How to Thwart Renewed 'MyDoom' E-Mail Bug

By ABC News
January 29, 2004, 10:16 AM

Jan. 30 -- The new W32/MyDoom.B-mm virus adds another twist to the MyDoom story. In addition to switching the DNS attack to Microsoft's Web site, it uses a standard mechanism in Microsoft Windows to block a user's access to antivirus sites.

MyDoom.B overwrites the existing Windows Hosts file, normally empty, with a file that blocks the real addresses of most antivirus sites. This means that at a time when you need an antivirus software vendor's support most (during infection), you won't be able to get it.

The Hosts file acts as a local DNS (Domain Name Server/Service) on a Windows machine, and takes precedence over the global DNS request that every browser makes when you enter a URL, such as

Normally, when you request a Web site, your browser sends a request to a global DNS, which returns the actual IP address of the site. Your browser then uses that IP (Internet Protocol) address to access the Web site, and brings you the Web pages. If an address such as is in the Windows Hosts file, your browser gets whatever address is stored there, and doesn't bother going out to the global DNS.

Locating and Deleting the Hosts File

To repair this problem, you can delete the Windows Hosts file, normally stored in:

%system%\drivers\etc

where %system% is the Windows system folder: C:\windows\system32 for Windows XP, C:\winnt\system32 for NT/2000, or C:\windows\system for Windows 9x/Me.

You can also replace the text in the Hosts file with the default text shown below.

The only line that is actually active in the default Hosts file is the last line:

" localhost."

This is the normal "loopback" address, used for troubleshooting or by some programs to refer to the local machine.
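As an added example (not part of the original article), the following Python check lists every active Hosts entry other than the default localhost line, which is what an overwrite that blocks or redirects sites would leave behind. The sample file contents and the `.example` hostnames are constructed for illustration and are not taken from MyDoom.B.

```python
import ipaddress

# Constructed sample of a tampered Hosts file; the hostnames are placeholders
# under the reserved .example domain, not entries taken from MyDoom.B.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.   (comment lines start with '#')
127.0.0.1       localhost
0.0.0.0         www.antivirus-vendor.example
0.0.0.0         updates.antivirus-vendor.example   # trailing comment
127.0.0.1       support.av.example localhost
not-an-ip       broken.example
"""

DEFAULT_NAMES = {"localhost"}  # the only name a default Hosts file maps


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every active mapping
    that is not the default loopback entry for localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not active:
            continue
        fields = active.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name.lower() in DEFAULT_NAMES and ip.is_loopback:
                continue  # the normal loopback entry
            if ip.is_loopback or ip.is_unspecified:
                reason = "name blocked (points at local/null address)"
            else:
                reason = "name overridden (bypasses DNS lookup)"
            findings.append((line_no, address, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s: %s" % finding)
```

To audit a real machine, pass the text of the Hosts file from the folder given above to `audit_hosts`; an empty result means only the default localhost mapping is active.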

Fixing and Protecting the File

Alternatively, you can edit the Hosts file by opening it in Notepad. You do this by right-clicking on the file, selecting "Open With" and then selecting Notepad from the application list, or by launching Notepad and navigating to the file to open it.