Kido
Kido is a worm and a dropper Trojan that has seen recent updates that add security-attacking functions which can disable anti-malware and security applications on your PC. In addition to this, SpywareRemove.com malware experts have also found that even older versions of Kido can copy themselves through local networks and install other types of harmful software without your permission. Kido should be considered a serious threat to any PC that Kido infects, and updates to your anti-malware program's threat definitions should be thought of as essential for protecting your system from modern Kido attacks. Because the symptoms of a Kido infection can vary due to the instructions that Kido receives from various servers, you should use anti-malware products to detect and delete Kido infections whenever possible.
The Software Lockdown of a Kido Worm
Kido worms have been seen to come in several variants and updated versions; identifiers for different variants of Kido include Net-Worm.Win32.Kido.iq, Trojan-Dropper.Win32.Kido.o, Net-Worm.Win32.Kido.js, Trojan.DR.Kido.CE and Net-Worm.Win32.Kido.ip. However, all versions of Kido that SpywareRemove.com malware researchers have examined have had certain traits in common, such as:
- An ability to spread via local networks and removable storage drives. Kido uses standard worm functions to do this, by creating clones of itself, hiding those clones with System and Hidden flags and then installing them with just-as-well-hidden Autorun.inf files. Keeping a close eye on your network security and storage device usage is crucial during any Kido infection, since Kido can use these means to infect other computers in rapid order.
- SpywareRemove.com malware researchers have also found that all types of Kido worms can also engage in Trojan-like behavior that allows them to contact remote servers, download files and then install harmful programs. The exact types of files that are installed can vary, since even the older versions of Kido infections are able to receive files and instructions from over two dozen servers. Kido may attempt to install spyware that steal passwords, rogue security programs that create fake warning messages, ransomware Trojans that lock up your PC and other types of PC threats.
- Kido is also known for Kido's broadly-targeted software and website-blocking features. Kido will block websites and programs by looking for certain text strings, such as 'wireshark,' 'mrt,' 'kaspersky,' 'securecomputing,' 'spyware,' 'Trojan' and 'virus,' among many others. This allows Kido to stop you from visiting PC security websites or from running PC security program, although you may be able to rename program files (preferably to a generic system process name, such as 'explorer.exe') to avoid Kido's blacklist. Accessing websites that Kido has blocked may require a reboot into Safe Mode.
Why You Want the Latest and Greatest in Security Software to Keep Kido Away
Although more primitive variants of Kido were relatively limited in their self-updating capabilities, more advanced variants of Kido have been known to update themselves from hundreds of separate servers. You may be able to notice this server activity by watching for unusual RAM usage, changes to your firewall or openings in your network ports. However, SpywareRemove.com malware researchers caution that a modern Kido worm's ability to reconfigure itself based on external instructions shouldn't be underestimated as a threat to your computer's privacy and security.
Once you've identified a potential Kido infection on your hard drive, you should immediately reboot into Safe Mode ('Safe Mode with Networking' if you require updates or Internet connectivity for any reason). This will shut down Kido's startup entries and let you run the software that can remove Kido without a blacklist getting in the way.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%System%\[RANDOM FILE NAME].dll
File name: %System%\[RANDOM FILE NAME].dllFile type: Dynamic link library
Mime Type: unknown/dll
%Temp%\[RANDOM FILE NAME].dll
File name: %Temp%\[RANDOM FILE NAME].dllFile type: Dynamic link library
Mime Type: unknown/dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
File name: %Program Files%\Internet Explorer\[RANDOM FILE NAME].dllFile type: Dynamic link library
Mime Type: unknown/dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
File name: %Program Files%\Movie Maker\[RANDOM FILE NAME].dllFile type: Dynamic link library
Mime Type: unknown/dll
%All Users Application Data%\[RANDOM FILE NAME].dll
File name: %All Users Application Data%\[RANDOM FILE NAME].dllFile type: Dynamic link library
Mime Type: unknown/dll
%System%\[Random].tmp
File name: %System%\[Random].tmpFile type: Temporary File
Mime Type: unknown/tmp
%Temp%\[Random].tmp
File name: %Temp%\[Random].tmpFile type: Temporary File
Mime Type: unknown/tmp
Registry Modifications
HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "[PATH OF WORM]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.