The Kido worm, also known as Downadup, Downup and Conficker, is continuing to spread more rapidly than ever, even though it is already several months since it was first spotted. More than 9 million PCs have been infected, and Panda Security reports an infection rate of 6% among two million computers scanned via its website. China (the probable country of origin) is the most infected country.
Kido exploits a known vulnerability in Windows 2000, Windows XP, Windows Server 2003 and Windows Vista (some variants even affect Windows 7) which was patched by Microsoft in October 2008. Unfortunately, a large number of PC users never bother to install Windows updates and hence remain vulnerable to the Kido worm. Symantec found an interesting correlation between countries with a large number of pirated Windows users and countries infected on a large scale by Kido.
Downadup or Kido is remarkable in its sophistication. It can infect computers even if the Autoplay feature is disabled for USB devices, by pretending to be a folder. It spreads via the network as well as USB devices (pen drives, MP3 players etc.). It resets your System Restore points, disables Windows Update, Windows Defender and Windows Security Center, and even manipulates certain TCP settings to block access to security websites. It is also known to change access permissions. New variants even disable the firewall and may interfere with antivirus scans.
As soon as any removable drive is inserted it creates a file called autorun.inf and a folder named RECYCLED (commonly used by the system to store Recycle Bin files). It then goes on to create another file, {SID<....>}RANDOM_NAME.vmx, inside the RECYCLED folder. Most antivirus software would be able to detect this *.vmx file, but once a system is infected it won't be able to eliminate the worm properly (thus you would end up with a new detection every time you insert a USB device).
Like most worms, once Kido infects a machine it calls home and may download malicious files to the infected computer. What is really interesting is that Kido uses a complicated algorithm to create a large list of new domain names every day. The script to be downloaded may be hosted on any one of these domain names, thus making things even harder for the good guys. Kido also launches a brute-force dictionary attack in order to guess the administrator password. Hence, it would be a good idea to change your administrator password to a non-dictionary word right now.
The Kido worm has been dubbed an epidemic and is the biggest worm epidemic in recent years. And it is still evolving. Kaspersky is reporting that new variants have been spotted which further enhance the original worm's functionality. The new variants generate as many as 50,000 domain names every day (compared to 250 in the older variants) from which the worm can download updates.
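The autorun.inf plus RECYCLED plus .vmx combination described above is easy to check for by hand, and it is the same check you would script for a batch of USB sticks. The Python below is an added example, not the post's own code and not a vendor tool: it scans the root of a drive for exactly those three indicators and reports which ones it found. The sample drive layout is constructed inside a temporary folder; the file name only mimics the {SID...}RANDOM_NAME.vmx shape from the post and is not taken from a real sample.

```python
"""Added example (not the post's own code): check the root of a removable
drive for the Kido/Downadup autorun indicators the post describes:
autorun.inf, a RECYCLED folder, and a .vmx file inside it.
The sample drive layout is constructed here; the file name only mimics the
{SID...}RANDOM_NAME.vmx shape, it is not taken from a real sample."""
import os
import re
import tempfile

# Brace-prefixed .vmx name, the shape the post describes for the dropped file.
BRACE_VMX = re.compile(r"^\{[^}]+\}.*\.vmx$", re.IGNORECASE)


def scan_removable_root(root):
    """Return a dict of indicators found at the root of a removable drive.
    A RECYCLED folder that holds a .vmx file is the strongest sign; the
    autorun.inf check tells you whether Autoplay would hand control to it."""
    findings = {
        "autorun_inf": False,
        "autorun_refs_recycled": False,
        "recycled_dir": False,
        "vmx_files": [],
        "brace_named_vmx": False,
    }
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings["autorun_inf"] = True
        # Read as bytes: a hostile autorun.inf need not be clean text.
        with open(autorun, "rb") as fh:
            data = fh.read().lower()
        findings["autorun_refs_recycled"] = b"recycled" in data or b".vmx" in data
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if entry.upper() == "RECYCLED" and os.path.isdir(path):
            findings["recycled_dir"] = True
            for dirpath, _dirs, files in os.walk(path):
                for name in files:
                    if name.lower().endswith(".vmx"):
                        rel = os.path.relpath(os.path.join(dirpath, name), root)
                        findings["vmx_files"].append(rel)
                        if BRACE_VMX.match(name):
                            findings["brace_named_vmx"] = True
    findings["suspicious"] = findings["recycled_dir"] and bool(findings["vmx_files"])
    return findings


def make_sample_drive(root):
    """Construct the layout the post describes (placeholder content only)."""
    recycled = os.path.join(root, "RECYCLED")
    os.makedirs(recycled, exist_ok=True)
    # Hypothetical name following the {SID...}RANDOM_NAME.vmx pattern.
    with open(os.path.join(recycled, "{SID-EXAMPLE}abcdef.vmx"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real sample")
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(b"[autorun]\r\nopen=RECYCLED\\{SID-EXAMPLE}abcdef.vmx\r\n")


def run_demo():
    """Scan one constructed infected-looking drive and one empty drive."""
    infected = tempfile.mkdtemp(prefix="kido_demo_")
    make_sample_drive(infected)
    clean = tempfile.mkdtemp(prefix="kido_clean_")
    return scan_removable_root(infected), scan_removable_root(clean)


if __name__ == "__main__":
    for label, result in zip(("constructed drive", "empty drive"), run_demo()):
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "nothing found")
        for key, value in result.items():
            print("   ", key, "=", value)
```

To use it on a real stick, call scan_removable_root with the drive root (for example "E:\\") from a machine you trust. A RECYCLED folder on its own is not proof of anything, which is why the verdict requires a .vmx file inside it; the autorun.inf flags are reported separately so you can see whether Autoplay would have launched the file.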
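The domain-generation behaviour in the two paragraphs above (a new list of names every day, 250 in older variants and up to 50,000 in newer ones) leaves a footprint on the network side: a single infected client tries a long run of names that do not exist, so the resolver answers NXDOMAIN over and over. The Python below is an added example, not the post's own code, that counts distinct unresolvable names per client per day over resolver log lines and flags the clients that cross a threshold. The one-query-per-line log format is an assumption, every log line is constructed, and the random names are plain random letters, not Kido's actual algorithm.

```python
"""Added example (not the post's own code): spot the DNS footprint of a
domain-generation algorithm like Kido's. A bot that tries hundreds of
generated names a day produces a burst of lookups that do not resolve
(NXDOMAIN) from a single client. The log line format below is an assumed
one-line-per-query resolver log, and every line is constructed here."""
import random
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def failed_lookups(lines):
    """Map (client, date) -> set of distinct names that returned NXDOMAIN."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "NXDOMAIN":
            day = rec["ts"][:10]  # ISO timestamp, date part only
            failed[(rec["client"], day)].add(rec["qname"].lower().rstrip("."))
    return failed


def flag_dga_clients(lines, threshold):
    """List (client, date, distinct_failed_names) for clients at or over the
    threshold. Typo-level noise stays under any sensible threshold; a DGA
    client stands out by the sheer number of distinct names that never resolve."""
    flagged = [
        (client, day, len(names))
        for (client, day), names in failed_lookups(lines).items()
        if len(names) >= threshold
    ]
    return sorted(flagged)


def make_sample_log(dga_queries=300, seed=1):
    """Constructed log: one ordinary client with a couple of typos and one
    client that behaves like a DGA bot. The random names here are just
    letters; they are not Kido's algorithm."""
    rng = random.Random(seed)
    lines = []
    ordinary = ["www.example.com", "example.org", "wwww.example.com", "exmaple.com"]
    for i, name in enumerate(ordinary):
        rcode = "NOERROR" if i < 2 else "NXDOMAIN"
        lines.append("2009-03-12T09:%02d:00 client=10.0.0.5 qname=%s rcode=%s" % (i, name, rcode))
    generated = set()
    while len(generated) < dga_queries:
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(5, 10)))
        generated.add(label + "." + rng.choice(["com", "net", "org", "info", "biz"]))
    for i, name in enumerate(sorted(generated)):
        lines.append("2009-03-12T10:%02d:%02d client=10.0.0.7 qname=%s rcode=NXDOMAIN"
                     % (i // 60, i % 60, name))
    return lines


if __name__ == "__main__":
    for client, day, count in flag_dga_clients(make_sample_log(), threshold=100):
        print("%s on %s: %d distinct unresolvable names (possible DGA)" % (client, day, count))
```

The threshold is the only tuning knob: a user mistyping a few addresses produces a handful of NXDOMAINs, while a bot walking a generated list produces hundreds, so a value around 100 separates the two on this constructed data. On a real resolver you would feed it a day's query log and review the flagged clients before pulling them off the network.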
Protect yourself from Kido / Downadup / Conficker / Downup
If you haven't installed the Windows updates and aren't yet infected, then consider yourself lucky. Install the suitable updates for your system according to MS08-067, MS08-068 and MS09-001 right now.
How to Remove Kido / Downadup / Conficker / Downup
If you are already infected and your antivirus software can't eliminate the worm, you will need to download a removal tool offered by one of the various security product vendors. I am listing all the major ones.
Microsoft : Windows Malicious Software Removal Tool
Kaspersky : KidoKiller
F-Secure : F-downadup (alternate link)
BitDefender : Win32.Worm.Downadup.Gen Remover Alternate link
Spywarevoid : W32.downadup.c removal tool
Symantec : W32.Downadup Remover
ESET : Conficker Remover
Sophos : Conficker Cleanup Tool
Since Kido blocks access to security websites, some of these links may not work for you. Keep trying till you find one that works, or use a proxy service. Once you have removed Kido, go ahead and install the patches mentioned above to protect your system from future infections.
Kido has already created a lot of trouble, including affecting the U.K. Ministry of Defence and bringing down Houston Municipal Court. How much of a nuisance this worm is can be judged from the fact that Microsoft is offering $250,000 for the conviction of the creators of the worm. What is more, most people believe that the worst is yet to come. The worm has millions of infected machines under its command but hasn't delivered a payload to any of them. Some speculate that the worm's creator may deliver it to all of the infected machines on a predetermined date (dubbed the Big Bang), creating massive trouble in one go.
P.S.: Various antivirus vendors use various naming conventions for worms. I am listing the aliases provided by popular antivirus vendors:
Symantec : W32.Downadup
F-Secure : W32/Downadup.A, W32/Downadup.B etc
Panda : Conficker.A, Conficker.B etc
Kaspersky : Net-Worm.Win32.Kido.bt, Net-Worm.Win32.Kido.ip, Net-Worm.Win32.Kido.iq etc
McAfee : W32/Conficker.worm
Bitdefender : Win32.Worm.Downadup.Gen
Or try bdtools.net from BitDefender for its latest variant. I did. It was the only site this worm let me access. Their removal tool really works.
The file available from bdtools.net is the same as the one I have linked to. So both of them should be able to deal with the Kido worm.
Thanks for the link though.
I have all the symptoms on Vista but the removal tools either die or say the system is clean!!!
I believe the most definitive symptom is the presence of a .vmx file on any USB device that is plugged into the system. All AV software should be able to detect this file and let you know if it's a Kido/Conficker/Downadup infection.
If you are infected, the dedicated tools are your best bet. I listed as many tools as I could find so that at least some of them can get the work done. Give them all a try. If the virus removal tools are dying, try running them from safe mode.
Hm, well, I've run several cleaner utilities yesterday and tried several AVs but none of them reports anything. I even started to scan that Vista partition from the XP partition, which is clean, and could not detect anything, but I still can't open microsoft.com, kaspersky.com, symantec, nod, outpost…
However, I can download those AVs etc. from alternate locations…
Not being able to access security websites is one of the symptoms of Kido, but it's exhibited by other malware too. The best way to check is to see if a .vmx file lands up on plugged-in USB devices.
Btw, just in case, check if anything is blocked in the hosts file (open it with Notepad by typing C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS in the Run command box).
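The hosts-file tip in the comment above (and the later report of vendor sites redirecting to localhost) is worth scripting, because a hijacked hosts file is both a symptom and something you can repair by hand. The Python below is an added example, not the post's own code: it parses hosts-file text and reports any entry that pins a security vendor's domain, or a subdomain of it, to any address at all. The vendor domain list is an assumed starting point built from the vendors the post names, and the sample hosts content is constructed, not copied from an infected machine.

```python
"""Added example (not the post's own code): check a Windows hosts file for
entries that hijack security vendor sites, the kind of block the comments
describe (vendor sites redirecting to localhost). The vendor domain list is
an assumed starting point; the hosts content below is constructed."""
import re

# Assumed watch list: vendors named in the post. A legitimate hosts file has
# no reason to pin any of these, so any entry for them is suspect.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "kaspersky.com", "symantec.com",
    "f-secure.com", "bitdefender.com", "eset.com", "sophos.com",
    "mcafee.com", "pandasecurity.com",
)

# address, then one or more host names, up to an optional '#' comment
HOSTS_LINE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F.:]+)\s+(?P<names>[^#]+)")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        m = HOSTS_LINE.match(raw)
        if not m:
            continue
        ip = m.group("ip")
        if "." not in ip and ":" not in ip:  # not an IPv4/IPv6 literal
            continue
        for name in m.group("names").split():
            yield ip, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return [(ip, hostname, matched_domain)] for entries that pin a watched
    vendor domain (or any subdomain of it). The address does not matter:
    loopback, 0.0.0.0 and a stray private address are all hijacks."""
    hits = []
    for ip, name in parse_hosts(text):
        for dom in watched:
            if name == dom or name.endswith("." + dom):
                hits.append((ip, name, dom))
                break
    return hits


# Constructed sample: two harmless lines, then entries of the kind a
# security-site block would leave behind.
SAMPLE_HOSTS = """# constructed sample, not from a real machine
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com kaspersky.com   # pinned to loopback
0.0.0.0         update.symantec.com
10.1.2.3        download.microsoft.com
192.168.0.10    intranet.example.local
"""


def check_sample():
    """Run the check over the constructed sample."""
    return suspicious_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    hits = check_sample()
    if not hits:
        print("no vendor domains pinned in hosts file")
    for ip, name, dom in hits:
        print("%-15s %-28s (matches %s)" % (ip, name, dom))
```

On a real machine, read the file at the path given in the comment above and pass its contents to suspicious_entries. A clean result does not rule the worm out, since the post notes it also blocks sites by manipulating TCP settings; a non-empty result tells you exactly which lines to delete before retrying the vendor downloads.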
Nice tip:)
I found this virus 3 days ago in my network, but I have a problem: Kaspersky shows the following message when it finds this virus: “write access is denied” file: c:\windows\bkqamc.dll
Note: my virus name is:
Net-Worm.Win32.Kido.em
Patch MS08-067.mspx Microsoft
Can you help me please?
Try a utility named Unlocker, you can grab it from here http://ccollomb.free.fr/unlocker/ , or some similar utility, to unlock that file and try to delete that file manually. Hope that helps!
Try http://www.disinfecttools.com, the new location of the removal tool for the new Conficker variant, which is not yet blocked by the virus (bdtools.net is now). BitDefender moved quickly 😉
Thanks. Link updated
Unfortunately it's not as simple as removing a couple of files using Unlocker.
Did you try out the disinfection tools I mentioned in this post?
I have all the symptoms of this worm, but when I tried the BitDefender tool, it didn't work. It says that the scan was clean! What can I do now? I'm not really proficient with computers…. 🙁
I would recommend downloading and burning the BitDefender Rescue CD from here: http://download.bitdefender.com/rescue_cd/BitDefenderRescueCD_v2.0.0_16_03_2009.iso
After that, insert the CD in your CD-ROM drive, restart your PC and boot from it. You will then enter a Linux OS where you can scan and remove viruses with the BitDefender scanner.
You can find a tutorial on how to do this here: http://www.bitdefender.ro/KB417
Use this link for the How To tutorial; the one in my first comment was in Romanian: http://www.bitdefender.com/KB417
I have tried the Symantec standalone tool,
but there was no use of that…..
I am not able to download from other antivirus websites.
When I try to do that, it redirects me to my localhost.
Are you sure you have Conficker? If the tool says you are clean, maybe it is something else. Can you access any security vendors' sites?
Try this: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
Among other things, try:
i) Install all required patches from Microsoft
ii) Update Kaspersky and run it under Safe Mode.
Try using a proxy to access blocked security websites.
Just google for proxy sites ( https://proxy.org/ , https://proximize.me/ and https://launchwebs.org are three secure proxy services).
Please help me D: I cannot download anything and my antivirus expired and this virus is getting really annoying; it closes pages and so does MSN… I think,
but it does close the pages from nowhere and I can't download anything D:… any tip please?
Scans aren't finding anything but I still have symptoms. Sigh… can't download anything from Microsoft.
Try downloading from a cyber-cafe or from a friend's computer, or using Linux.
Remember that AV providers also offer phone support. So you can always use that if you absolutely can't figure out how to solve the problem.
[…] http://support.kaspersky.com/faq/?qid=208279973 http://pallab.net/2009/03/12/how-to-remove-kido-downadup-downup-conficker/ […]
Guys, can you help me please… I have this virus and it won't let me download ANYTHING.
I cannot download absolutely anything; it closes itself really fast, and so it does when I try to type antivirus…
I had an antivirus that expired already so I don't have any right now…
Do you guys have any solution for this without downloading? Because I'm desperate D:….
Manual removal is hard. Some instructions are available here. A better way is to download the Kido removal tools from another machine and run them.
Conficker - I hate this.
I formatted my drive when I had this virus.
Cool, but how old is this post?
The post is written in a very good manner and it contains much useful information for me. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept.