Net-Worm.Win32.Kido.ih spreads mainly via local networks and removable storage media. This Win32.kido worm copies itself automatically to remote computers by creating temporary files with random extension. Follow the steps and tools given below to remove Net-Worm.Win32.Kido.ihworm/ rootkit completely.

More details of this Win32.Kido.ih Worm

The program itself is a Windows PE DLL file and unlike other worms it’s size could vary from 155KB to 165KB. Also this rootkit is packed using UPX.

How to locate this worm ?

Check the following windows location, where the worm automatically copies its exe files with random names.

%System%\<random>dir.dll
%Program Files%\Internet Explorer\<random>.dll 
%Program Files%\Movie Maker\<random>.dll 
%All Users Application Data%\<random>.dll 
%Temp%\<random>.dll 
%System%\<random>tmp 
%Temp%\<random>.tmp

Removal of NetWorm-Win32-Kido.ih

You can use the free rootkit removal tools listed in our RootKit Removal article for removing this worm completely or follow the manual steps below.

Manual steps for removing NetWorm Win32.Kido.ih Worm

Delete the registry key from

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

Delete “%System%\<random>.dll” from system registry key value shown below:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"

Reboot the system.

Delete the original worm file and it’s copies from the windows location show before.

Delete autorun files and .exe files located in removable storage [usb flash/pen drives]

<K>:\autorun.inf

<K>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<random>.vmx

Update your current antivirus databases and perform a full scan of the computer to remove NetWorm Win32.Kido.ih (or you can download latest Kaspersky AntiVirus 2010 or Norton Antivirus 2009 for fee).

If you like this post then please Tweet this or Subscribe to the latest updates on this post through Email by CLICKING HERE.