Saturday, May 8, 2010

Cannot access Antivirus & Microsoft Websites (Net-Worm.Win32.Kido aka Conficker, Downadup)


Windows-based workstations and servers are being infected by a network worm, after which they cannot access any anti-virus or Microsoft websites. Even an attempt to update the anti-virus databases fails with an error about resolving the DNS name of the online update servers. This infection is named Net-Worm.Win32.Kido (also known as Conficker or Downadup).

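The symptom described above (anti-virus and Microsoft update servers failing to resolve while the rest of the network works) can be turned into a quick triage check run from the suspect machine. The script below is an added example, not part of the original post and not a Kaspersky tool; the domain list is constructed from the vendor names the post mentions, and the use of an unrelated control domain to separate "DNS is down" from "specific sites are blocked" is my own assumption about how to tell the two apart.

```python
"""Triage check for the Kido/Conficker DNS-blocking symptom (added example)."""
import socket
from typing import Callable, Dict, Iterable, Tuple

# Constructed list based on the vendor names the post mentions; adjust freely.
AV_DOMAINS = [
    "www.kaspersky.com", "www.avira.com", "www.avast.com", "www.eset.com",
    "www.f-secure.com", "www.pandasecurity.com", "www.drweb.com",
    "update.microsoft.com",
]
# A domain the worm has no reason to block (assumption): if even this fails,
# the host simply has no working DNS and the result says nothing about the worm.
CONTROL_DOMAIN = "www.example.com"

Resolver = Callable[[str], str]


def resolve_all(domains: Iterable[str], resolver: Resolver = socket.gethostbyname) -> Dict[str, bool]:
    """Map each domain to True if it resolves, False if the lookup fails."""
    results: Dict[str, bool] = {}
    for name in domains:
        try:
            resolver(name)
            results[name] = True
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            results[name] = False
    return results


def assess(results: Dict[str, bool], control_ok: bool, min_failures: int = 3) -> str:
    """Classify: 'no-dns' (everything fails), 'suspicious' (vendor sites fail
    while the control resolves) or 'clean'."""
    if not control_ok:
        return "no-dns"
    failures = sum(1 for ok in results.values() if not ok)
    return "suspicious" if failures >= min_failures else "clean"


def run_check(resolver: Resolver = socket.gethostbyname, min_failures: int = 3) -> Tuple[str, Dict[str, bool]]:
    """Run the full check; the resolver is injectable so it can be tested offline."""
    control_ok = resolve_all([CONTROL_DOMAIN], resolver)[CONTROL_DOMAIN]
    results = resolve_all(AV_DOMAINS, resolver)
    return assess(results, control_ok, min_failures), results


if __name__ == "__main__":
    verdict, details = run_check()
    for name, ok in details.items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
    print("verdict:", verdict)
```

A "suspicious" verdict on a host whose neighbours resolve the same names normally is a strong hint to pull the machine off the network and run the removal tool described below; a "no-dns" verdict points at a general connectivity problem instead.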
Description of the Net-Worm.Win32.Kido family

1. It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (and sometimes on public network shares).

2. It stores itself in the system as a DLL file with a random name, for example c:\windows\system32\zorizr.dll.

3. It registers itself as a system service with a random name, for example knqdgsm.

4. It tries to attack other computers on the network over TCP port 445 or 139, using the MS Windows vulnerability MS08-067.

5. It tries to connect to the following sites in order to learn the external IP address of the infected computer (we recommend configuring a rule in the network firewall to log connection attempts to these sites):

http://www.getmyip.org




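The first indicator above can be checked on a suspect USB stick without running anything from it. The script below is an added example, not from the post or from Kaspersky: it builds a constructed, harmless fixture that mimics the described layout and then scans it. The exact SID shape of the RECYCLED subfolder and the idea that autorun.inf points at the .vmx file are my assumptions; the post only gives the path pattern.

```python
"""Scan a removable-drive root for the Kido/Conficker file artifacts the post lists
(added example; the fixture it builds is harmless and constructed)."""
import re
import tempfile
from pathlib import Path
from typing import List

# The post names RECYCLED\{SID<....>}\RANDOM_NAME.vmx; the exact SID shape
# ("{S-1-5-...}") used here is an assumption.
SID_DIR_RE = re.compile(r"^\{S-1-5-[0-9-]+\}$", re.IGNORECASE)
# Assumption: an autorun.inf that launches a file under RECYCLED\{SID}\*.vmx.
AUTORUN_REF_RE = re.compile(r"recycled\\\{s-1-5-[0-9-]+\}\\[^\s\\]+\.vmx", re.IGNORECASE)


def find_kido_artifacts(drive_root: str) -> List[str]:
    """Return human-readable findings for the indicators present under drive_root."""
    root = Path(drive_root)
    findings: List[str] = []

    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings.append(f"autorun.inf present: {autorun}")
        # latin-1 never raises on arbitrary bytes, so junk in the file cannot abort the scan
        text = autorun.read_bytes().decode("latin-1")
        if AUTORUN_REF_RE.search(text):
            findings.append("autorun.inf references a RECYCLED\\{SID}\\*.vmx file")

    recycled = root / "RECYCLED"
    if recycled.is_dir():
        for sid_dir in recycled.iterdir():
            if not (sid_dir.is_dir() and SID_DIR_RE.match(sid_dir.name)):
                continue
            for f in sid_dir.iterdir():
                if f.is_file() and f.suffix.lower() == ".vmx":
                    findings.append(f"hidden payload candidate: {f}")
    return findings


def build_sample_drive() -> str:
    """Create a constructed fixture that mimics the described layout (no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="kido_demo_"))
    sid = "{S-1-5-21-111111111-222222222-333333333-1001}"  # constructed SID
    payload_dir = root / "RECYCLED" / sid
    payload_dir.mkdir(parents=True)
    (payload_dir / "qwtzlk.vmx").write_bytes(b"placeholder, not a payload")
    (root / "autorun.inf").write_text(
        "[autorun]\r\n"
        f"shellexecute=rundll32.exe .\\RECYCLED\\{sid}\\qwtzlk.vmx,entry\r\n"  # constructed
    )
    return str(root)


if __name__ == "__main__":
    for finding in find_kido_artifacts(build_sample_drive()):
        print(finding)
```

Point find_kido_artifacts at the root of a mounted drive (for example "E:\\" on Windows) to use it for real; a RECYCLED folder alone is normal on FAT media, which is why the scan only reports the SID-named subfolder with a .vmx file inside it.
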
Symptoms of network infection

1. Network traffic volume increases when there are infected PCs in the network, because the network attack is launched from these PCs.

2. An anti-virus product with the Intrusion Detection System enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit.

3. It is impossible to access the websites of the majority of anti-virus companies, e.g. Avira, Avast, eSafe, Dr.Web, ESET, NOD32, F-Secure, Panda, Kaspersky, etc.

4. An attempt to activate Anti-Virus on a computer infected with the Net-Worm.Win32.Kido network worm may result in abnormal termination with one of the following errors:

Activation procedure completed with system error
Activation error: Server name cannot be resolved
Activation error. Unable to connect to server
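
Symptoms 1 and 2 show up in perimeter or host firewall logs as a single source opening connections to TCP 445/139 on many different hosts in a short time, which is the opposite of normal file-sharing traffic (many clients talking to a few servers). The script below is an added example, not from the post; its log lines are constructed and modelled loosely on the Windows Firewall log layout, and the threshold of five distinct targets is an arbitrary starting point.

```python
"""Find hosts spraying TCP 445/139 (the MS08-067 attack traffic the post describes)
in a firewall log. Added example; SAMPLE_LOG is constructed, not a real capture."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

WORM_PORTS = {"445", "139"}

# Constructed sample, loosely following the Windows Firewall log field order:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2010-05-08 10:15:01 DROP TCP 192.168.1.23 192.168.1.57 1043 445
2010-05-08 10:15:01 DROP TCP 192.168.1.23 192.168.1.58 1044 445
2010-05-08 10:15:01 DROP TCP 192.168.1.23 192.168.1.59 1045 445
2010-05-08 10:15:02 DROP TCP 192.168.1.23 192.168.1.60 1046 139
2010-05-08 10:15:02 DROP TCP 192.168.1.23 192.168.1.61 1047 445
2010-05-08 10:15:03 OPEN TCP 192.168.1.10 192.168.1.5 2011 445
2010-05-08 10:15:04 OPEN TCP 192.168.1.11 192.168.1.5 2012 139
2010-05-08 10:15:05 OPEN TCP 192.168.1.10 192.168.1.5 2013 80
2010-05-08 10:15:06 OPEN UDP 192.168.1.12 192.168.1.1 5353 53
"""


def smb_targets_by_source(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """For every source IP, collect the distinct destinations it hit on TCP 445/139."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed line; ignore rather than crash
        proto, src, dst, dport = fields[3], fields[4], fields[5], fields[7]
        if proto == "TCP" and dport in WORM_PORTS:
            targets[src].add(dst)
    return targets


def find_spraying_hosts(lines: Iterable[str], min_distinct_targets: int = 5) -> List[str]:
    """Sources that touched at least min_distinct_targets different hosts on 445/139.
    Ordinary clients hit one or two file servers; a worm walks the whole subnet."""
    targets = smb_targets_by_source(lines)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_distinct_targets)


if __name__ == "__main__":
    for host in find_spraying_hosts(SAMPLE_LOG.splitlines()):
        print("likely infected:", host)
```

Counting distinct destinations rather than raw connection attempts keeps a busy but legitimate client (many connections to one file server) from being flagged; tune the threshold to the size of the subnet being watched.
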

Kaspersky Lab has released the KidoKiller tool (KK.exe) to remove this infection.

You can download this tool from this link.

Methods of disinfection

MS Windows 95/MS Windows 98/MS Windows ME operating systems cannot be infected with this network worm.

To prevent all workstations and file servers from being infected with the worm, you are recommended to do the following:

1. Install the Microsoft patches that cover the vulnerabilities MS08-067, MS08-068 and MS09-001 (on these pages you will have to select the operating system installed on the infected PC, then download and install the corresponding patch).

2. Make sure the password of the local administrator account is not obvious and cannot be guessed easily: the password should be at least 6 characters long and use a mixture of uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks.

3. Disable autorun of executable files from removable drives by launching the file kk.exe with the -a switch:
For Windows XP/Server OS: Start - Run - type kk.exe -a - click OK
For Windows Vista OS: Start - All Programs - Accessories - Run - type kk.exe -a - click OK

4. Block access to TCP ports 445 and 139 on the firewall. You need to block these ports only while you perform the disinfection; as soon as the entire network has been disinfected, you can unblock the ports again.

Running the utility from the command line

To open the command line:
Windows Vista: Start > All Programs > Accessories > Command Prompt > type in cmd and press Enter
Windows XP/Server: Start > Run > type in cmd and press Enter

To start the KidoKiller utility:
Save the file kk.exe to disk C, for example.
You have to specify the location of the file kk.exe in order to start it. For example, if you have saved the utility to disk C, type the command C:\KK.exe and press Enter.
Type KK.exe -help to view the command line switches.
