net-worm.win32.kido.dq Problem

Last Modified: 2013-11-22
Hi All,

My network has been infected with the net-worm.win32.dq or Conficker worm, and we are having a problem with a machine broadcasting this worm across the whole network and trying to infect other machines. We have patched all of our machines (or believe we have) with the Microsoft patch, and our antivirus is up to date and working; however, this is still being broadcast. The problem is that I cannot trace where this broadcast is coming from. Are there any tools etc., or knowledge you can share with me, to help trace this broadcast?

Below is the message my machines receive when this rogue machine tries to send it; however, no record is made of where it came from.

Regards

Natalie
Event Type:	Warning
Event Source:	Anti-Virus
Event Category:	None
Event ID:	0
Date:		11/02/2009
Time:		09:05:45
User:		N/A
Computer:	RATS
Description:
Net-Worm.Win32.Kido.dq has been found in
C:\WINDOWS\system32\kfuuif.k
11/02/2009 09:05:45
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Ned Ramsay, Network Operations Manager

Commented:
Any machine not already patched could be sending, and if it isn't patched and cleaned it can be re-infected as soon as it boots. The only safe way to truly do this is:
Update your AV. Disconnect the network from it. Clean the PC. Patch it (best with a CD, as it will infect any USB device or mapped drive). Reboot.
Only after it is rebooted will the patch actually be applied, so there is no point cleaning it with the patch etc. while it is still on the network.
Once the steps above are complete, re-connect the network.

Commented:
Hi there,

The same happened to our enterprise domain.

A stopped BITS service is the Conficker worm's common characteristic. If you find any PC with a stopped BITS service, it is surely infected.

1. The very first thing you could do is isolate the network segment/PC wherein the infection is positive.
2. Run McAfee's latest Stinger version.

http://vil.nai.com/vil/stinger/

3. The document attached herewith helps you stop the worm from spreading (see the attached PDF file). Run through this document; it will help you understand how the Conficker worm attacks and how it will be stopped.

Regards,


Problem-Description-Conficker.pdf
Commented:
Hi,

The key to solving unknown sources of infection is sniffing the traffic, so you have many options here:

1) Install Wireshark and sniff the traffic from a SPAN port (monitoring port on the switch), and upload the pcap file here to inspect it.

Download it from here (http://www.wireshark.org/download.html).

2) You can set up a Snort IDS box to detect intrusions and malicious traffic in your network. Downadup/Conficker can be detected by Snort signatures.

Download it from here for Linux (http://www.snort.org/dl/) or Windows (http://www.snort.org/dl/binaries/win32/).

Read some docs on how to install/run it (http://www.snort.org/docs/).


Good Luck,

A Symantec Certified Specialist @ your service
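As an added example that is not part of any post in this thread: the script below does offline what the Wireshark/Snort suggestion above aims at. It reads a classic libpcap file taken from a SPAN port and ranks source addresses by how many distinct hosts they tried to open connections to on TCP/445 (the SMB port over which Conficker exploits MS08-067), which is exactly the pattern a propagating worm produces and a normal client does not. Only a bare SYN (SYN set, ACK clear) counts, so the file server's SYN/ACK replies do not make it look like the scanner. The capture it analyses is constructed inline with assumed addresses (192.168.1.77 as the infected host, 192.168.1.10 as a normal client); on a real capture, pass `open("span.pcap", "rb").read()` instead of `sample_capture()`. Standard library only, so nothing extra needs installing on the analysis box.

```python
"""Find the host sweeping TCP/445 (Conficker's MS08-067 propagation port) in a pcap.

Stdlib-only classic-pcap reader: Ethernet -> IPv4 -> TCP. A worm spreading over
SMB shows up as one source that opens connections to many distinct hosts.
"""
import struct
from collections import Counter, defaultdict

ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _parse_packet(data):
    """Return (src_ip, dst_ip, dst_port, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(data) < 34 or struct.unpack("!H", data[12:14])[0] != ETH_IPV4:
        return None
    ip = data[14:]
    if ip[0] >> 4 != 4 or ip[9] != IP_PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 14:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dst_port, tcp[13]


def iter_pcap(pcap_bytes):
    """Yield raw frames from a classic libpcap file, handling either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def find_scanners(pcap_bytes, port=445, min_targets=5):
    """Rank sources by how many distinct hosts they sent a bare SYN to on `port`.

    A bare SYN (SYN set, ACK clear) is a new outbound connection attempt, so
    server-side SYN/ACKs and established traffic do not inflate the count.
    Returns [(src_ip, distinct_targets, syn_count), ...], busiest first.
    """
    targets, syns = defaultdict(set), Counter()
    for frame in iter_pcap(pcap_bytes):
        parsed = _parse_packet(frame)
        if parsed is None:
            continue
        src, dst, dst_port, flags = parsed
        if dst_port == port and flags & TCP_SYN and not flags & TCP_ACK:
            targets[src].add(dst)
            syns[src] += 1
    ranked = [(s, len(t), syns[s]) for s, t in targets.items() if len(t) >= min_targets]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


# --- constructed sample capture (not a real one; assumed addresses) so this runs offline ---

def _frame(src_ip, dst_ip, dst_port, flags=TCP_SYN):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which the parser ignores."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def sample_capture():
    """192.168.1.77 sweeps 20 neighbours on 445; 192.168.1.10 is a normal SMB client."""
    frames = [_frame("192.168.1.77", f"192.168.1.{i}", 445) for i in range(1, 21)]
    frames += [_frame("192.168.1.10", "192.168.1.5", 445)] * 2
    frames.append(_frame("192.168.1.5", "192.168.1.10", 49152, TCP_SYN | TCP_ACK))  # server reply
    frames.append(b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", 0x0806) + b"\x00" * 28)  # ARP
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1234567890, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + recs


if __name__ == "__main__":
    for src, hosts, count in find_scanners(sample_capture()):
        print(f"{src}: {count} SYNs to port 445 across {hosts} distinct hosts")
```

Two practical caveats: newer Wireshark versions save in pcapng by default, so export as classic pcap (or do the same ranking inside Wireshark with the display filter `tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==445` and Statistics > Conversations), and the SPAN session must mirror the VLANs the infected host actually sits in, or its sweep never reaches the capture box. Conficker also spreads over NetBIOS/admin shares, so re-running with `port=139` is worth a look if 445 shows nothing.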

Mohamed Osama, Senior IT Consultant (Certified Expert)
Commented:
As advised above, sniffing the traffic can help a lot in pinpointing the offending machine.
Once you identify the culprit machine, check this tool:
KidoKill
Also, you may want to scan using MBSA for any unpatched machines.