[Dshield] New variant of mydoom

Bruyere, Michel mbruyere at ezemcanada.com
Wed Jan 28 20:35:02 GMT 2004


There is a new variant, W32/Mydoom.b (currently Low Profiled by NAI). It
overwrites the local hosts file to prevent infected computers from accessing
specific sites (mainly AV dat update sites).

Here is the list of the hosts added to the hosts file:


M. Bruyere



