There’s a variant of the Mydoom virus going around now. Mydoom.B also targets microsoft.com for the DDoS. It’s mostly a clone, with some filenames changed. http://files.invisibill.net/unmydoomb.inf will remove the new version, just like my last one did on the original.
However, the B version also tampers with your hosts file. A hosts file is a plain text file that maps servernames to IP addresses. Windows checks it before it asks DNS, so whatever is in there wins over what your ISP's DNS server would say. The most common entry in a hosts file is 127.0.0.1 localhost. That's the standard loopback address, and it tells the system that you mean your own PC any time you use the servername localhost. Mydoom.B appends a long list of common servernames and points all of them at 0.0.0.0, an address nothing can connect to, so your computer can't reach those sites at all. Most of them are places you would go for updates or virus info (plus a handful of ad servers); the point is to cut you off from the information you'd need to fix the problem. The full list it adds:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com
(microsoft.com is only added if it’s not within the DDoS date range)
Once the virus is on your system, you won't be able to connect to any of those sites. A quick check before you edit anything: ping www.symantec.com (or any name on the list). If the name resolves to 0.0.0.0 instead of a real address, the hosts file is the reason. The fix is fairly simple: you just need to remove those lines from your hosts file. You can search for "hosts", or look in your Windows directory on Win9x (C:\Windows\hosts) or under your system directory on WinNT (C:\WinNT\system32\drivers\etc\hosts). On Windows 2000 and XP it's the same system32\drivers\etc\hosts path under whatever your Windows directory is, usually C:\Windows. The hosts file doesn't have an extension, so you may need to have Notepad (or whatever editor you're using) look at all filetypes to open it. That's the dropdown box under the filename in the Open box.
Now that you've got the hosts file open, you should see lines starting with "0.0.0.0" followed by the servernames above. Delete every line that starts with 0.0.0.0 and names one of these servers, and leave the 127.0.0.1 localhost line alone. Some ad-blockers add ad-server names here too (so that you never connect to the ad server), and they may use 0.0.0.0 or 127.0.0.1 just like the virus does. Match against the list above rather than guessing from the name, because the virus's list includes a few ad servers (doubleclick, fastclick, atdmt) alongside the antivirus and Windows Update sites. Save the file with no extension; if a site still fails afterwards on 2000/XP, ipconfig /flushdns clears the cached lookups.
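As an added example (my own script, not part of the original post or of the unmydoomb removal file), here is the same cleanup done by hand above, but done by name list instead of by eye: it keeps every line that isn't "0.0.0.0 plus a name Mydoom.B writes", so localhost and any ad-blocker entries for other hosts survive, and it backs the file up before rewriting it. The sample hosts file embedded below is constructed for the demonstration; the default path when no argument is given is an assumption based on the Windows directory layout described above.

```python
"""Strip Mydoom.B's 0.0.0.0 hosts-file entries, leaving everything else intact.

Added example for this post, not the original's code. MYDOOM_B_NAMES is the
list the post reproduces (microsoft.com included, since the worm adds it
outside the DDoS window); SAMPLE_HOSTS below is a constructed test file.
"""
import os
import sys

MYDOOM_B_NAMES = frozenset("""
ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com
avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net
ca.com click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com
download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net
f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com
liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net
msdn.microsoft.com my-etrust.com nai.com networkassociates.com
office.microsoft.com phx.corporate-ir.net secure.nai.com
securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com
support.microsoft.com symantec.com update.symantec.com updates.symantec.com
us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch
www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net
www.f-secure.com www.kaspersky.ru www.mcafee.com www.microsoft.com
www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com
www.symantec.com www.trendmicro.com www.viruslist.ru www3.ca.com microsoft.com
""".split())

# Constructed sample: a normal Windows hosts file with two ad-blocker entries
# (one of them also using 0.0.0.0) and three lines appended by the worm.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# ad-blocker entries (legitimate, must be kept)
127.0.0.1       ads.example-adserver.test
0.0.0.0         banner.example-adserver.test
# lines Mydoom.B appended
0.0.0.0 www.symantec.com
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 download.mcafee.com
"""


def parse_hosts_line(line):
    """Return (ip, [names]) for a hosts entry, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()   # hosts files use '#' for comments
    if not body:
        return None
    fields = body.split()
    return fields[0], [name.lower() for name in fields[1:]]


def is_mydoom_entry(line, names=MYDOOM_B_NAMES):
    """True only for an active '0.0.0.0 <name>' line naming a site on the list."""
    parsed = parse_hosts_line(line)
    if parsed is None:
        return False
    ip, hosts = parsed
    return ip == "0.0.0.0" and any(host in names for host in hosts)


def clean_hosts(text, names=MYDOOM_B_NAMES):
    """Return (cleaned_text, removed_lines); line endings are preserved."""
    newline = "\r\n" if "\r\n" in text else "\n"
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_mydoom_entry(line, names) else kept).append(line)
    return newline.join(kept) + newline, removed


def clean_hosts_file(path):
    """Back up <path> as <path>.mydoomb.bak, then rewrite it without the worm's lines."""
    with open(path, "r", newline="") as fh:
        original = fh.read()
    cleaned, removed = clean_hosts(original)
    if removed:
        with open(path + ".mydoomb.bak", "w", newline="") as fh:
            fh.write(original)
        with open(path, "w", newline="") as fh:
            fh.write(cleaned)
    return removed


if __name__ == "__main__":
    # Assumed default location for NT/2000/XP; pass the Win9x path explicitly.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"),
                           "system32", "drivers", "etc", "hosts")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for entry in clean_hosts_file(target):
        print("removed:", entry)
```

Run it as Administrator (the hosts file is not writable otherwise on NT-based systems), and if a line on the list was also yours for some reason, it's still in the .mydoomb.bak copy.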