The tool is designed to treat a computer worm infected network Net-Worm.Win32.Kido (information from the website program)
Symptoms of the infection in the network
# If there zarazhnnyh computers in the local network increases the amount of network traffic, as with these computer network attack starts.
# Antivirus applications with an active firewall reports about the attack Intrusion.Win.NETAPI.buffer-ov erflow.exploit.
# It is impossible to access websites of the majority of antivirus companies, for example, avira, avast, esafe, drweb, eset, nod32, f-secure, panda, kaspersky, etc.
# An attempt to activate Kaspersky Anti-Virus or Kaspersky Internet Security with an activation code at a computer infected network worm Net-Worm.Win32.Kido, may fail and either of the errors: Activation error. Activation procedure completed with system error 2; Activation error. Unable to connect to server; Activation error. Server name can not be resolved.
Brief description of the family of Net-Worm.Win32.Kido. </ P>
# Creates a removable media (sometimes on public network shares) files autorun.inf and RECYCLED {SID <....>} RANDO M_NAME.vmx
# The system is stored in the form of a worm dll-file with a random name composed of letters, for example c: windowssystem32zorizr.dll
# It registers itself in services - also with a random name composed of letters, for example knqdgsm.
# It tries to attack network computers via 445 or 139 TCP port, using a vulnerability in the operating system Windows MS08-067.
# Refer to the following sites (we recommend configuring a network firewall rule to monitor treatment to them):
http://www.getmyip.org,
http://getmyip.co.uk,
http://www.whatsmyipaddress.co m, http : //www.whatismyip.org,
http://checkip.dyndns.org
Methods for removing
Removing the worm is produced using a special utility kk.exe.
Warning! For the purpose of protection from infection at all workstations and servers in the network is necessary to hold the next set of measures:
# Install the patch that covers the vulnerability MS08-067 (
http://www.microsoft.com/tech net / security / bulletin / MS08-067 .mspx), MS08-068 (
http://www.microsoft.com/tech net / security / bulletin / ms08-068 .mspx), MS09-001 (
http://www.microsoft.com/tech net / security / bulletin / ms09-001 .mspx).
# Make sure that the password is the local administrator account is resistant to cracking - The password must contain at least six characters, with different registers and / or numbers. Either change the previously set the local administrator password.
# Disable autorun of executable files from removable media.
# Block access to TCP-ports 445 and 139 using a network screen.
Removing the worm kk.exe utility can be run locally on the infected computer or centrally, if the network is deployed set of Kaspersky Administration Kit.