Home Malware Programs Worms Kido

Kido

Posted: December 19, 2010

Kido is a worm and a dropper Trojan that has seen recent updates that add security-attacking functions which can disable anti-malware and security applications on your PC. In addition to this, SpywareRemove.com malware experts have also found that even older versions of Kido can copy themselves through local networks and install other types of harmful software without your permission. Kido should be considered a serious threat to any PC that Kido infects, and updates to your anti-malware program's threat definitions should be thought of as essential for protecting your system from modern Kido attacks. Because the symptoms of a Kido infection can vary due to the instructions that Kido receives from various servers, you should use anti-malware products to detect and delete Kido infections whenever possible.

The Software Lockdown of a Kido Worm

Kido worms have been seen to come in several variants and updated versions; identifiers for different variants of Kido include Net-Worm.Win32.Kido.iq, Trojan-Dropper.Win32.Kido.o, Net-Worm.Win32.Kido.js, Trojan.DR.Kido.CE and Net-Worm.Win32.Kido.ip. However, all versions of Kido that SpywareRemove.com malware researchers have examined have had certain traits in common, such as:

  • An ability to spread via local networks and removable storage drives. Kido uses standard worm functions to do this, by creating clones of itself, hiding those clones with System and Hidden flags and then installing them with just-as-well-hidden Autorun.inf files. Keeping a close eye on your network security and storage device usage is crucial during any Kido infection, since Kido can use these means to infect other computers in rapid order.
  • SpywareRemove.com malware researchers have also found that all types of Kido worms can also engage in Trojan-like behavior that allows them to contact remote servers, download files and then install harmful programs. The exact types of files that are installed can vary, since even the older versions of Kido infections are able to receive files and instructions from over two dozen servers. Kido may attempt to install spyware that steal passwords, rogue security programs that create fake warning messages, ransomware Trojans that lock up your PC and other types of PC threats.
  • Kido is also known for Kido's broadly-targeted software and website-blocking features. Kido will block websites and programs by looking for certain text strings, such as 'wireshark,' 'mrt,' 'kaspersky,' 'securecomputing,' 'spyware,' 'Trojan' and 'virus,' among many others. This allows Kido to stop you from visiting PC security websites or from running PC security program, although you may be able to rename program files (preferably to a generic system process name, such as 'explorer.exe') to avoid Kido's blacklist. Accessing websites that Kido has blocked may require a reboot into Safe Mode.

Why You Want the Latest and Greatest in Security Software to Keep Kido Away

Although more primitive variants of Kido were relatively limited in their self-updating capabilities, more advanced variants of Kido have been known to update themselves from hundreds of separate servers. You may be able to notice this server activity by watching for unusual RAM usage, changes to your firewall or openings in your network ports. However, SpywareRemove.com malware researchers caution that a modern Kido worm's ability to reconfigure itself based on external instructions shouldn't be underestimated as a threat to your computer's privacy and security.

Once you've identified a potential Kido infection on your hard drive, you should immediately reboot into Safe Mode ('Safe Mode with Networking' if you require updates or Internet connectivity for any reason). This will shut down Kido's startup entries and let you run the software that can remove Kido without a blacklist getting in the way.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Kido may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%System%\[RANDOM FILE NAME].dll File name: %System%\[RANDOM FILE NAME].dll
File type: Dynamic link library
Mime Type: unknown/dll
%Temp%\[RANDOM FILE NAME].dll File name: %Temp%\[RANDOM FILE NAME].dll
File type: Dynamic link library
Mime Type: unknown/dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll File name: %Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
File type: Dynamic link library
Mime Type: unknown/dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll File name: %Program Files%\Movie Maker\[RANDOM FILE NAME].dll
File type: Dynamic link library
Mime Type: unknown/dll
%All Users Application Data%\[RANDOM FILE NAME].dll File name: %All Users Application Data%\[RANDOM FILE NAME].dll
File type: Dynamic link library
Mime Type: unknown/dll
%System%\[Random].tmp File name: %System%\[Random].tmp
File type: Temporary File
Mime Type: unknown/tmp
%Temp%\[Random].tmp File name: %Temp%\[Random].tmp
File type: Temporary File
Mime Type: unknown/tmp

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "[PATH OF WORM]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%

Related Posts