Overview of sample Net-Worm.Win32.Kido.ih

Classified as extremely toxic Net-Worms, they have a strong spread attribute through computer networks, their most distinguishing feature is self-replication and spread without the need for user impact . In particular, the worm regularly searches for security holes in system software that runs on connected computers or the Internet, through which they can easily spread and spread to computers. calculated through pre-prepared special packets (collectively referred to as exploits), and the result is that the malicious code of one part or all of this "worm" will enter the victim's computer and automatically Activate their operating modes. Sometimes, these back and forth packets only contain a certain part of the worm, and these pieces of code are responsible for downloading and executing their remaining modules in a different way. On the other hand, some types of worms that spread and spread through networks tend to spread simultaneously, to speed up the replication that they have previously infiltrated into the victim's computer.

According to information from Kaspersky Lab, this sample appeared on February 20, 2009 at 07:04 GMT, officially launched and spread on August 20, 2009 at 19:33 GMT and was discovered at the same time. August 20, 2009 at 14:52 GMT.

Describe technical details

This worm is mainly spread through local network and external storage devices such as USB, portable hard drive . itself is based on Windows PE DLL file system, the general capacity fluctuates within 155KB to 165KB and packed by UPX method.

When installed, they will back up the executable files to the system with random names as follows:

 % System% dir.dll 
 % Program Files% Internet Explorer.dll 
 % Program Files% Movie Maker.dll 
 % All Users Application Data% .dll 
 % Temp% .dll 
 % System% tmp 
 % Temp% .tmp 

In it are random strings. Next, to ensure that these executable files are activated the next time the system boots, they continue to create Windows startup services and point the links to the above * .exe files. The following registry key is created in this step:

 [HKLMSYSTEMCurrentControlSetServicesnetsvcs] 

At the same time, they will change the value of the following registry key:

 [HKLMSOFTWAREMicrosoftWindows NTCurrentVersionSvcHost] 
 "netsvcs" = "% System% .dll" 

Cloning process

To begin this process, they will 'create' an HTTP server system on any TCP port, then use this port to download the remaining executables to other computers on the same network. . They will acquire the IP addresses of computers in the same network layer as other infected computers, and perform attacks through the MS08-067 vulnerability of the Server service. Specifically, they will send RPC - prepared packets to the controlled computers. This process will cause memory overflow, and a data area will be corrupted when the wcscpy_s functions are invoked in netapi32.dll, and will continue to download the executable files of the worm to the victim's computer. Multiply, and automatically activate them. And this process will continue on the next infected computer.

To exploit the vulnerabilities in the software mentioned above, this worm will find ways to connect to the Administrator account on the controlled computer, and they will use the following passwords to apply. into that account:

99999999
9999999
999999
99999
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111

explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
tạm thời
ihavenopass
nothing
nopassword
nopass
Internet
Internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1

9999
999
99
9
11
first
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
twelfth
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
không rõ
anything
letitbe
letmein
domain
access
money

campus
default
foobar
foofoo
temptemp
temp
testtest
kiểm TRA
rootroot
root
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123

Spread through mobile storage devices

When executing the spread through these devices, they will duplicate themselves under the following names:

 : RECYCLERS - <% d%> - <% d%> -% d%> -% d%> -% d%> -% d%>. Vmx, 

And at the same time, create the following * .inf file on all devices:

 : autorun.inf 

Whenever the system's Explorer process performs access to the storage device, they are automatically activated and spread.

Learn about Payload method

On the other hand, each time they operate, they will automatically insert the code into the spaces in the system address - svchost.exe is being activated. And this code will provide their main payload function, at the same time:

- Turn off the following services: wuauserv, BITS

- Preventing, blocking access to addresses containing any of the strings listed below:

indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

At the same time, they can also download more files from the following paths:

 http://// search? q = <% rnd2%> 

Where rnd2 is random numbers, and this URL is generated by special algorithms related to the system date and time. In fact, they get information about system time through 1 of the following pages:

1. http://www.w3.org
2. http://www.ask.com
3. http://www.msn.com
4. http://www.yahoo.com
5. http://www.google.com
6. http://www.baidu.com

These files are downloaded and saved in the Windows system directory under their original names.

Ways to remove

If the victim's computer is not updated with the full antivirus program (or worse, there is no security application at all), people should think about using a separate support tool or method. Following craft:

- Find and delete the following registry key:

 [HKLMSYSTEMCurrentControlSetServicesnetsvcs] 

- Continue to find and delete the % System% .dll value string in the following key:

 [HKLMSOFTWAREMicrosoftWindows NTCurrentVersionSvcHost] 
 "netsvcs" 

- Restart the computer

- Delete their original file, depending on the severity of infection or light, the number and location of their spreads are also different

- Also delete their copies at the following directories:

 % System% dir.dll 
 % Program Files% Internet Explorer.dll 
 % Program Files% Movie Maker.dll 
 % All Users Application Data% .dll 
 % Temp% .dll 
 % System% tmp 
 % Temp% .tmp 

In it is a random string.

- Delete files created in storage devices, for example:

 : autorun.inf 
 : RECYCLERS - <% d%> - <% d%> -% d%> -% d%> -% d%> -% d%>. Vmx, 

- Update patches for the operating system in use.

- Always fully update the virus identification database for the security program in use, and also perform periodic system scanning cycles.

- Only use reputable security programs and clear origin, you can learn and refer here.