I-Worm.Kido (Date: 16 January 2009, Updated: 19 March 2009)
Summary
I-Worm.Kido spreads across the Internet. It spreads to other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). It may also spread via removable drives and weak administrator passwords.
Malware Type : Worm
Alias : Worm/Kido.BO [Avira], W32/Conficker.worm.gen.a [McAfee]
System Affected : Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Risk Rating : High
Description
When I-Worm.Kido is executed, it performs the following activities:

This worm infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.

It copies itself as one or more of the following files:

%ProgramFiles%\Internet Explorer\{Random Name}.dll
%ProgramFiles%\Movie Maker\{Random Name}.dll
%System%\{Random Name}.dll
%Temp%\{Random Name}.dll
%Documents and Settings%\All Users\Application Data\{Random Name}.dll


It creates/modifies the registry entries below (each key is followed by the values written under it):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  {Random Name} = "rundll32.exe "{Random Name}.dll", ydmmgvos"

HKLM\System\CurrentControlSet\Services\{Random Name}
  Service name = {Random Name}
  Display name = {Random Name}
  Startup Type = Automatic
  ImagePath = "%System%\svchost.exe -k netsvcs"

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets
  dl = "0"
  ds = "0"

HKLM\Software\Microsoft\Windows\CurrentVersion\Applets
  dl = "0"
  ds = "0"

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
  CheckedValue = "0"

It also modifies the following registry entry so that the worm spreads more rapidly across a network:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  TcpNumConnections = "00FFFFFE"

This worm may delete any System Restore points created by the user. It also disables several important system services and security products.

We strongly recommend that users apply the update for this vulnerability. To obtain it, users may refer to the web address below:

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

We also recommend that users ensure their network passwords are strong, to prevent this worm from spreading via weak administrator passwords.

The following services are disabled or fail to run:

* Windows Update Service
* Background Intelligent Transfer Service
* Windows Defender
* Windows Error Reporting Services
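The registry entries, the svchost-hosted service and the disabled services described above, as an added read-only check script for a suspect host (this is not code from the advisory or from Quick Heal). It assumes Windows PowerShell 5.1 in an elevated prompt; the service short names (wuauserv, BITS, WinDefend, WerSvc) and the unsigned-ServiceDll heuristic are this example's additions, not statements from the page.

```powershell
# Added example, not from the Quick Heal advisory: read-only checks for the host indicators this
# page describes. Assumes Windows PowerShell 5.1 in an elevated prompt. The service short names
# (wuauserv, BITS, WinDefend, WerSvc) and the unsigned-ServiceDll heuristic are not from the page.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Run-key value shaped like  {Random Name} = "rundll32.exe "{Random Name}.dll", ydmmgvos"
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if (($p.Value -is [string]) -and ($p.Value -match '(?i)rundll32\.exe\s+"?[^"]+\.dll"?\s*,\s*\w+')) {
        $findings.Add("HKCU Run value '$($p.Name)' loads a DLL via rundll32: $($p.Value)")
    }
}

# 2. Services hosted by "svchost.exe -k netsvcs" whose ServiceDll carries no valid Authenticode signature.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -match '(?i)svchost\.exe\s+-k\s+netsvcs') {
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if ((Test-Path $path) -and ((Get-AuthenticodeSignature $path).Status -ne 'Valid')) {
                $findings.Add("netsvcs service '$($_.PSChildName)' loads unsigned ServiceDll $path")
            }
        }
    }
}

# 3. Marker values and settings the worm writes (Applets dl/ds, hidden-file view, TCP connection limit).
foreach ($hive in 'HKCU', 'HKLM') {
    $a = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Applets" -ErrorAction SilentlyContinue
    if ($a -and (($null -ne $a.dl) -or ($null -ne $a.ds))) { $findings.Add("$hive Applets key carries dl/ds marker values") }
}
$showAll = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showAll.CheckedValue -eq 0) { $findings.Add('SHOWALL CheckedValue is 0 (Explorer cannot be told to show hidden files)') }
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $tcp.TcpNumConnections) { $findings.Add(('TcpNumConnections set to 0x{0:X8}' -f $tcp.TcpNumConnections)) }

# 4. Services the worm stops or disables.
foreach ($name in 'wuauserv', 'BITS', 'WinDefend', 'WerSvc') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and (($s.StartType -eq 'Disabled') -or ($s.Status -ne 'Running'))) {
        $findings.Add("Service $name is $($s.Status) (start type $($s.StartType))")
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No I-Worm.Kido indicators found.' }
```

Legitimate rundll32 Run entries and stopped services also appear in the output, so treat each line as a lead to review against the paths and values listed on this page rather than as a verdict.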

Users may not be able to connect to websites or online services whose addresses contain the following strings:

QuickHeal
virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate

It connects to the websites below to obtain the IP address of the compromised computer:

http://www.getmyip.org
http://www.whatsmyipaddress.com
http://getmyip.co.uk
http://checkip.dyndns.org


Payload
* May delete System Restore points.
* Disables security related services.
* Disables Windows services.
* Blocks access to security websites.

Solution
Disable System Restore.

  • Disable System Restore under Windows Me: Point to Start, Settings, and Control Panel. Double-click 'System', then click the 'Performance' tab. Click 'File System', then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.

  • Disable System Restore under Windows XP: Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the 'System Restore' tab. Select the 'Turn off System Restore on all drives' box. Click 'Apply'. Click 'Yes'. Restart your system.

Quick Heal users are requested to update their Anti-Virus with the latest signature pattern definitions and perform a full system scan using Quick Heal Scanner.