Beating the New MyDoom (Windows) Variant

The second MyDoom virus goes after the Microsoft Web site and tries to block you from accessing antivirus help. Still, the resulting hack to your Windows Hosts file can be undone.

The new W32/MyDoom.B-mm virus adds another twist to the MyDoom story. In addition to switching the DNS attack to Microsoft's web site, it uses a standard mechanism in Microsoft Windows to block a user's access to antivirus sites.

MyDoom.B overwrites the existing Windows Hosts file, normally empty, with a file that blocks the real addresses of most antivirus sites. This means that at a time when you need an antivirus software vendor's support most (during infection), you won't be able to get it.

The Hosts file acts as a local DNS (Domain Name Server/Service) on a Windows machine, and takes precedence over the global DNS request that every browser makes when you enter a URL. Normally, when you request a web site, your browser sends a request to a global DNS, which returns the actual IP address of the site. Your browser then uses that IP address to access the web site and bring you the web pages. If an address is in the Windows Hosts file, your browser gets whatever address is stored there, and doesn't bother going out to the global DNS.
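Because Hosts entries win over DNS, a tampered file can be spotted by parsing it and flagging any entry that overrides a domain you expect to resolve normally. The following is an added example, not code from the original article: the watchlist domains and the sample file are constructed placeholders, and treating loopback or 0.0.0.0 targets as suspicious is an assumption, since the article does not say which addresses the virus writes.

```python
import ipaddress

# Constructed watchlist: placeholder suffixes standing in for the antivirus
# vendor domains a defender wants resolved through real DNS only.
WATCHLIST = ("av-vendor.example", "av-updates.example")
BENIGN = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return findings for entries that override a watched domain or sinkhole a name."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in BENIGN:
            continue
        watched = any(name == s or name.endswith("." + s) for s in watchlist)
        sinkholed = addr.is_loopback or addr.is_unspecified  # assumed block targets
        if watched or sinkholed:
            reason = "watched domain overridden" if watched else "name pinned to local address"
            findings.append((line_no, name, str(addr), reason))
    return findings

# Constructed sample of a tampered hosts file (not taken from a real infection).
SAMPLE = """\
# sample hosts file
127.0.0.1   localhost
0.0.0.0     www.av-vendor.example download.av-updates.example  # injected
127.0.0.1   intranet-dev.example
192.0.2.10  fileserver.example
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real machine, pass the contents of the Hosts file (on current Windows versions, %SystemRoot%\System32\drivers\etc\hosts) to suspicious_entries with a watchlist of the vendor domains you rely on.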
