Last night the Kido (aka Conficker/Downadup) botnet kicked into action – what everyone’s been on the lookout for since 1st April.
The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files.
This latest Kido variant - Net-Worm.Win32.Kido.js - is very different to previous ones, with two notable points: once again it’s a worm, and it’s only functional until 3rd May. We’re still digging into the files, and we’ll post updates.
Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting.
One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.
The rogue software, SpywareProtect2009, can be found on [links removed]
More:
http://www.viruslist.com/en/weblog?weblogid=208187654
............................................................................................
Site Admin / Security Administrator
Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.