and the list keep go on)
Termination of services
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
Short description of the Net-Worm.Win32.Kido family
  • It creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares)
  • It stores itself in the system as a DLL-file with a random name, for example, c:\windows\system32\zorizr.dll
  • It registers itself in system services with a random name, for example, knqdgsm.
  • It tries to attack network computers via 445 or 139 TCP port, using MS Windows vulnerability
  • It tries to connect to the sites of http://www.getmyip.org, http://getmyip.co.uk, http://www.whatsmyipaddress.com, http://www.whatismyip.org, http://checkip.dyndns.org, in order to learn the external IP address of the infected computer (recommended action is configuring a rule to monitor connection attempts to these sites it network firewall)
Note - if you cant access website due to kido infection, there is a small thing to try to access webistes, follow these steps
  • open miscosoft services window (start>run>type services.msc>press enter)
  • in the services find DNS Client service
  • now stop the service (right click on the service>click stop)
  • now try to open website (hope this helps, it really works for me in a kido infection case study)

No comments:

Post a Comment