CastleCops, Internet Crime Fighters
Removal Tips/Tools: Beating the New MyDoom (Windows) Variant
Category: Worms

By Jay Munro
January 28, 2004


The new W32/MyDoom.B-mm virus adds another twist to the MyDoom story. In addition to switching the DNS attack to Microsoft's web site, it uses a standard mechanism in Microsoft Windows to block a user's access to antivirus sites. MyDoom.B overwrites the existing Windows Hosts file, normally empty, with one that maps the domain names of most antivirus sites to bogus addresses, so those sites can no longer be reached. This means that at the time you need an antivirus vendor's support most (during infection), you won't be able to get it.

The Hosts file acts as a local DNS (Domain Name Server/Service) on a Windows machine, and it takes precedence over the global DNS lookup that every browser makes when you enter a URL such as www.pcmag.com. Normally, when you request a web site, your browser sends a query to a global DNS server, which returns the actual IP address of the site. Your browser then uses that IP address to connect to the web site and fetch its pages. If an address such as www.microsoft.com is listed in the Windows Hosts file, your browser uses whatever IP address is stored there and never consults the global DNS at all.

To repair this problem, you can delete the Windows Hosts file, normally stored in %system%\drivers\etc (where %system% is the Windows system folder: C:\windows\system32 for Windows XP, C:\winnt\system32 for NT/2000, or C:\windows\system for Windows 9x/Me). You can also replace it with the default one shown in Figure 1 (below). The only line that is actually active in the default Hosts file is the last line, 127.1.0.0 localhost. This is the normal loopback address, used for troubleshooting or by some programs to refer to the local machine.

Alternatively, you can edit the Hosts file by opening it in Notepad. You do this by right-clicking the file and selecting Open With, then choosing Notepad from the application list, or by launching Notepad and navigating to the file to open it. Delete the lines that contain the domains of popular antivirus vendors such as www.symantec.com and www.trendmicro.com (you can get a more complete list here). Be sure to delete the fake IP addresses associated with those domains as well, not just the domain names. When you save the file, do not add a .txt extension; the file must remain named hosts with no extension.

To proactively prevent MyDoom or any other virus from adding to or changing your Hosts file, you can either go to the %system%\drivers\etc folder from the command line and type attrib hosts +r to make the file read-only, or navigate to the file in My Computer, right-click the hosts file, and set its properties to read-only. If you don't see the file in My Computer, you need to change the default view settings – click Tools, then Folder Options, then the View tab, and uncheck "Hide protected operating system files".

Figure 1. Default Windows XP host file

# Copyright (c) 1993-1999 Microsoft Corp..............more
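As an added example (not code from the article or from PCMag), the script below parses a Hosts file the way the article describes its contents, flags mappings that redirect the vendor domains named above or any name other than localhost to a non-loopback address, and writes out a cleaned copy. The sample file contents, the 0.0.0.0 addresses and the vendor list are constructed assumptions for illustration.

```python
"""Audit a Windows Hosts file for entries that redirect security-vendor
domains, and produce a cleaned copy. Added example, not from the article;
the sample file and the 0.0.0.0 addresses below are constructed."""
import ipaddress

# Domains the article names; extend for your own vendors (assumption).
WATCHED_DOMAINS = {"www.symantec.com", "www.trendmicro.com"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; '#' comments and
    blank lines are skipped, and one IP may carry several names."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield n, fields[0], name.lower()


def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # malformed address: treat as suspicious
        return False


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname, reason) for suspicious mappings.
    The stock file maps only localhost, so any other name is worth a look."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in watched:
            findings.append((n, ip, name, "security vendor domain redirected"))
        elif name != "localhost" and not _is_loopback(ip):
            findings.append((n, ip, name, "unexpected non-loopback mapping"))
    return findings


def clean_hosts(text):
    """Drop every line audit_hosts flags (the manual Notepad edit the
    article describes), keeping comments and the localhost line."""
    bad = {n for n, *_ in audit_hosts(text)}
    kept = [ln for i, ln in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample imitating a Hosts file overwritten by the worm.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 www.symantec.com www.trendmicro.com
192.0.2.10 www.example.com   # constructed fake address
"""
```

Run audit_hosts on the text read from the real file (after setting it read-only, write the cleaned copy back with the same name and no extension).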

More at PCMag
Posted on Thursday, 29 January 2004 @ 18:19:47 UTC by phoenix22 (1483 reads)