The new W32/MyDoom.B-mm virus adds another twist to the MyDoom story. In addition to switching the DNS attack to Microsoft's web site, it uses a standard mechanism in Microsoft Windows to block a user's access to antivirus sites. MyDoom.B overwrites the existing Windows Hosts file, normally empty, with a file that blocks the real addresses of most antivirus sites. This means that at the time you need an antivirus software vendor's support most (during an infection), you won't be able to reach it.

The Hosts file acts as a local DNS (Domain Name Server/Service) on a Windows machine, and takes precedence over the global DNS request that every browser makes when you enter a URL such as www.pcmag.com. Normally, when you request a web site, your browser sends a request to a global DNS, which returns the actual IP address of the site. Your browser then uses that IP address to access the web site and brings you the web pages. If an address such as www.microsoft.com is in the Windows Hosts file, your browser gets whatever address is stored there and doesn't bother going out to the global DNS.

To repair this problem, you can delete the Windows Hosts file, normally stored in %system%\drivers\etc (where %system% is the Windows system folder: C:\windows\system32 for Windows XP, C:\winnt\system32 for NT/2000, or C:\windows\system for Windows 9x/Me). The only line that is actually active in the default Hosts file is the last line, 127.0.0.1 localhost. This is the normal "loopback" address, used for troubleshooting or by some programs to refer to the local machine. Alternatively, you can edit the Hosts file by opening it in Notepad. You do this by right-clicking on the file and selecting "Open With" and then selecting Notepad from the application list, or by launching Notepad and navigating to the file to open it. You'll want to delete the lines that include the domains of popular antivirus software vendors such as www.symantec.com and www.trendmicro.com (you can get a more complete list here). Be sure to delete the fake IP addresses associated with those domains as well. When you save the file, do not include a "txt" extension.

To proactively prevent MyDoom or any other virus from adding to or changing your Hosts file, you can either go to the %system%\drivers\etc folder from the command line and type attrib hosts +r to make it read-only, or navigate to the file using My Computer, right-click on the hosts file, and set its properties to read-only. If you don't see the file from within My Computer, you need to change the default view settings: click on Tools/Folder Options/View and uncheck "Hide protected operating system files".
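The inspection the article describes by hand (open the Hosts file, look for antivirus vendor domains, delete those lines) can be automated. The following is an added example, not code from the original article or from any vendor: it parses the Hosts file format (address, whitespace, one or more host names, optional '#' comment), flags every mapping that touches a watched vendor domain regardless of the address it points to, and returns a cleaned copy. The watch list and the sample file contents are constructed for this demo; the three vendor domains come from the article, and the real file path is only used when the script is run directly.

```python
"""Detect and strip Hosts-file entries that hijack security-vendor domains.

Added example, not part of the original article. The vendor watch list and
SAMPLE_HOSTS below are constructed for the demo.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from pathlib import Path

# Vendor domains named in the article; any mapping for these (or a
# subdomain) is suspicious, whatever address it points at, because a
# Hosts entry bypasses the global DNS lookup entirely.
WATCHED_DOMAINS = ("symantec.com", "trendmicro.com", "microsoft.com")

# Constructed sample: the default file plus three tampered lines and one
# benign custom mapping that must survive the cleanup.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0         www.trendmicro.com      # added by malware (constructed)
127.0.0.1       downloads.microsoft.com
192.0.2.10      intranet.example        # benign custom entry (constructed)
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    hostnames: tuple[str, ...]
    raw: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return the active (non-comment, non-blank) mappings in a Hosts file."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # malformed: an address with no host name is inert
        names = tuple(h.lower() for h in fields[1:])
        entries.append(HostsEntry(lineno, fields[0], names, raw))
    return entries


def is_watched(hostname: str, watched=WATCHED_DOMAINS) -> bool:
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hijacked(text: str, watched=WATCHED_DOMAINS) -> list[HostsEntry]:
    """Entries that redirect a watched vendor domain anywhere at all."""
    return [e for e in parse_hosts(text)
            if any(is_watched(h, watched) for h in e.hostnames)]


def clean_hosts(text: str, watched=WATCHED_DOMAINS) -> tuple[str, list[HostsEntry]]:
    """Return (cleaned file text, removed entries); comments and other lines stay."""
    removed = find_hijacked(text, watched)
    bad_lines = {e.lineno for e in removed}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1)
            if n not in bad_lines]
    return "\n".join(kept) + "\n", removed


def default_hosts_path() -> Path:
    """Locate the live Hosts file (Windows via %SystemRoot%, else /etc/hosts)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "system32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    # Report only; writing the cleaned text back is left to the operator.
    path = default_hosts_path()
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for entry in find_hijacked(text):
        print(f"line {entry.lineno}: {entry.address} -> {', '.join(entry.hostnames)}")
```

Run it as a script to list suspicious lines from the live file (it falls back to the constructed sample if the file is missing), or import `clean_hosts` to get the corrected contents. Two caveats for a defender: the read-only attribute the article recommends only stops careless writers, since anything running with write access to the folder can clear it again, so periodic checks like this one are worth keeping; and a legitimate custom entry for a watched domain (say, an internal update mirror) will be reported too, which is the intended bias for a file that is normally empty.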

Figure 1. Default Windows XP Hosts file

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost