Wednesday, 18 November 2009

How to Remove Kido / Downadup / Downup / Conficker

By Lukis
The Kido worm, also known as Downadup, Downup and Conficker, is continuing to spread more rapidly than ever, even though it is already several months since it was first spotted. More than 9 million PCs have been infected, and Panda Security reports an infection rate of 6% among two million computers scanned via its website. China (the probable country of origin) is the most heavily infected.

Kido exploits a known vulnerability in Windows 2000, Windows XP, Windows Server 2003 and Windows Vista (some versions even affect Windows 7) which Microsoft patched in October 2008. Unfortunately, a large number of PC users never bother to install Windows updates and hence remain vulnerable to the Kido worm. Symantec found an interesting correlation between countries with a large number of pirated Windows installations and countries infected on a large scale by Kido.

[Chart: Top 10 Countries Infected by Kido]

Downadup or Kido is remarkable in its sophistication. It can infect computers even if the Autoplay feature is disabled for USB devices, by pretending to be a folder. It spreads via the network as well as USB devices (pen drives, MP3 players etc.). It resets your system restore points, disables Windows Update, Windows Defender and Windows Security Center, and even manipulates certain TCP settings to block access to security websites. It is also known to change access permissions. New variants even disable the Firewall and may interfere with antivirus scans.

As soon as any removable drive is inserted it creates a file called autorun.inf and a folder RECYCLED (a name commonly used by the system to store Recycle Bin files). It then goes on to create another file {SID<....>}RANDOM_NAME.vmx inside the RECYCLED folder. Most antivirus software would be able to detect this *.vmx file, but once a system is infected it won't be able to eliminate the worm properly (thus you would end up with a new detection every time you insert a USB device).
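As an added example (not from the original post), here is a Python check for the two removable-drive artefacts just described: an autorun.inf that launches something while posing as a folder, and a RECYCLED folder holding a *.vmx file. The drive layout it builds for the demonstration is constructed; the SID-like folder name and randomname.vmx are placeholders, since the real worm uses random names.

```python
import re
import tempfile
from pathlib import Path

# autorun.inf keys that launch something when the drive is inserted
LAUNCH_KEY = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$",
                        re.IGNORECASE | re.MULTILINE)
ACTION_KEY = re.compile(r"^\s*action\s*=\s*(.+)$", re.IGNORECASE | re.MULTILINE)

def scan_removable_root(root: Path) -> list[str]:
    """Return findings for the indicators the post describes; [] means none seen."""
    findings = []
    autorun = root / "autorun.inf"
    if autorun.exists():
        # errors="ignore": infected autorun.inf files may carry non-text padding
        text = autorun.read_text(errors="ignore")
        targets = [m.group(1).strip() for m in LAUNCH_KEY.finditer(text)]
        action = ACTION_KEY.search(text)
        if targets and action and "folder" in action.group(1).lower():
            findings.append("autorun.inf poses as a folder but launches a file")
        for target in targets:
            if ".vmx" in target.lower() or target.lower().startswith("recycled"):
                findings.append(f"autorun.inf launches {target}")
    recycled = root / "RECYCLED"
    if recycled.is_dir():
        # the worm hides its payload under a SID-like subfolder; search any depth
        for vmx in recycled.rglob("*.vmx"):
            findings.append(f"suspicious payload {vmx.relative_to(root).as_posix()}")
    return findings

def build_sample_drive(base: Path) -> None:
    """Construct a fake infected drive layout (placeholder names, no real malware)."""
    sid_dir = base / "RECYCLED" / "S-1-5-21-000000000-000000000-000000000-1000"
    sid_dir.mkdir(parents=True)
    (sid_dir / "randomname.vmx").write_bytes(b"placeholder bytes, not a real payload")
    (base / "autorun.inf").write_text(
        "[autorun]\nAction=Open folder to view files\n"
        "shellexecute=RECYCLED\\S-1-5-21-000000000-000000000-000000000-1000\\randomname.vmx\n")

def demo(infected: bool = True) -> list[str]:
    """Scan a constructed drive; infected=False scans an empty (clean) one."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_sample_drive(Path(tmp))
        return scan_removable_root(Path(tmp))

if __name__ == "__main__":
    print("\n".join(demo()) or "no Kido indicators found")
```

To check a real drive, call scan_removable_root on its root path (for example Path("E:/")) from a known-clean machine.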

Like most worms, once Kido infects a machine it calls home and may download malicious files to the infected computer. What is really interesting is that Kido uses a complicated algorithm to create a large list of new domain names every day. The script to be downloaded may be hosted on any one of these domain names, making things even harder for the good guys. Kido also launches a brute-force dictionary attack in order to guess the administrator password. Hence, it would be a good idea to change your administrator password to a non-dictionary word right now.

The Kido worm has been dubbed an epidemic and is the biggest worm epidemic in recent years. And it's still evolving. Kaspersky is reporting that new variants have been spotted which further enhance the original worm's functionality. The new variants generate as many as 50,000 domain names every day (compared to 250 in the older variants) from which they can download updates.

Protect yourself from Kido / Downadup / Conficker / Downup

If you haven't installed the Windows updates and aren't yet infected, consider yourself lucky. Install the suitable update for your system according to MS08-067, MS08-068 and MS09-001 right now.

How to Remove Kido / Downadup / Conficker / Downup

If you are already infected and your antivirus software can't eliminate the worm, you will need to download a removal tool offered by one of the security product vendors. I am listing all the major ones.

Kaspersky : KidoKiller
F-Secure : F-downadup
Spywarevoid : W32.downadup.c removal tool
Symantec : W32.Downadup Remover
ESET : Conficker Remover
Sophos : Conficker Cleanup Tool

Since Kido blocks access to security websites, some of these links may not work for you. Keep trying till you find one that works, or use a proxy service. Once you have removed Kido, go ahead and install the patches mentioned above to protect your system from future infections.

Kido has already created a lot of trouble, including affecting the U.K. Ministry of Defence and bringing down the Houston Municipal Court. How much of a nuisance this worm is can be judged from the fact that Microsoft is offering $250,000 for the conviction of the creators of the worm. What is more, most people believe that the worst is yet to come. The worm has millions of infected machines under its command but hasn't delivered a payload to any of them. Some speculate that the worm's creator may deliver it to all of the infected machines on a predetermined date (dubbed the Big Bang), creating massive trouble in one go.

P.S.: Various antivirus vendors use different naming conventions for worms. I am listing the aliases used by popular antivirus vendors:
Symantec : W32.Downadup
F-Secure : W32/Downadup.A, W32/Downadup.B etc
Panda : Conficker.A, Conficker.B etc
Kaspersky : Net-Worm.Win32.Kido.bt, Net-Worm.Win32.Kido.ip, Net-Worm.Win32.Kido.iq etc
McAfee : W32/Conficker.worm
Bitdefender : Win32.Worm.Downadup.Gen
