Kibuv Removal Tool

Kibuv Removal Tool is a useful application that was designed in order to help you clean your computer if it becoms infected with the Worm.Kibuv.A malware.

The worm spreads using the RPC and LSASS vulnerabilities (addressed in Microsoft Security Bulletins MS03-026 and MS04-011, respectively);

Upon execution, it does the following:

Tries to create a mutex named BushDie (to prevent itself from infecting a computer more than once);

Starts two threads used later to transfer itself to other computers being infected: - one thread listens on TCP port 420 for various control commmands; - the other thread opens a FTP server on port 9604 used for the actual transfer of the file;

Starts another two threads used for infecting other computers: one tries to infect computers vulnerable to RPC vulerability and the other those vulnerable to LSASS vulnerability;

Each of these last two threads continuously generates random IP addresses and scans the computer at each generated address (the remote computer) for RPC / LSASS vulnerability. If that remote computer is vulnerable, the worm in the infected computer sends it specially crafted IP packets containing a small piece of code which will be executed on that remote computer with full administrator rights. This code opens a shell on a TCP port and listens for commands. Then, the infected computer sends commands to that shell, causing it to download the entire worm's code (from the FTP server previously opened by the worm on the infected computer) and execute it on the remote computer, thereby finishing the infection process for that IP address.