Malware Wiki

Kido (Family)


Net-Worm.Win32.Kido or Kido is a network worm on Microsoft Windows that attempts to breach network accounts.

Kido.ih

Net-Worm.Win32.Kido.ih or Kido.ih is the first variant in this family. It spreads through network connections and removable devices.

Installation

The worm generates a random string of characters and creates files with that name; the string is represented in the list below as <rnd>.

%System%\<rnd>
%Program Files%\Internet Explorer\<rnd>.dll 
%Program Files%\Movie Maker\<rnd>.dll 
%All Users Application Data%\<rnd>.dll 
%Temp%\<rnd>.dll 
%Temp%\<rnd>.tmp

After that, it will create the following registry key to ensure it is started on system bootup.

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll"

Distribution

The worm starts an HTTP server on a random TCP port, which is used to deliver the worm to other computers. The worm then receives a list of IP addresses of computers on the same network as the victim machine and attacks them using the MS08-067 buffer overflow vulnerability in the Server service.

When netapi32.dll executes the wcscpy_s function, a buffer overflow occurs that allows the malicious code to run on the target machine. The worm then attempts to brute-force the administrator account using the passwords below:

99999999
9999999
999999
99999
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
9999
999
99
9
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
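An added example, not from the wiki: a Python denylist check that matches candidate passwords against the dictionary above, for vetting a password policy. It embeds only a constructed subset of the word entries (the full list can be loaded into KIDO_WORDS), generates the digit runs and sequences for every length (slightly more than the exact list), and applies the list's word+suffix and doubled-word forms.

```python
# Constructed subset of the word entries from the list above; the full list
# can be loaded into this set.
KIDO_WORDS = {
    "admin", "administrator", "nimda", "password", "passwd", "pass", "login",
    "letmein", "changeme", "nopass", "nopassword", "ihavenopass", "secret",
    "qwerty", "qweasd", "qazwsx", "zxcvbn", "asdfgh", "a1b2c3", "1q2w3e",
    "root", "test", "temp", "server", "computer", "backup", "default", "foobar",
}
SUFFIXES = ("1", "12", "123")  # pass1, pass12, pass123, admin123, password123 ...

def numeric_patterns():
    """Digit-only entries: one digit repeated 1..8 times, and the ascending and
    descending runs 12 ... 1234567890 / 21 ... 0987654321. This generalises the
    list above, which contains most but not every length of each run."""
    asc = "1234567890"
    pats = {d * n for d in "0123456789" for n in range(1, 9)}
    pats |= {asc[:n] for n in range(2, 11)}
    pats |= {asc[::-1][-n:] for n in range(2, 11)}
    return pats

NUMERIC = numeric_patterns()

def is_kido_password(pw):
    """True if pw, compared case-insensitively, is a Kido dictionary entry,
    a word with a 1/12/123 suffix, a doubled word (rootroot), a digit run or
    sequence, or a single character repeated (zzzzz, xxx, aaaa)."""
    p = pw.lower()
    if not p:
        return False
    if p in NUMERIC or p == p[0] * len(p):
        return True
    for word in KIDO_WORDS:
        if p == word or p == word + word or any(p == word + s for s in SUFFIXES):
            return True
    return False

def audit(candidates):
    """Return the candidates the worm's dictionary would hit, so a password
    policy or denylist can be checked against this list."""
    return [c for c in candidates if is_kido_password(c)]
```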

Spreading Routine

The worm looks for connected removable devices (labelled here as <USB>) and drops its file onto the device at the following path:

<USB>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx

It also adds entries to autorun.inf so that the worm runs whenever the removable device is plugged into a system. However, if the autorun.inf file is edited or deleted, the worm cannot spread this way.

Payload

The worm injects its own code into one of the running svchost.exe processes. It then does the following:

  • Disables the following services:
wuauserv
BITS
  • Blocks access to any address containing the following strings:
indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
  • Downloads files from the following URL:
http://<URL>/search?q=<%rnd2%>
  • Retrieves the date and time from the following addresses, using its own algorithm:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Kido.ir

Net-Worm.Win32.Kido.ir or Kido.ir is a virus that spreads through removable devices.

Once a removable device is plugged into the infected system, the worm writes the following content into the device's autorun.inf file (the mixed case is part of the worm's obfuscation):

[AUTorUN]
AcTION = Open folder to view files
icon =% syStEmrOot% \ sySTEM32 \ sHELL32.Dll, 4
OpEn = RunDll32.EXE. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-3665 \ jwgkvsq. vmx, ahaezedrn
sHEllExECUTe = RUNdLl32.ExE. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-3665 \ jwgkvsq.vmx, ahaezedrn
useAuTopLAY = 1

When the autorun.inf file is processed, the following text is shown on screen as the action label, mimicking the standard Explorer entry:

Open folder to view files
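An added example, not the wiki's own code: a Python check that parses an autorun.inf, normalising the case and spacing tricks shown above, and reports the directives that mark this infection. The sample file is constructed from the listing above.

```python
import re

# Constructed sample: the obfuscated autorun.inf shown above, with the case
# mangling and stray spaces the worm inserts (typed here, not a real capture).
SAMPLE_AUTORUN = r"""[AUTorUN]
AcTION = Open folder to view files
icon =% syStEmrOot% \ sySTEM32 \ sHELL32.Dll, 4
OpEn = RunDll32.EXE. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-3665 \ jwgkvsq. vmx, ahaezedrn
sHEllExECUTe = RUNdLl32.ExE. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-3665 \ jwgkvsq.vmx, ahaezedrn
useAuTopLAY = 1
"""

def parse_autorun(text):
    r"""Parse an INI-style autorun.inf into {section: {key: value}}. Section
    names, keys and values are lower-cased and whitespace around '\' and '.'
    is dropped, so the path can be matched however it is spaced out."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            value = re.sub(r"\s*([\\.])\s*", r"\1", value.strip())
            sections[current][key.strip().lower()] = value.lower()
    return sections

def autorun_findings(text):
    """Return the Kido-style indicators present in an autorun.inf (empty = none)."""
    cfg = parse_autorun(text).get("autorun", {})
    findings = []
    if cfg.get("useautoplay") == "1":
        findings.append("useautoplay=1 forces AutoPlay")
    if cfg.get("action", "").startswith("open folder to view files"):
        findings.append("action mimics the default Explorer AutoPlay entry")
    for key in ("open", "shellexecute"):
        value = cfg.get(key, "")
        if "rundll32" in value:
            findings.append(f"{key} launches rundll32")
        if "\\recycler\\" in value:
            findings.append(f"{key} points into a RECYCLER folder")
        if ".vmx" in value:
            findings.append(f"{key} loads a .vmx file as a DLL")
    return findings
```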

Trojan-Downloader.Win32.Kido.a

This malicious program differs from the other members of the Kido family: it is not a network worm but a trojan downloader.

Behaviour

First, it generates a random string and copies itself using that string as the file name; the random string is represented here as <rnd>:

%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Windows Media Player\<rnd>.dll
%Program Files%\WindowsNT\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%SpecialFolder%\<rnd>.dll
%System%\<rnd>dir.dll
%Temp%\<rnd>.dll

It deletes the following registry keys, which disables Action Center, Safe Mode and other security features:

[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender]

To ensure it is run on startup, it modifies the following key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value><name of Trojan service>"

The service name displayed in Task Manager is assembled from words drawn from the following lists. The first list:

Policy
Discovery
Storage
Power
Logon
Machine
Browser
Management
Framework
Component
Trusted
Backup
Notify
Audit
Control
Hardware
Windows
Update
Universal
Task
Support
Shell
Security
Network
Monitor
Microsoft
Manager
Installer
Image
Helper
Driver
Config
Center
Boot

It also draws words from the list below:

Time
System
svc
Svc
srv
Srv
Service
Server
serv
prov
mon
mgmt
man
logon
auto
agent
access

It also includes words from this list:

xml
wuau
wsc
Wmi
Wmdm
win
W32
Trk
Tapi
Sec
Remote
Ras
Ntms
Net
Lanman
Ias
help
Event
Audio
App

The malware creates its own unique identifier.

Payload

If the trojan does not find the following directories on the system, it stops running; otherwise it continues:

Adobe
Agent
App
Assemblies
assembly
Boot
Build
Calendar
Collaboration
Common
Components
Cursors
Debug
Defender
Definitions
Digital
Distribution
Documents
Downloaded
en
Explorer
Files
Fonts
Gallery
Games
Globalization
Google
Help
IME
inf
Installer
Intel
Inter
Internet
Java
Journal
Kernel
L2S
Live
Logs
Mail
Maker
Media
Microsoft
Mobile
Modem
Movie
MS
msdownld
NET
New
Office
Offline
Options
Packages
Pages
Patch
Performance
Photo
PLA
Player
Policy
Prefetch
Profiles
Program
Publish
Reference
Registered
registration
Reports
Resources
schemas
Security
Service
Setup
Shell
Software
Speech
System
Tasks
Temp
tmp
tracing
twain
US
Video
Visual
Web
winsxs
Works
Zx

The trojan will then look for and terminate the following services:

Windows Automatic Update Service (wuauserv) 

Background Intelligent Transfer Service (BITS) 

Windows Security Center Service (wscsvc) 

Windows Defender Service (WinDefend, WinDefender) 
 
Windows Error Reporting Service (ERSvc) 

Windows Error Reporting Service (WerSvc)

It changes the Start value of these services to 4 (SERVICE_DISABLED), so they no longer start:

"Start" = "dword:0x00000004"

The trojan injects its own code into the following executables:

svchost.exe 

explorer.exe (if injection into svchost.exe is not successful) 

services.exe (for Windows 2000)
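An added example (not from the wiki or any vendor tool) covering the registry changes described under Behaviour and the service tampering above: a Python triage function that takes a snapshot of the relevant registry values (gathering them with reg query or the winreg module is left to the reader) and reports the indicators. The sample snapshot, including the service name jqkxbs and the file ahaez.dll, is constructed.

```python
import ntpath

# Services the page says are disabled by setting Start to 4 (SERVICE_DISABLED).
TARGETED_SERVICES = ("wuauserv", "BITS", "wscsvc", "WinDefend", "ERSvc", "WerSvc")
# Directory names the page lists as drop locations for the randomly named DLL.
DROP_DIRS = {"internet explorer", "movie maker", "windows media player", "windowsnt", "temp"}
# Keys the page says the trojan deletes (paths under HKLM).
DELETED_KEYS = (
    r"System\CurrentControlSet\Control\SafeBoot",
    r"Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
    r"Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender",
)

def triage(netsvcs, service_dlls, service_start, present_keys):
    r"""Check a registry snapshot for the persistence and tampering described
    above and return a list of findings.
      netsvcs       - the SvcHost\netsvcs multi-string, as a list of entries
      service_dlls  - {service name: Parameters\ServiceDll path}
      service_start - {service name: Start value}
      present_keys  - set of HKLM key paths that exist on the host"""
    findings = []
    for entry in netsvcs:
        # Kido.ih appends "%System%\<rnd>.dll" to netsvcs, so a path here is suspect
        if "\\" in entry or entry.lower().endswith(".dll"):
            findings.append(f"netsvcs contains a path instead of a service name: {entry}")
            continue
        dll = service_dlls.get(entry, "")
        if ntpath.basename(ntpath.dirname(dll)).lower() in DROP_DIRS:
            findings.append(f"service {entry} loads {dll} from a Kido drop directory")
    for svc in TARGETED_SERVICES:
        if service_start.get(svc) == 4:
            findings.append(f"{svc} has Start=4 (disabled)")
    present = {k.lower() for k in present_keys}
    for key in DELETED_KEYS:
        if key.lower() not in present:
            findings.append(f"HKLM\\{key} is missing")
    return findings

# Constructed snapshot (not from a real host): a random-named service "jqkxbs"
# with its DLL under Movie Maker, a DLL path pasted into netsvcs, two disabled
# services and one deleted key.
SAMPLE = dict(
    netsvcs=["AppMgmt", "BITS", "wuauserv", "jqkxbs", r"C:\WINDOWS\system32\ahaez.dll"],
    service_dlls={"BITS": r"%SystemRoot%\System32\qmgr.dll",
                  "jqkxbs": r"C:\Program Files\Movie Maker\jqkxbs.dll"},
    service_start={"wuauserv": 4, "BITS": 4, "wscsvc": 2, "WinDefend": 2},
    present_keys={r"System\CurrentControlSet\Control\SafeBoot",
                  r"Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender"},
)
```

Running triage(**SAMPLE) yields five findings: the path in netsvcs, the DLL under Movie Maker, the two disabled services and the missing ShellServiceObjects key.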

The injected code carries out the payload. The trojan then hooks the following API calls from dnsrslvr.dll in order to block access to certain domains:

DNS_Query_A
 
DNS_Query_UTF8
 
DNS_Query_W
 
Query_Main 

sendto 

NetpwPathCanonicalize

InternetGetConnectedState

It blocks access to domains containing the following strings:

vet.
sans.
nai.
msft.
msdn.
llnwd.
llnw.
kav.
gmer.
cert.
ca.
bit9.
avp.
avg.
windowsupdate
wilderssecurity
virus
virscan
trojan
trendmicro
threatexpert
threat
technet
symantec
sunbelt
spyware
spamhaus
sophos
secureworks
securecomputing
safety.live
rootkit
rising
removal
quickheal
ptsecurity
prevx
pctools
panda
onecare
norton
norman
nod32
networkassociates
mtc.sri
msmvps
msftncsi
mirage
microsoft
mcafee
malware
kaspersky
k7computing
jotti
ikarus
hauri
hacksoft
hackerwatch
grisoft
gdata
freeav
free-av
fortinet
f-secure
f-prot
ewido
etrust
eset
esafe
emsisoft
dslreports
drweb
Defender
cyber-ta
cpsecure
conficker
computerassociates
comodo
clamav
centralcommand
ccollomb
castlecops
bothunter
avira
avgate
avast
arcabit
antivir
anti-
ahnlab
agnitum

It terminates all processes whose names contain the following strings:

wireshark
unlocker
tcpview
sysclean
scct_
regmon
procmon
procexp
ms08-06
mrtstub
mrt.
mbsa.
klwk
kido
kb958
kb890
hotfix
gmer
filemon
downad
confick
avenger
autoruns

It also blocks the following domains:

netlog.com
yandex.ru
zedo.com
doubleclick.com
2ch.net
allegro.pl
hi5.com
seznam.cz
ebay.com
odnoklassniki.ru
myspace.com
go.com
yahoo.com
fastclick.com
sourceforge.net
comcast.net
wikimedia.org
miniclip.com
mininova.org
facebook.com
adultadworld.com
4shared.com
skyrock.com
biglobe.ne.jp
download.com
youpo**.com
adultfriendfinder.com
nicovideo.jp
rambler.ru
foxnews.com
terra.com.br
zshare.net
bigpoint.com
yahoo.co.jp
dell.com
ziddu.com
livejournal.com
mixi.jp
rediff.com
youtube.com
mywebsearch.com
tube8.com
xha******.com
naver.com
tribalfusion.com
narod.ru
hyves.nl
xiaonei.com
clicksor.com
adsrevenue.net
mail.ru
files.wordpress.com
tinypic.com
ebay.it
digg.com
linkbucks.com
imdb.com
tagged.com
nba.com
msn.com
blogfa.com
recvfrom
livedoor.com
linkedin.com
kaixin001.com
reference.com
megapo**.com
torrentz.com
orange.fr
geocities.com
pcpop.com
paypopup.com
fc2.com
partypoker.com
ask.com
googlesyndication.com
badongo.com
goo.ne.jp
aweber.com
answers.com
espn.go.com
seesaa.net
metroflog.com
aim.com
megaclick.com
metacafe.com
netflix.com
sonico.com
photobucket.com
awempire.com
depositfiles.com
imageshack.us
gougou.com
po**hub.com
mediafire.com
typepad.com
imeem.com
perfspot.com
56.com
soso.com
ameba.jp
friendster.com
google.com
tuenti.com
imagevenue.com
taringa.net
badoo.com
disney.go.com
livejasmin.com
multiply.com
ucoz.ru
flickr.com
mapquest.com
ameblo.jp
pogo.com
apple.com
cricinfo.com
ebay.co.uk
studiverzeichnis.com
vkontakte.ru
wordpress.com
rapidshare.com
wikimedia.org
icq.com
xnxx.com
veoh.com
ning.com
pconline.com.cn
tudou.com
sakura.ne.jp
fotolog.net
bbc.co.uk
conduit.com
vnexpress.net
ebay.de
craigslist.org
live.com
xvideos.c0m (.com)
ioctlsocket
tianya.cn
alice.it
bebo.com
verizon.net
megaupload.com
kooora.com
thepiratebay.org

Main Payload

It retrieves files from the following URL (<rnd2> is a random number):

http://<URL>/search?q=<%rnd2%>

It chooses the domain's top-level domain from the list below:

vn
vc
us
tw
to
tn
tl
tj
tc
su
sk
sh
sg
sc
ru
ro
ps
pl
pk
pe 
no 
nl 
nf 
my 
mw 
mu 
ms 
mn 
me
md 
ly 
lv 
lu 
li 
lc 
la 
kz 
kn 
is
ir
in 
im 
ie 
hu 
ht 
hn 
hk 
gy
gs 
gr
gd
fr
fm 
es 
ec 
dm 
dk 
dj 
cz 
cx
cn
cl
ch
cd
ca
bz
bo
be
at
as
am
ag
ae
ac
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr

The trojan generates 50000 domain names every day, skipping the IP address ranges below:

127.x.x.x
169.254.x.x
x.198.x.x
x.255.255.253
224-239.x.x.x
240-255.x.x.x

Furthermore, the trojan blacklists 399 IP addresses linked to security companies. It retrieves the date from one of the following domains:

http://www.w3.org

http://www.ask.com

http://www.yahoo.com

http://www.google.com

http://www.baidu.com

http://www.rapidshare.com

http://www.imageshack.us

http://www.facebook.com

Other variants coming soon
