Yeah this time my network is attack by this virus.
absolutely it was came from USB’s know it must be from Unilever project.
then spread at network very fast.
its infecting over 56 computer in my company.
so to eliminate this virus my server must shutdown to eliminate it's spread trough local area network.
then update patch the hole of Microsoft vulnerability / ms08-067 then using kido killer from kapersky
after that full scan with antivirus.

the symptoms when your network is infected by this virus are your firewall must be inform you that some computer trying attack your computer then your network traffic is increasing. then the server got down. it's got in my server.

some information about kido here it's
What is kido? according  viruslist .

Net-Worm.Win32.Kido

01.13.09 17:12 GMT Status : moderate risk Kaspersky Lab has detected that multiple variants of Kido, a polymorphic worm, are currently spreading widely. Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media. The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines. Users are strongly recommended to ensure their antivirus databases are up to date. A patch for the vulnerability is available from Microsoft. here is technical infromation This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are 165840 B. It is packed using UPX.

Installation

The worm copies its executable file as follows: %System%\.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\.tmp
%Temp%\.tmp is a string of random symbols The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created: [HKLM\SYSTEM\CurrentControlSet\Services\netsvcs] The worm also modifies the following registry key value: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = " %System%\.dll"

Network spreading

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers. The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com). The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine. In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:

Spreading via removable storage media

The worm copies its executable file to all removable storage media as follows: :\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\.vmx rnd is a random string of lower case symbols; d is a random number; x is the disk The worm also places the following file in the root of each disk: :\autorun.inf This ensures the worm’s executable file will be run each time the user opens the infected disk using Windows Explorer.