How to Thwart Renewed 'MyDoom' E-Mail Bug

Jan. 30, 2004 -- The new W32/MyDoom.B-mm virus adds another twist to the MyDoom story. In addition to switching the DNS attack to Microsoft's Web site, it uses a standard mechanism in Microsoft Windows to block a user's access to antivirus sites.

MyDoom.B overwrites the existing Windows Hosts file, normally empty, with a file that blocks the real addresses of most antivirus sites. This means that at a time when you need an antivirus software vendor's support most (during infection), you won't be able to get it.

The Hosts file acts as a local DNS (Domain Name Server/Service) on a Windows machine, and takes precedence over the global DNS request that every browser makes when you enter a URL, such as www.pcmag.com.

Normally, when you request a Web site, your browser sends a request to a global DNS, which returns the actual IP address of the site. Your browser then uses that IP (Internet Protocol) address to access the Web site, and brings you the Web pages. If an address — such as www.microsoft.com — is in the Windows Hosts file, your browser gets whatever address is stored there, and doesn't bother going out to the global DNS.

Locating and Deleting the Hosts File

To repair this problem, you can delete the Windows Hosts file, normally stored in:

%system%\drivers\etcwhere %system% is the Windows system file — C:\windows\system32 for Windows XP, C:\winnt\system32 for NT/2000, or C:\windows\system for Windows 9x/Me.

You can also replace the text in the Hosts file with the default text shown below.

The only line that is actually active in the default Hosts file is the last line:

"127.1.0.0 localhost."

This is the normal "loopback" address, used for troubleshooting or by some programs to refer to the local machine.

Fixing and Protecting the File

Alternatively, you can edit the host file by opening it in Notepad. You do this by right clicking on the file and selecting "Open With" and then selecting Notepad from the application list, or by launching Notepad and navigating to the file to open it.

You'll want to delete the lines that include the domains for popular virus software vendors such as www.symantec.com and www.trendmicro.com. Be sure to delete the fake IP addresses being associated with the domains, as well.

When you save the file, do not included the "txt" extension that is normally appended to files created by the Notepad application.

To proactively prevent MyDoom or any virus from adding to or changing your host file, you can either go to the system\drivers\etc folder from the command line and type "attrib hosts +r" (no quotes) to make it read only.

Or navigate to the file using My Computer, right click on the hosts file, and set the properties to read only. If you don't see the file from within My Computer, you need to change the default view settings — click on "Tools" in the menu, then "Folder options," click the "view" tab, and then uncheck the "Hide protected operating system files."

Default Windows XP Host File

The entire text below can be used to replace the text found in any Hosts file that has been infected by the myDoom bug. Just copy and paste the information into the file:

# Copyright (c) 1993-1999 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a '#' symbol.## For example:## 102.54.94.97 rhino.acme.com # source server# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost