Virus stuff again

There’s a variant of the Mydoom virus going around now. Mydoom.B also targets microsoft.com for the DDoS. It’s mostly a clone, with some filenames changed. http://files.invisibill.net/unmydoomb.inf will remove the new version, just like my last one did on the original.

However, the B version also tampers with your hosts file. The hosts file is a plain text file that maps servernames to the IP addresses they should resolve to, and the system consults it before asking DNS. The most common entry in a hosts file is 127.0.0.1 localhost: 127.0.0.1 is the standard loopback address, so the entry tells the system that you mean your own PC any time you use the servername localhost. Mydoom.B adds a bunch of common servernames and points them at 0.0.0.0, so your computer can’t connect to those sites. Most of them are places you would go for updates or virus info – the virus is trying to cut you off from the information you need to fix the problem.

    ad.doubleclick.net
    ad.fastclick.net
    ads.fastclick.net
    ar.atwola.com
    atdmt.com
    avp.ch
    avp.com
    avp.ru
    awaps.net
    banner.fastclick.net
    banners.fastclick.net
    ca.com
    click.atdmt.com
    clicks.atdmt.com
    dispatch.mcafee.com
    download.mcafee.com
    download.microsoft.com
    downloads.microsoft.com
    engine.awaps.net
    fastclick.net
    f-secure.com
    ftp.f-secure.com
    ftp.sophos.com
    go.microsoft.com
    liveupdate.symantec.com
    mast.mcafee.com
    mcafee.com
    media.fastclick.net
    msdn.microsoft.com
    my-etrust.com
    nai.com
    networkassociates.com
    office.microsoft.com
    phx.corporate-ir.net
    secure.nai.com
    securityresponse.symantec.com
    service1.symantec.com
    sophos.com
    spd.atdmt.com
    support.microsoft.com
    symantec.com
    update.symantec.com
    updates.symantec.com
    us.mcafee.com
    vil.nai.com
    viruslist.ru
    windowsupdate.microsoft.com
    www.avp.ch
    www.avp.com
    www.avp.ru
    www.awaps.net
    www.ca.com
    www.fastclick.net
    www.f-secure.com
    www.kaspersky.ru
    www.mcafee.com
    www.microsoft.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
    www.viruslist.ru
    www3.ca.com
    (microsoft.com is only added if it’s not within the DDoS date range)

Once the virus is on your system, you won’t be able to successfully connect to any of those sites. The fix is fairly simple though: you just need to remove those lines from your hosts file. You can search for “hosts”, or look in your Windows directory on Win9x (C:\Windows\hosts) or under your system directory on WinNT (C:\WinNT\system32\drivers\etc\hosts). The hosts file doesn’t have an extension, so you may need to have Notepad (or whatever editor you’re using) show all file types before it will open it. That’s the dropdown box under the filename in the Open box.

Now that you’ve got the hosts file open, you should see lines with “0.0.0.0” and the servernames above. Just delete any line that starts with 0.0.0.0 and has one of these servernames. Some ad-blockers will add names of ad servers here (so that you never connect to the ad server), but you should be able to tell which ones are valid servers blocked by the virus and which ones are ad servers blocked by another program.
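As an added illustration (not the post’s own unmydoomb.inf), here is a short Python script that applies that rule to a hosts file: 0.0.0.0 entries for the vendor and update sites above are removed, while 0.0.0.0 entries for ad servers that also appear on Mydoom.B’s list are only reported, since an ad-blocker may have put them there. The host sets are subsets of the list in the post and the sample hosts text is constructed.

```python
"""Scan a hosts file for the 0.0.0.0 entries Mydoom.B adds.

Added illustration for this post, not the author's unmydoomb.inf.
VENDOR_HOSTS and AD_HOSTS are subsets of the post's list; extend as needed.
"""

# Vendor/update sites from the post: a 0.0.0.0 entry for these is removed.
VENDOR_HOSTS = {
    "windowsupdate.microsoft.com", "download.microsoft.com", "www.microsoft.com",
    "support.microsoft.com", "liveupdate.symantec.com", "update.symantec.com",
    "securityresponse.symantec.com", "download.mcafee.com", "www.mcafee.com",
    "www.f-secure.com", "ftp.sophos.com", "www.kaspersky.ru", "www.trendmicro.com",
    "vil.nai.com", "www.ca.com",
}
# Ad servers that are also on Mydoom.B's list: an ad-blocker may have added
# these legitimately, so they are flagged for the user rather than removed.
AD_HOSTS = {
    "ad.doubleclick.net", "ads.fastclick.net", "www.fastclick.net",
    "click.atdmt.com", "atdmt.com", "www.awaps.net",
}

def classify(line):
    """Return 'remove', 'review' or 'keep' for one hosts-file line."""
    body = line.split("#", 1)[0].strip()   # ignore comments and blank lines
    fields = body.split()
    if len(fields) < 2 or fields[0] != "0.0.0.0":
        return "keep"                        # localhost, real mappings, etc.
    names = {n.lower() for n in fields[1:]}
    if names & VENDOR_HOSTS:
        return "remove"
    if names & AD_HOSTS:
        return "review"
    return "keep"

def clean_hosts(text):
    """Split hosts text into (cleaned_text, removed_lines, review_lines)."""
    kept, removed, review = [], [], []
    for line in text.splitlines():
        {"keep": kept, "remove": removed, "review": review}[classify(line)].append(line)
    return "\n".join(kept) + "\n", removed, review

# Constructed sample resembling a hosts file after infection.
SAMPLE = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 ad.doubleclick.net
127.0.0.1 ads.example.com   # added by an ad-blocker, left alone
"""

if __name__ == "__main__":
    cleaned, removed, review = clean_hosts(SAMPLE)
    print(cleaned)
    print("removed:", removed)
    print("check by hand:", review)
```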
