Our school got an annoying worm that caused a slow internet connection and made it difficult to access major antivirus websites. Finally we found out its names:
- Worm.Conficker [PCTools]
- W32.Downadup [Symantec]
- Net-Worm.Win32.Kido.ih [Kaspersky Lab]
- W32/Conficker.worm [McAfee]
- W32/Confick-A [Sophos]
- Worm:Win32/Conficker.A [Microsoft]
- Worm.Win32.Conficker [Ikarus]
Scan for infected computers
To detect it from the network we use the MikroTik tool ‘torch’, pointed at port 445:
The source addresses of infected computers are easily found using torch.
On FreeBSD I use ipaudit from ports:
# ipaudit -S -p445 -e vge2
vge2 is the interface name of the gigabit Ethernet LAN card.
It produced this report:
172.88.2.91 204.9.117.33 6 2472 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.91 204.82.181.68 6 2520 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 205.114.221.5 6 2404 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.91 209.12.61.105 6 2470 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.91 209.104.160.79 6 2445 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.91 211.99.189.88 6 2473 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 212.28.165.110 6 2523 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 215.33.181.61 6 2495 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 217.106.15.31 6 2498 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 221.93.208.46 6 2501 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 222.117.21.115 6 2444 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.113 211.24.71.27 6 2783 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.113 211.87.202.27 6 2652 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.113 211.114.103.46 6 2787 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.113 213.45.200.31 6 2728 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.113 213.73.144.24 6 2813 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.113 215.105.97.61 6 2915 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.113 217.77.57.113 6 2777 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.113 217.81.23.90 6 2906 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.113 219.95.185.28 6 2695 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.122 172.88.3.255 17 137 137 0 184 0 2 ffffffffffff 001921572a28
172.88.2.123 172.111.44.96 6 4749 445 0 62 0 1 000c421a264a 001921e03ba9
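A report like the one above can be reduced to a short list of suspect hosts. The script below is an added example, not part of the original post or of ipaudit. It assumes the column order read off the report (two IPs, protocol, two ports, bytes and packets received by each side, two MAC addresses), and `min_targets` is a hypothetical threshold.

```python
from collections import defaultdict

# Rows copied from the report above; the UDP/137 broadcast row is kept on purpose.
SAMPLE = """\
172.88.2.91 204.9.117.33 6 2472 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.91 204.82.181.68 6 2520 445 0 62 0 1 000c421a264a 001bfc184f7c
172.88.2.91 205.114.221.5 6 2404 445 0 124 0 2 000c421a264a 001bfc184f7c
172.88.2.113 211.24.71.27 6 2783 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.113 211.87.202.27 6 2652 445 0 62 0 1 000c421a264a 0019215ed9f0
172.88.2.113 211.114.103.46 6 2787 445 0 124 0 2 000c421a264a 0019215ed9f0
172.88.2.122 172.88.3.255 17 137 137 0 184 0 2 ffffffffffff 001921572a28
172.88.2.123 172.111.44.96 6 4749 445 0 62 0 1 000c421a264a 001921e03ba9
"""

FIELDS = 11  # assumed layout: ip1 ip2 proto port1 port2 bytes1 bytes2 pkts1 pkts2 mac mac


def parse(report):
    """Yield one record per 11 tokens, so rows run together on one line still parse."""
    tok = report.split()
    for i in range(0, len(tok) - len(tok) % FIELDS, FIELDS):
        ip1, ip2, proto, _p1, port2, bytes1, bytes2, _k1, _k2, _mac_a, mac_b = tok[i:i + FIELDS]
        # mac_b is the last column; in the report it differs per source host (assumed host MAC)
        yield {"ip1": ip1, "ip2": ip2, "proto": int(proto), "port2": int(port2),
               "bytes1": int(bytes1), "bytes2": int(bytes2), "mac": mac_b}


def smb_scanners(report, min_targets=3):
    """Hosts that sent TCP/445 traffic to at least min_targets peers and got nothing back."""
    seen = defaultdict(lambda: {"targets": set(), "mac": None})
    for r in parse(report):
        # proto 6 = TCP; bytes1 == 0 means ip1 received no reply (assumed column meaning)
        if r["proto"] == 6 and r["port2"] == 445 and r["bytes1"] == 0 and r["bytes2"] > 0:
            seen[r["ip1"]]["targets"].add(r["ip2"])
            seen[r["ip1"]]["mac"] = r["mac"]
    return {ip: {"targets": len(v["targets"]), "mac": v["mac"]}
            for ip, v in seen.items() if len(v["targets"]) >= min_targets}


if __name__ == "__main__":
    for ip, info in sorted(smb_scanners(SAMPLE).items()):
        print(f"{ip} mac={info['mac']} unanswered_445_targets={info['targets']}")
```

The MAC address in the result helps locate the machine on a switch when its IP address is assigned dynamically.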
What to do next?
1. Disinfect the infected computers
Use the KidoKiller utility from Kaspersky, download from here.
Run it to find and cure the infection.
Prevent next attack
Minimum patches that need to be installed on our Win XP computers:
How do we know if a patch is already installed?
Click Start -> Settings -> Control Panel -> Add or Remove Programs
Make sure to tick ‘Show updates’
Example of an installed patch:
Is that enough?
I don’t know, I just added the other security patches I installed:
WindowsXP-KB938464-v2-x86-ENU.exe
WindowsXP-KB941569-x86-ENU.EXE
WindowsXP-KB946648-x86-ENU.exe
WindowsXP-KB950762-x86-ENU.exe
WindowsXP-KB950974-x86-ENU.exe
WindowsXP-KB951066-x86-ENU.exe
WindowsXP-KB951376-v2-x86-ENU.exe
WindowsXP-KB951698-x86-ENU.exe
WindowsXP-KB951748-x86-ENU.exe
WindowsXP-KB952954-x86-ENU.exe
WindowsXP-KB953155-x86-ENU.exe
WindowsXP-KB954459-x86-ENU.exe
WindowsXP-KB954600-x86-ENU.exe
WindowsXP-KB955069-x86-ENU.exe
WindowsXP-KB956802-x86-ENU.exe
WindowsXP-KB956803-x86-ENU.exe
WindowsXP-KB956841-x86-ENU.exe
WindowsXP-KB957097-x86-ENU.exe
WindowsXP-KB958644-x86-ENU.exe
WindowsXP-KB958687-x86-ENU.exe
WindowsXP-KB960225-x86-ENU.exe
WindowsXP-KB967715-x86-ENU.exe
Plus, make sure to update to the latest virus definitions for my antivirus software.
It works well 🙂