{
	"id": "8d5f9a93-7fae-4c0a-ba79-f0da81282fea",
	"created_at": "2026-04-10T03:21:43.149725Z",
	"updated_at": "2026-04-10T03:22:18.573246Z",
	"deleted_at": null,
	"sha1_hash": "9b2ec0ffaab227cb5c6f342476a87e8bf634fa7e",
	"title": "Kaspersky Lab analyses new version of Kido (Conficker)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47490,
	"plain_text": "Kaspersky Lab analyses new version of Kido (Conficker)\r\nBy Kaspersky\r\nPublished: 2009-04-11 · Archived: 2026-04-10 02:23:29 UTC\r\nA new version of the malicious program Kido (aka Conficker and Downadup) has been detected by\r\nKaspersky Lab; computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) have now\r\ncontacted each other over P2P, telling infected machines to download new malicious files, thus activating\r\nthe Kido botnet.\r\nKaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the\r\nmalicious program Kido (aka Conficker and Downadup) has been detected. During the night of 8th/9th April,\r\ncomputers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling\r\ninfected machines to download new malicious files, thus activating the Kido botnet.\r\nThis latest Kido variant differs significantly from previous variants: the malware is now once again a worm. Initial\r\nanalyses suggest it has date-limited functionality until 3rd May 2009.\r\nIn addition to downloading updates for itself, Kido also downloads two new files to infected machines. One is a\r\nrogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from sites\r\nlocated in Ukraine. When it’s run, the program offers to delete “detected viruses” for a charge of $49.95.\r\nThe second file which Kido downloads to infected systems is Email-Worm.Win32.Iksmas.atz. This email worm is\r\nalso known as Waledac, and is able to steal data and send spam. When this malicious program was first detected in\r\nJanuary 2009, a lot of IT experts noted the similarity between Kido and Iksmas. The Kido epidemic was mirrored\r\nby an email epidemic of a similar scale caused by Iksmas.\r\n“Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received\r\ncommands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages,” Aleks\r\nGostev, head of Kaspersky Lab’s Global Research and Analysis Team, said in comments about the current\r\nsituation. “Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters\r\nfrom detecting the mass mailings using methods that analyze the frequency with which a specific domain is used.\r\nOverall, we detected the use of 40,542 third-level domains and 33 second-level domains. Virtually all of these\r\nsites are located in China and are registered in the names of various people, most probably invented.\r\n“A simple calculation shows that one Iksmas bot sends out around 80,000 emails in 24 hours. Assuming that there\r\nare 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-\r\nhour period!”\r\nKaspersky Lab is currently carrying out a detailed analysis of the new Kido variant. The company’s experts are\r\nworking on a new version of the KKiller utility, taking into account the specific functionality of the latest version\r\nof the worm.\r\nhttps://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker\r\nPage 1 of 2\n\nUsers of Kaspersky Lab products have no cause for concern – the new version of the Kido worm (Net-Worm.Win32.Kido.js) has been detected heuristically from the outset (as HEUR:Worm.Win32.Generic), as has the\r\nvariant of Iksmas that it downloads.\r\nSource: https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker\r\nhttps://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker"
	],
	"report_names": [
		"2009_kaspersky-lab-analyses-new-version-of-kido--conficker"
	],
	"threat_actors": [],
	"ts_created_at": 1775791303,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b2ec0ffaab227cb5c6f342476a87e8bf634fa7e.pdf",
		"text": "https://archive.orkl.eu/9b2ec0ffaab227cb5c6f342476a87e8bf634fa7e.txt",
		"img": "https://archive.orkl.eu/9b2ec0ffaab227cb5c6f342476a87e8bf634fa7e.jpg"
	}
}