Kido (aka Conficker, Downadup) FAQ

What is Kido?

Kido (aka Conficker or Downadup) was first detected in November 2008 as a worm which spreads across local networks and removable storage media. The latest generation of Kido is unable to spread by itself, but like earlier variants, it can update itself by downloading additional code.

Kido has created a powerful botnet of infected machines. It was programmed to update itself on 1st April 2009, and the latest generation of this program is designed to generate 50,000 domain names according to a random algorithm, and then choose 500 of these domains which it can potentially contact to update itself. Kido uses very sophisticated technology. It downloads updates from constantly changing online resources; uses P2P networks as an additional source of downloads; uses strong encryption to prevent interference with its command and control center; and prevents antivirus products from receiving updates.

It remains unclear why the Kido botnet has been created, and how it may be used in the future.

Why is Kido a threat?

The huge botnet formed by computers infected by Kido potentially provides cybercriminals with the means to conduct mass DDoS attacks on any Internet resource, to steal confidential data from infected computers and to distribute unsolicited content (e.g. mass spam mailings). It is believed that around five to six million computers around the world are infected by Kido.

Kido initially spread via local networks and removable storage devices. Specifically, it exploited the critical MS08-067 vulnerability patched by Microsoft back in October 2008. However, it’s believed that a significant number of PCs had not been patched by January 2009 when the spread of Kido reached a peak.

More detailed information on how Kido penetrates computers can be found here:

How can I prevent a Kido infection?

Kaspersky Lab products can protect systems from infection by all variants of Kido. Ensure you have enabled automatic product update (enabled by default) and conduct a full system scan. Although Kaspersky Internet Security protects unpatched computers from infection, you should still check that you have installed all the latest Windows security updates (especially MS08-067).

How do I know if my PC is infected?

If there are any infected computers on your LAN, the volume of network traffic will increase due to a network attack conducted by infected computers. Antivirus applications with an enabled firewall will report an Intrusion.Win.NETAPI.buffer-overflow.exploit attack.

If you suspect that your computer is infected, try to open your browser and navigate to your favorite search engine. If the page opens, try to open www.kaspersky.com or www.microsoft.com – if the page does not open, then the site has probably been blocked by a malicious program. The full list of resources blocked by Kido can be found here.
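The manual check above can be scripted. The following is an added example, not part of the original FAQ or any Kaspersky Lab tool: it probes a control group of ordinary sites and the security sites named above, and separates a general network outage from the selective blocking described. The control hosts (standing in for "your favorite search engine"), the use of TCP port 443 and the verdict names are assumptions.

```python
import socket

# Assumed host lists: the FAQ names www.kaspersky.com and www.microsoft.com;
# the control hosts stand in for "your favorite search engine".
CONTROL_HOSTS = ["www.google.com", "www.bing.com"]
SECURITY_HOSTS = ["www.kaspersky.com", "www.microsoft.com"]


def tcp_probe(host, port=443, timeout=5.0):
    """Return True if the name resolves and a TCP connection succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal and timeout
        return False


def check_selective_blocking(probe=tcp_probe, control=CONTROL_HOSTS,
                             security=SECURITY_HOSTS):
    """Classify the host by which groups of sites are reachable."""
    control_ok = [h for h in control if probe(h)]
    blocked = [h for h in security if not probe(h)]
    if not control_ok:
        # No ordinary site is reachable: a general outage, which says
        # nothing about selective blocking.
        verdict = "inconclusive"
    elif blocked:
        # Ordinary sites load but security sites do not: the symptom
        # the FAQ describes.
        verdict = "suspicious"
    else:
        verdict = "no-symptom"
    return {"verdict": verdict, "control_reachable": control_ok,
            "security_blocked": blocked}


if __name__ == "__main__":
    result = check_selective_blocking()
    print(result["verdict"])
    for host in result["security_blocked"]:
        print("unreachable:", host)
```

A "no-symptom" result only shows that this one symptom is absent; it does not replace a full system scan.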

I am a LAN administrator. How can I contain and disinfect a Kido infection?

You can remove Kido with the help of a dedicated utility, KK.exe. To prevent workstations and network servers from becoming infected you should:

  • Install patches for the MS08-067, MS08-068 and MS09-001 vulnerabilities.
  • Make sure you have a strong administrator password – it should have a minimum of six characters, including upper case, lower case, numbers and non-alphanumeric characters.
  • Disable autorun for all removable media.
  • Disable Task Scheduler.

If you are using KK.exe to remove Kido, you should run this application manually on all infected PCs.

How can I remove Kido if I am a home user?

Download the latest version of the removal tool (in the 'To remove the virus locally' section) and unpack it to a separate folder on the infected PC. Run KK.exe. When the scan is finished, a command line window may still be open; simply press any key to close it.

If you are running KK.exe on a computer which has Agnitum Outpost Firewall installed, you should reboot the computer once the KK.exe utility has finished running.

Recommendations for removing Kido are also available on the Kaspersky Lab technical support site.

  04.01.2009