net-worm.win32.kido.dq Problem

Posted on 2009-02-11
Last Modified: 2013-11-22
Hi All,

My network has been infected with the net-worm.win32.dq or Conficker worm, and we are having a problem with a machine broadcasting this worm across the whole network and trying to infect other machines. We have patched all of our machines (or believe we have) with the Microsoft patch and our antivirus is up to date and working; however, this is still being broadcast. The problem is that I cannot trace where this broadcast is coming from. Are there any tools etc. or knowledge you can share with me to help trace this broadcast?

Below is the message my machines receive when this rogue machine tries to send it; however, no record is made of where it came from.


Event Type:	Warning
Event Source:	Anti-Virus
Event Category:	None
Event ID:	0
Date:		11/02/2009
Time:		09:05:45
User:		N/A
Computer:	RATS


Net-Worm.Win32.Kido.dq has been found in


11/02/2009 09:05:45


For more information, see Help and Support Center at


Question by:brookesm
    LVL 7

    Expert Comment

    by:Ned Ramsay
    Any machine not already patched could be sending, and if it isn't patched and cleaned it can be re-infected as soon as it boots. The only safe way to truly do this is:
    Update your AV. Disconnect the network from it. Clean the PC. Patch it (best with a CD, as it will infect any USB device or mapped drive). Reboot.
    Only after it is rebooted will the patch actually be applied. So there is no point cleaning it with the patch etc. while it is still on the network.
    Once the steps above are complete, re-connect the network.
    LVL 6

    Expert Comment

    Hi there,

    The same happened to our enterprise domain.

    A stopped BITS service is the Conficker worm's common characteristic. If you find any PC with a stopped BITS service, it is surely infected.

    1. The very first thing you could do is isolate the network segment/PC where the infection is positive.
    2. Run McAfee's latest Stinger version.

    3. The document attached herewith helps you stop the worm from spreading (see attached PDF file). Run through this document; it will help you understand how the Conficker worm attacks and how it can be stopped.


    LVL 12

    Expert Comment

    LVL 15

    Accepted Solution


    The key to solving unknown sources of infection is sniffing the traffic. So you have many options here:

    1) Install Wireshark and sniff the traffic from a SPAN Port (monitoring port on the switch), and upload the pcap file here to inspect it.

    Download from here (

    2) You can set up a Snort IDS box to detect intrusions and malicious traffic in your network. Downadup/Conficker can be detected by Snort signatures.

    Download it from here for Linux ( or Windows (

    Read some docs on how to install/run it (

    Good Luck,

    A Symantec Certified Specialist @ your service
    LVL 23

    Assisted Solution

    As advised above, sniffing the traffic can help a lot in pinpointing the offending machine.
    Once you identify the culprit machine, check this tool 
    Also, you may want to scan using MBSA for any unpatched machines 
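
The traffic-sniffing approach in the accepted and assisted solutions, as an added example that is not part of the original thread: the worm propagates over SMB (TCP port 445), so the source of the spread shows up in a SPAN-port capture as one host opening connections to many distinct peers. The script assumes the capture was exported with `tshark -T fields`; the sample rows, addresses and the threshold of 20 hosts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: tab-separated rows as produced by
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
#          -e tcp.flags.syn -e tcp.flags.ack
# All addresses are made up for this example.
SAMPLE = "\n".join(
    [f"10.0.0.57\t10.0.0.{n}\t445\t1\t0" for n in range(1, 41)]    # one host sweeping 40 peers
    + [f"10.0.0.57\t10.0.0.{n}\t445\t1\t0" for n in range(1, 11)]  # retries to the same peers
    + ["10.0.0.12\t10.0.0.5\t445\t1\t0",         # normal client -> file server
       "10.0.0.12\t10.0.0.5\t445\t0\t1",         # established traffic, not a new connection
       "10.0.0.5\t10.0.0.12\t49200\t1\t1",       # SYN/ACK reply from the server
       "10.0.0.30\t10.0.0.5\t445\tTrue\tFalse",  # some tshark versions print booleans as words
       "10.0.0.30\t10.0.0.6\t445\tTrue\tFalse",
       "garbage line",                           # malformed row
       "\t\t\t\t"]                               # non-TCP packet: all fields empty
)

TRUE = {"1", "true"}

def smb_fanout(text, port=445):
    """Map each source IP to the set of distinct hosts it tried to connect to on `port`."""
    targets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        src, dst, dport, syn, ack = (f.strip() for f in fields)
        if not src or not dst or dport != str(port):
            continue
        # Count only connection attempts: SYN set, ACK clear.
        if syn.lower() in TRUE and ack.lower() not in TRUE:
            targets[src].add(dst)
    return targets

def suspects(text, min_targets=20):
    """Sources that contacted at least `min_targets` distinct hosts, busiest first."""
    fanout = smb_fanout(text)
    ranked = sorted(((len(d), s) for s, d in fanout.items()), reverse=True)
    return [(s, n) for n, s in ranked if n >= min_targets]

if __name__ == "__main__":
    for src, count in suspects(SAMPLE):
        print(f"{src} attempted SMB connections to {count} distinct hosts")
```

File servers and domain controllers receive many port-445 connections but rarely initiate them to workstations, so a workstation at the top of this list is the machine to isolate first.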

