server infected with win32.kido.if worm


  • server infected with win32.kido.if worm

    Hello,

    The win32.kido.if worm has entered my Windows Server 2003 SP2 server, which is running Exchange 2003.

    How can I remove the above virus?

    I tried the methods found by Googling, like editing the registry, but no use.

    The problem is I am not able to ping my server.
    The worm is enabling the Windows firewall.

    Any quick help please?

    I also tried running Microsoft's Malicious Software Removal Tool for this worm, no use.. Please help!! My mail server has been down for the last 4 hours due to the virus.

    Regards,
    Amey.
    All in 1
    Solaris,Linux & Windows admin + networking.

  • #2
    Re: server infected with win32.kido.if worm

    A quick response first of all. Make sure you have disconnected it from the network.



    • #3
      Re: server infected with win32.kido.if worm

      Have you tried running this?

      http://www.softpedia.com/progDownloa...ad-119395.html



      • #4
        Re: server infected with win32.kido.if worm

        Originally posted by Virtual View Post
        A quick response first of all. Make sure you have disconnected it from the network.
        Yes, done.... No, I haven't tried that tool... So far a scan is in process with Spyware Doctor; I will use that small tool once Spyware Doctor finishes scanning.

        I am in Safe Mode.

        Thanks for the quick reply again ...
        All in 1
        Solaris,Linux & Windows admin + networking.



        • #5
          Re: server infected with win32.kido.if worm

          Update: I tried that tool; it found no infection. I am not able to see the LAN connection. However, after adding 2 MS updates I am getting a ping response. The MTA Stacks service is not able to start.
          All in 1
          Solaris,Linux & Windows admin + networking.



          • #6
            Re: server infected with win32.kido.if worm

            The real question is not how to remove this worm/virus but to what extent the damage has been done.
            You might be lucky if it hasn't already been infected with any rootkits, in which case you'll need to use a scanner for that as well. I'd just do it anyway. (http://technet.microsoft.com/en-gb/s.../bb897445.aspx)
            I would make sure you use a decent AV and its definitions are fully up to date.
            Then do a full virus scan, RK scan, anti-spyware and what have you.
            Once all done and clear, make sure the server is fully patched.

            Ta
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR



            • #7
              Re: server infected with win32.kido.if worm

              I'd be asking how the virus got on the server in the first place.

              IMO you remove all important data from the machine and rebuild.



              • #8
                Re: server infected with win32.kido.if worm

                Originally posted by wullieb1 View Post
                I'd be asking how the virus got on the server in the first place.

                IMO you remove all important data from the machine and rebuild.
                The win32.kido variant is a pure network virus, I believe, after experiencing the disaster.
                There are about 200 workstations and I can't say how and from when the virus came in. Kaspersky fixed it on all workstations and on the server, but on this server it didn't.

                That damn worm also damaged my AD. Several users reported an "account lockout" problem. Yes, it was an infection due to that virus. I read it in an article yesterday while troubleshooting.

                The problem is now solved. The steps I took are as follows:

                - I downloaded Symantec's win32 virus remover kit; it found nothing, but I got 1 good MS update.
                - The update number I can't remember.
                - I booted my server in Safe Mode.
                - Disabled all Exchange services.
                - Performed a clean of temp files, applied that MS update.
                - It worked. I was able to see the Local Area Connection icon in the task bar and everything was going smoothly; however, the presence of the virus is still there in my network.
                - Enabled all Exchange services 1 by 1 once the server booted into normal mode.
                - I used Wireshark to see the flow of *some extra* UDP packets across my network.

                Now everything is fine.
                Users who are reading this thread may keep an eye on that virus. It's a bad network worm/variant.

                Thanks to all for the quick suggestions.

                Regards,
                Amey.
                Last edited by sco1984; 3rd March 2009, 09:48.
                All in 1
                Solaris,Linux & Windows admin + networking.
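The last step above, spotting "some extra" UDP packets in Wireshark by eye, is the part a practitioner would want to make repeatable across 200 workstations. The following is an added example and is not code from this thread or from any poster: a Python triage script that reads a tab-separated tshark field export (the sample embedded below is constructed; the hosts 10.0.0.x, the port 5000 and the packet volumes are made up) and flags sources that send UDP to many distinct hosts, or far more UDP than their peers. The tshark invocation in the comment is the assumed way to produce that column layout from a saved capture.

```python
"""Triage of a tshark field export for hosts emitting unusual UDP traffic.

Added example for the thread above, not code from any poster. The input is
constructed here in the shape of a tab-separated export such as:

    tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src \
           -e ip.dst -e ip.proto -e udp.dstport

where ip.proto is 17 for UDP and 6 for TCP.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: three quiet hosts doing DNS and SMTP, and one host
# (10.0.0.50) spraying UDP at eight neighbours. Addresses and the destination
# port 5000 are invented for illustration only.
SAMPLE_EXPORT = """\
0.000\t10.0.0.11\t10.0.0.1\t17\t53
0.012\t10.0.0.12\t10.0.0.1\t17\t53
0.030\t10.0.0.13\t10.0.0.5\t6\t
0.031\t10.0.0.13\t10.0.0.5\t6\t
0.045\t10.0.0.13\t10.0.0.1\t17\t53
0.100\t10.0.0.50\t10.0.0.20\t17\t5000
0.101\t10.0.0.50\t10.0.0.21\t17\t5000
0.102\t10.0.0.50\t10.0.0.22\t17\t5000
0.103\t10.0.0.50\t10.0.0.23\t17\t5000
0.104\t10.0.0.50\t10.0.0.24\t17\t5000
0.105\t10.0.0.50\t10.0.0.25\t17\t5000
0.106\t10.0.0.50\t10.0.0.26\t17\t5000
0.107\t10.0.0.50\t10.0.0.27\t17\t5000
0.200\t10.0.0.50\t10.0.0.20\t17\t5000
0.201\t10.0.0.50\t10.0.0.21\t17\t5000
0.202\t10.0.0.50\t10.0.0.22\t17\t5000
0.203\t10.0.0.50\t10.0.0.23\t17\t5000
0.300\t10.0.0.11\t10.0.0.1\t17\t53
0.310\t10.0.0.12\t10.0.0.1\t17\t53
"""


def parse_export(text):
    """Turn tab-separated export rows into dicts, skipping blank or short rows."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4 or not fields[1]:
            continue  # blank line or a frame without an IP source
        records.append({
            "time": float(fields[0]),
            "src": fields[1],
            "dst": fields[2],
            "proto": fields[3],
            "dport": fields[4] if len(fields) > 4 else "",
        })
    return records


def udp_stats(records):
    """Per source host: UDP packet count, distinct destinations, destination ports."""
    stats = defaultdict(lambda: {"packets": 0, "destinations": set(), "ports": set()})
    for r in records:
        if r["proto"] != "17":
            continue  # only UDP is of interest here
        s = stats[r["src"]]
        s["packets"] += 1
        s["destinations"].add(r["dst"])
        if r["dport"]:
            s["ports"].add(r["dport"])
    return dict(stats)


def flag_sources(stats, min_packets=5, min_fanout=4, ratio=3.0):
    """Return (source, udp_packets, distinct_destinations) tuples worth a look.

    A source is flagged when it sent at least min_packets UDP packets and
    either reached min_fanout or more distinct hosts (scanning-style fan-out)
    or sent more than ratio times the median UDP volume of every other source.
    """
    flagged = []
    for src, s in stats.items():
        if s["packets"] < min_packets:
            continue
        others = [o["packets"] for k, o in stats.items() if k != src]
        baseline = median(others) if others else 0
        if len(s["destinations"]) >= min_fanout or s["packets"] > ratio * baseline:
            flagged.append((src, s["packets"], len(s["destinations"])))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


def triage(text, **thresholds):
    """Convenience wrapper: export text in, flagged sources out."""
    return flag_sources(udp_stats(parse_export(text)), **thresholds)


if __name__ == "__main__":
    for src, packets, fanout in triage(SAMPLE_EXPORT):
        print(f"{src}: {packets} UDP packets to {fanout} distinct hosts")
```

On a real capture, feed `tshark -r capture.pcap -T fields ...` output to `triage()` and tune `min_packets` and `ratio` to the normal UDP chatter of the segment (DNS and NetBIOS name traffic will otherwise dominate the median); the fan-out test is the one that usually separates a spreading host from a busy but legitimate one.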



                • #9
                  Re: server infected with win32.kido.if worm

                  Thanks for the update. Glad your server was not badly affected (or not at all), as the case may be. Worms generally always spread using the network. You still need to make sure you monitor your network and other PCs and reimage them as appropriate. Some worms don't really cause any damage but may leave something behind to be used for a botnet, may never do anything, were written purely because the designer could do it, or may cause even more damage.

                  I would recommend using MBSA to ensure all computers are fully patched. Make sure all virus definitions are up to date, and make sure your AV has, or you install alongside it, a form of anti-spyware. Also, make sure there is a host firewall activated.
