
SANS ISC: MyDoom.B Update - SANS Internet Storm Center

MyDoom.B Update
MyDoom.B is rapidly spreading, and using some new techniques in addition to features shown in yesterday's diary:

- MyDoom.B will replace the 'hosts' file on infected systems. This file is used to override DNS resolution. If a system is infected with MyDoom.B, sites like , some anti-virus sites (,, and others) will no longer be reachable.

- There are reports that MyDoom.B will scan for systems which are infected with MyDoom.A, and it will upload itself to such systems.

- While MyDoom.A included code to launch a DDoS attack on , MyDoom.B modified the target host to


- Closely monitor your network for excessive port 3127 traffic. It may pinpoint MyDoom.B infected systems.

- MyDoom uses fake 'From' headers. DO NOT REPLY to infected messages. Some antivirus filters will automatically notify the sender of an infected e-mail. Turn off this feature, as it may flood innocent bystanders.
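A defensive check for the hosts-file technique described above (example code added here, not from the diary or any vendor tool): it parses a hosts file and flags every entry that sinkholes a non-local hostname to 127.0.0.1/0.0.0.0/::1, or that overrides a domain on a caller-supplied watchlist to any address. The sample hosts content and the .example domains are constructed; on Windows the real file is read from %SystemRoot%\System32\drivers\etc\hosts.

```python
# Flag hosts-file entries that redirect public hostnames (e.g. AV vendor sites)
# to a sinkhole address, the way MyDoom.B's replaced hosts file does.

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}          # resolve to "nowhere"
LOCAL_NAMES = {"localhost", "localhost.localdomain",      # legitimately loopback
               "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Constructed sample: one clean line, four sinkholed names, one legitimate override.
SAMPLE_HOSTS = """# constructed sample hosts file (not from a real system)
127.0.0.1       localhost
0.0.0.0         av-vendor.example            # sinkholed vendor site
0.0.0.0         update.av-vendor.example     # sinkholed update server
127.0.0.1       www.av-vendor.example download.av-vendor.example
192.0.2.10      intranet.example             # legitimate internal override
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every hostname in hosts-file text.

    Handles '#' comments, blank lines, tabs/spaces and several names per line.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_sinkholed(text, watchlist=()):
    """Return (line_no, ip, hostname) for suspicious hosts entries.

    An entry is suspicious if it maps a non-local name to a sinkhole address,
    or if the name is (a subdomain of) a watchlisted domain, whatever the IP.
    """
    watch = {w.lower() for w in watchlist}
    hits = []
    for ip, name, line_no in parse_hosts(text):
        sinkholed = ip in SINKHOLE_ADDRS and name not in LOCAL_NAMES
        watched = any(name == w or name.endswith("." + w) for w in watch)
        if sinkholed or watched:
            hits.append((line_no, ip, name))
    return hits


if __name__ == "__main__":
    for hit in find_sinkholed(SAMPLE_HOSTS, watchlist=["intranet.example"]):
        print("suspicious hosts entry on line %d: %s -> %s" % hit)
```

Run it against the real file and a watchlist of your AV and patch-server domains; any hit is a reason for the fuller forensic look the diary recommends, not just a removal-tool run.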


Antivirus vendors are offering free removal tools. However, in particular for MyDoom.A, attempts have been observed to upload additional malware using the backdoor installed by the virus. A more thorough forensic analysis of the system may be necessary. Removal tools will only remove the specific virus, not any additional malware installed later.


- MSFT Details about how to restore the hosts file:
- Network Associates analysis:
- Trend Micro:
- Symantec:
- Computer Associates:
Johannes Ullrich
Feb 1st 2004
