How to Remove Kido / Downadup / Downup / Conficker

The Kido worm, also known as Downadup, Downup and Conficker, is still spreading rapidly several months after it was first spotted in November 2008. More than 9 million PCs are estimated to have been infected, and Panda Security reports an infection rate of 6% among two million computers scanned through its website. China (the probable country of origin) has the most infections.

Kido spreads by exploiting a vulnerability in the Windows Server service (MS08-067) that affects Windows 2000, Windows XP, Windows Server 2003 and Windows Vista (the Windows 7 pre-beta was also listed as affected) and that Microsoft patched out of band in October 2008. Unfortunately, a large number of PC users never install Windows updates and so remain vulnerable to the worm. Symantec found an interesting correlation between countries with a large share of pirated Windows installations and countries with large-scale Kido infections.

[Figure: Top 10 Countries Infected by Kido]

Downadup, or Kido, is remarkable in its sophistication. It spreads over the network as well as via removable media (pen drives, MP3 players and so on). On removable media it can get itself launched even on machines where the user believes AutoPlay is off, because its autorun.inf disguises the "Run" entry in the AutoPlay dialog as the ordinary "Open folder to view files" option. Once running it deletes system restore points, disables Windows Update, Windows Defender and the Windows Security Center service, hooks DNS resolution in memory so that lookups for names containing security-vendor strings fail (this is how it blocks access to security websites), patches tcpip.sys to lift the limit on concurrent half-open TCP connections so it can scan for new victims faster, and restricts the access permissions on its own files and registry keys so they are hard to remove. Newer variants also tamper with the Windows Firewall (opening the port the worm's own HTTP server listens on) and can interfere with antivirus scans.

As soon as any removable drive is inserted it creates a file called autorun.inf and a folder RECYCLER (the name Windows uses for the Recycle Bin on NTFS volumes). Inside RECYCLER it creates a subfolder named like a Windows security identifier (S-5-3-42-...) and drops a copy of itself there as RANDOM_NAME.vmx; despite the extension this is a DLL, and the autorun.inf loads it through rundll32.exe. Most antivirus products will detect the .vmx file, but once the system itself is infected they usually cannot eliminate the worm, so you end up with a new detection every time you insert a USB device.
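The footprint just described (a junk-padded autorun.inf that hands a .vmx file to rundll32, plus a RECYCLER\S-...\ folder) is easy to check for on a suspect stick. The Python below is an added example, not code from this post or from any vendor tool: it parses autorun.inf the way Windows' INI parser does (ignoring lines that are neither a section header nor key=value, which is why the junk padding never broke AutoPlay), flags the disguises, and walks RECYCLER for SID-named folders holding .vmx files. The sample drive it builds in a temp directory is constructed for the demonstration; the folder and file names in it are assumptions modelled on the layout above, and the .vmx it writes is a placeholder, not malware.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Windows' INI parser acts only on "[section]" and "key=value" lines and silently
# skips everything else; the worm exploited that by padding autorun.inf with junk
# bytes to upset signature scanners without breaking AutoPlay. Mimic it here.
_SECTION_RE = re.compile(rb"^\s*\[([^\]]+)\]\s*$")
_KV_RE = re.compile(rb"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")
# RECYCLER subfolder named like a security identifier, e.g. S-5-3-42-2819952290-...
_SID_DIR_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")


def parse_autorun_inf(data: bytes) -> Dict[str, str]:
    """Return the [autorun] section as {lowercase key: value}, tolerating junk lines."""
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in data.splitlines():          # bytes.splitlines breaks on \r, \n, \r\n only
        sec = _SECTION_RE.match(raw)
        if sec:
            in_autorun = sec.group(1).strip().lower() == b"autorun"
            continue
        kv = _KV_RE.match(raw)
        if in_autorun and kv:
            keys[kv.group(1).decode("ascii").lower()] = kv.group(2).decode("latin-1")
    return keys


def _rundll32_target(cmd: str) -> Optional[str]:
    """If cmd is 'rundll32[.exe] <file>,<entrypoint>', return <file>; otherwise None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2 or "rundll32" not in parts[0].lower():
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def autorun_findings(keys: Dict[str, str]) -> List[str]:
    """Heuristics for an autorun.inf that launches a disguised DLL."""
    findings: List[str] = []
    for key in ("open", "shellexecute", "shell\\open\\command"):
        cmd = keys.get(key, "")
        target = _rundll32_target(cmd)
        if target is not None and not target.lower().endswith((".dll", ".exe")):
            findings.append(f"{key}= loads a non-.dll file through rundll32: {cmd}")
        if "recycler" in cmd.lower():
            findings.append(f"{key}= points into RECYCLER: {cmd}")
    if "open folder" in keys.get("action", "").lower():
        findings.append(f"action= mimics Explorer's 'Open folder' entry: {keys['action']}")
    return findings


def scan_removable_root(root: Path) -> List[str]:
    """Check one drive root for the footprint described in the text."""
    findings: List[str] = []
    inf = root / "autorun.inf"
    if inf.is_file():
        findings += autorun_findings(parse_autorun_inf(inf.read_bytes()))
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sub in recycler.iterdir():
            if sub.is_dir() and _SID_DIR_RE.match(sub.name):
                for f in sub.iterdir():
                    if f.is_file() and f.suffix.lower() == ".vmx":
                        findings.append(f"DLL dropped as .vmx: {f.relative_to(root)}")
    return findings


_JUNK = bytes(range(0x80, 0xA0)) * 3   # deterministic filler standing in for the worm's random padding


def build_sample_drive() -> Path:
    """Constructed sample (not a real capture): a temp dir laid out like an infected stick.

    The SID folder, file name and entry point are assumptions modelled on the text.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    sid_dir = root / "RECYCLER" / "S-5-3-42-2819952290-8240758988-879315005-3665"
    sid_dir.mkdir(parents=True)
    (sid_dir / "jwgkvsq.vmx").write_bytes(b"MZ" + b"\0" * 62)   # placeholder bytes, not the worm
    (root / "autorun.inf").write_bytes(
        _JUNK + b"\r\n[autorun]\r\n" + _JUNK + b"\r\n"
        b"Action=Open folder to view files\r\n"
        b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
        b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,ahaezedrn\r\n"
        b"UseAutoPlay=1\r\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_removable_root(build_sample_drive()):
        print(finding)
```

Run it against a real drive letter with `scan_removable_root(Path("E:/"))` from a clean machine; the stick's files are hidden and system-flagged, but a directory walk does not care. An empty result does not prove the stick is clean (the folder name varies between variants), but any of the four findings above is reason enough to format it.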

Like most worms, once Kido infects a machine it calls home and may download further malicious files. What is really interesting is how it finds home: Kido uses a domain generation algorithm that derives a fresh list of candidate domain names from the current date every day. The payload may be hosted on any one of those names, so the operators need to register only one of them while the defenders have to block or pre-register all of them. Kido also runs a dictionary attack against the ADMIN$ shares of other machines on the network, trying a built-in list of weak passwords to guess administrator credentials (a tell-tale side effect is accounts getting locked out). Hence it would be a good idea to change your administrator password to a non-dictionary word right now.

The Kido worm has been dubbed an epidemic, the biggest worm outbreak in recent years, and it is still evolving. Kaspersky reports new variants (widely labelled Conficker.C) that further enhance the original worm's functionality: they generate as many as 50,000 domain names per day (compared to 250 in the older variants) from which updates can be fetched, which makes pre-registering the whole list impractical.
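The two paragraphs above describe the domain generation algorithm only in outline. The Python below is an added illustration, not Conficker's actual generator and not code from this post: it derives a date-seeded list with the same shape (a few hundred names per day spread over a handful of TLDs; the seed string, the TLD set and the log line format are made up for the example), and then uses the very same function the way a defender would, precomputing the day's list and matching it against constructed DNS query log lines.

```python
import hashlib
import re
from datetime import date
from typing import Dict, List

TLDS = ("com", "net", "org", "info", "biz")   # example choice, not the worm's real TLD set


def dga_domains(day: str, count: int = 250, seed: bytes = b"example-seed") -> List[str]:
    """Derive `count` pseudo-random domains from an ISO calendar date alone.

    Illustrative generator, NOT Conficker's: each name is SHA-256(seed, date, index)
    turned into 8-11 lowercase letters plus a TLD. The property that matters is the
    one the text describes: anyone who knows the algorithm and today's date can
    regenerate the whole list, the worm and the defenders alike.
    """
    day_key = date.fromisoformat(day).isoformat().encode()   # validates and normalises
    names: List[str] = []
    for i in range(count):
        h = hashlib.sha256(seed + day_key + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 4
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return names


# Constructed log format: "<timestamp> <client> query: <name> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<name>\S+) (?P<rcode>\S+)$")


def match_dns_log(lines: List[str], day: str, count: int = 250) -> Dict[str, List[str]]:
    """Return client -> names it asked for that are on the day's generated list.

    This is the defender's use of the algorithm: precompute today's candidates,
    then look for hosts querying them. Infected hosts also produce a burst of
    NXDOMAIN answers for the unregistered candidates, a cheap secondary signal.
    """
    todays = set(dga_domains(day, count))
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in todays:
            hits.setdefault(m.group("client"), []).append(name)
    return hits


def sample_log(day: str) -> List[str]:
    """Constructed log lines (not a real capture) for the matcher above."""
    gen = dga_domains(day)
    return [
        f"{day}T10:01:02 192.168.1.23 query: {gen[0]} NXDOMAIN",
        f"{day}T10:01:02 192.168.1.23 query: {gen[7]} NOERROR",
        f"{day}T10:01:03 192.168.1.23 query: {gen[42]}. NXDOMAIN",
        f"{day}T10:01:05 192.168.1.50 query: www.example.com NOERROR",
        "this line is not a query record and is skipped",
    ]


if __name__ == "__main__":
    today = "2009-03-12"
    for client, names in match_dns_log(sample_log(today), today).items():
        print(client, "asked for", len(names), "of today's", len(dga_domains(today)), "generated names")
```

Because the list is derivable in advance, defenders could pre-register or sinkhole the 250 daily names of the early variants, which is exactly the countermeasure the 50,000-per-day variant was built to defeat; at that volume the practical detection becomes the second signal in the comment above, a host producing hundreds of NXDOMAIN answers for random-looking names.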

Protect yourself from Kido / Downadup / Conficker / Downup

If you haven't installed the Windows updates and aren't yet infected, consider yourself lucky. Install MS08-067 (KB958644, the Server service fix for the hole the worm actually exploits) right now, and while you are at it the related SMB fixes MS08-068 (KB957097) and MS09-001 (KB958687). Reboot afterwards; the patched service is not protected until you do.

How to Remove Kido / Downadup / Conficker / Downup

If you are already infected and your antivirus software can't eliminate the worm, you will need a dedicated removal tool; several security vendors offer one. The major ones are listed below.

Microsoft : Windows Malicious Software Removal Tool
Kaspersky : KidoKiller
F-Secure : F-downadup (alternate link)
BitDefender : Win32.Worm.Downadup.Gen Remover (alternate link)
Spywarevoid : W32.downadup.c removal tool
Symantec : W32.Downadup Remover
ESET : Conficker Remover
Sophos : Conficker Cleanup Tool

Since Kido blocks access to security websites, some of these links may not work from the infected machine. Keep trying until you find one that works, use a proxy service, or download the tool on a clean machine and carry it over on a freshly formatted USB stick (the worm writes to every removable drive it sees, so scan the stick afterwards). Once you have removed Kido, install the patches mentioned above before reconnecting to the network; an unpatched machine on a network with other infected hosts will simply be infected again.

Kido has already caused a lot of trouble, including infections at the U.K. Ministry of Defence and the shutdown of the Houston Municipal Court's systems. How much of a nuisance this worm is can be judged from the fact that Microsoft is offering a $250,000 reward for information leading to the conviction of its creators. What is more, most observers believe the worst is yet to come: the worm has millions of machines under its command but hasn't delivered a payload to any of them. Some speculate that the worm's creator may push one to all infected machines on a predetermined date (dubbed Big-Bang), creating massive trouble in one go.

P.S. : Different antivirus vendors use different naming conventions for the worm. These are the aliases used by popular antivirus vendors:
Symantec : W32.Downadup
F-Secure : W32/Downadup.A, W32/Downadup.B etc
Panda : Conficker.A, Conficker.B etc
Kaspersky : Net-Worm.Win32.Kido.bt, Net-Worm.Win32.Kido.ip, Net-Worm.Win32.Kido.iq etc
McAfee : W32/Conficker.worm
Bitdefender : Win32.Worm.Downadup.Gen


28 Responses to How to Remove Kido / Downadup / Downup / Conficker

  1. ary March 13, 2009 at 3:20 pm #

    Or try bdtools.net from BitDefender for its latest variant. I did. It was the only site this worm let me access. Their removal tool really works.

  2. Pallab March 13, 2009 at 4:12 pm #

    The file available from bdtools.net is the same as the one I have linked to. So both of them should be able to deal with the Kido worm.
    Thanks for the link though.

  3. Alex March 27, 2009 at 4:26 am #

    I have all the symptoms on Vista but the removal tools either die, or say the system is clean!!!

  4. Pallab March 27, 2009 at 5:55 pm #

    I believe the most definitive symptom is the presence of a .vmx file on any USB device that is plugged into the system. All AV software should be able to detect this file and let you know if it's a Kido/Conficker/Downadup infection.
    If you are infected the dedicated tools are your best bet. I listed as many tools as I could find so that at least some of them can get the work done. Give them all a try. If the virus removal tools are dying, try running them from Safe Mode.

  5. Alex March 27, 2009 at 6:06 pm #

    Hm, well I ran several cleaner utilities yesterday, and tried several AVs, but none of them reports anything. I even started to scan that Vista partition from the XP partition, which is clean, and could not detect anything, but I still can't open microsoft.com, kaspersky.com, symantec, nod, outpost…

    However, I can download those AVs etc. from alternate locations…

  6. Pallab March 27, 2009 at 6:22 pm #

    Not being able to access security websites is one of the symptoms of Kido, but it's exhibited by other malware too. The best way to check is to see if a .vmx file lands on plugged-in USB devices.
    Btw, just in case, check if anything is blocked in the hosts file (open it with Notepad by typing C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS in the Run command box).
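
The hosts-file check suggested in the comment above is worth automating, because an infected hosts file is hard to read by eye (malware typically appends its entries after hundreds of blank lines). The Python below is an added example, not code from this post or from any vendor: it parses a hosts file the way the resolver does (comments stripped, first token must be an IP address, any number of names after it) and flags every mapping for a security-vendor name, distinguishing names blackholed to loopback or 0.0.0.0 from names redirected to some other address. The vendor substring list and the sample hosts file are constructed for the example. One caveat that stands on its own: Kido blocks these sites by hooking DNS resolution in memory, not by editing the hosts file, so a clean hosts file does not rule it out; the check catches the other malware families the comment refers to.

```python
import ipaddress
from typing import List, Tuple

# Substrings of vendor and update hostnames that malware likes to blackhole.
# Partial, constructed list; extend it for the products you actually run.
VENDOR_MARKERS = (
    "microsoft", "windowsupdate", "symantec", "norton", "mcafee", "kaspersky",
    "f-secure", "eset", "nod32", "bitdefender", "sophos", "avast", "avira",
    "trendmicro", "pandasecurity",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping; comments and junk lines are skipped."""
    entries: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])       # accepts IPv4 and IPv6
        except ValueError:
            continue                             # not a mapping line
        for host in parts[1:]:                   # one address may carry several names
            entries.append((n, parts[0], host.lower()))
    return entries


def suspicious_hosts_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag mappings that hijack security-related names.

    Any static entry for a vendor name is suspect, since a legitimate hosts file
    never needs one. Loopback and 0.0.0.0 targets are reported as 'blackholed';
    anything else is 'redirected', possibly to an attacker-controlled server.
    """
    flagged: List[Tuple[int, str, str, str]] = []
    for n, ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain", "broadcasthost"):
            continue
        if any(marker in host for marker in VENDOR_MARKERS):
            addr = ipaddress.ip_address(ip)
            kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            flagged.append((n, host, ip, kind))
    return flagged


# Constructed sample: the stock Windows header plus entries of the kind malware appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.microsoft.com
127.0.0.1       update.microsoft.com   # appended by malware in this constructed sample
0.0.0.0         www.symantec.com
10.13.37.5      www.kaspersky.com
192.168.0.10    fileserver.corp.example
"""


if __name__ == "__main__":
    for line_no, host, ip, kind in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

To check a real machine, pass the contents of C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts (it has no extension, and malware often sets the hidden and read-only attributes on it, so use `attrib` or a file manager that shows system files to find it). The line numbers in the output tell you where to look, which matters when the malicious entries sit far below the visible part of the file.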

  7. Sham April 2, 2009 at 12:12 pm #

    Nice tip:)

  8. DOWNADUP, CONFICKER , KIDO April 24, 2009 at 10:47 am #

    I found this virus 3 days ago in my network, but I have a problem: Kaspersky shows the following message when it finds this virus: “write access is denied” file: c:\windows\bkqamc.dll
    Note: my virus name is:
    Net-Worm.Win32.Kido.em
    Patch MS08-067.mspx Microsoft
    Can you help me please?

  9. Alex Pavic April 24, 2009 at 11:17 am #

    Try a utility named Unlocker, you can grab it from here http://ccollomb.free.fr/unlocker/ , or some similar utility, to unlock that file and try to delete it manually. Hope that helps!


  10. ary April 24, 2009 at 7:01 pm #

    Try http://www.disinfecttools.com, the new location of the removal tool for the new Conficker variant, which is not yet blocked by the virus (bdtools.net is now). BitDefender moved quickly 😉

  11. Pallab April 24, 2009 at 7:32 pm #

    Thanks. Link updated

  12. Pallab April 24, 2009 at 7:33 pm #

    Unfortunately it's not as simple as removing a couple of files using Unlocker.

  13. Pallab April 25, 2009 at 8:40 pm #

    Did you try out the disinfection tools I mentioned in this post?

  14. Kay May 7, 2009 at 8:46 am #

    I have all the symptoms of this worm, but when I tried the BitDefender tool, it didn’t work. It says that the scan was clean! What can I do now? I’m not really proficient with computers…. :(

  15. Rudi Bedy May 7, 2009 at 2:07 pm #

    I would recommend downloading and burning the BitDefender Rescue CD from here: http://download.bitdefender.com/rescue_cd/BitDefenderRescueCD_v2.0.0_16_03_2009.iso
    After that insert the CD in your CD-ROM drive, restart your PC and boot from it. You will then enter a Linux OS where you can scan and remove viruses with the BitDefender scanner.
    You can find a tutorial on how to do this here: http://www.bitdefender.ro/KB417

  16. Rudi Bedy May 7, 2009 at 2:11 pm #

    Use this link for the How To tutorial, the one in my first comment was in Romanian : http://www.bitdefender.com/KB417

  17. DOWNADUP, CONFICKER , KIDO May 7, 2009 at 4:55 pm #

    I have tried the Symantec standalone tool,
    but there was no use in that…
    I am not able to download from other antivirus websites.
    When I try to, it redirects me to my local host.

  18. ary May 7, 2009 at 4:57 pm #

    Are you sure you have Conficker? If the tool says you are clean, maybe it is something else. Can you access any security vendors' sites?

  19. Pallab May 7, 2009 at 5:55 pm #

    Try this : ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
    Among other things try :
    i) Install all required patches from microsoft
    ii) Update Kaspersky and run it in Safe Mode.

    Try using a proxy to access blocked security websites.
    Just google for proxy sites ( https://proxy.org/ https://proximize.me/ , https://launchwebs.org are three secure proxy services).

    • antony June 3, 2010 at 8:29 pm #

      Please help me D: I cannot download anything and my antivirus expired and this virus is getting really annoying, it closes pages and so does MSN… I think

      but it does close the pages out of nowhere and I can't download anything D:… any tip please?

  20. kupo May 27, 2009 at 8:39 pm #

    Scans aren’t finding anything but I still have symptoms. Sigh.. can’t download anything from Microsoft.

  21. Pallab May 27, 2009 at 8:57 pm #

    Try downloading from a cyber-cafe, from a friend's computer, or using Linux.
    Remember that av providers also offer phone support. So you can always use that if you absolutely can’t figure out how to solve the problem.

  22. antony June 3, 2010 at 8:27 pm #

    Guys, can you help me please… I have this virus and it won't let me download ANYTHING

    I cannot download absolutely anything, it closes itself really fast, and so it does when I try to type antivirus…

    I had an antivirus that expired already so I don't have any right now…

    Do you guys have any solution for this without downloading? Because I'm desperate D:…

    • Pallab De June 4, 2010 at 9:38 am #

      Manual removal is hard. Some instructions are available here. A better way is to download the Kido removal tools from another machine and run them.

  23. JMontes October 31, 2010 at 6:24 pm #

    Conficker – I hate this.
    I formatted my drive when I had this virus.

  24. Beula Gumm June 12, 2011 at 7:01 am #

    Cool, but how old is this post?

  25. French Furniture Blog June 8, 2012 at 7:08 pm #

    The post is written in a very good manner and it contains much useful information for me. I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept.

Trackbacks/Pingbacks

  1. Remoción de Kido/Conficker « Notas sobre virus - January 5, 2010

    […] http://support.kaspersky.com/faq/?qid=208279973 http://www.pallab.net/2009/03/12/how-to-remove-kido-downadup-downup-conficker/ […]
