With Knowledge, We Can Do Anything Easily


Detected Nov 02 2009 05:35 GMT

Released Nov 02 2009 10:31 GMT

Published Dec 14 2009 12:35 GMT

Technical Details

The kido worm family creates files autorun.inf and RECYCLED\{SID<….>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares)

Net-Worm.Win32.kido.ir is a windows startup script (AUTORUN.INF file). The size of the file is between 59,284 to 95,034 bytes. Not packed.


When an infected removable storage media is connected to an autorun enabled computer, this script starts the kido worm.

The content of the autorun script is obfuscated with a ransom set of characters.

Once unobfuscated, the autorun script looks like this:

[AUTorUN] AcTION = Open folder to view files icon =%
syStEmrOot% \ sySTEM32 \
sHELL32.Dll, 4 OpEn = RunDll32.EXE. \ RECYCLER \ S-5-3-42-
879315005-3665 \ jwgkvsq. vmx, ahaezedrn sHEllExECUTe =
S-5-3-42-2819952290-8240758988-879315005-3665 \
jwgkvsq.vmx, ahaezedrn useAuTopLAY = 1

We learn from this script that the original worm dll is located in the following folder on the removable media:

. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-
3665 \ jwgkvsq.vmx

The autorun script displays the following sentence “Open folder to view files” on an english Windows.

Removal instructions

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here or follow the instructions below:

  1. Delete the files shown below from all removable storage media:
  2. Download and install updates for the operating system:
  3. Disable Autorun on the computer.
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

(Dikutip dari http://www.securelist.com/en/descriptions/12524577/Net-Worm.Win32.Kido.ir#doc2 tanpa terjemahan)

%d bloggers like this: