Kaspersky Labs has already received several reports of infections by this malicious program. Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom to propagate. Therefore, the computer community may be facing a much more serious outbreak than the one caused by Mydoom.a yesterday, January 27.
At this time Kaspersky Labs is analyzing Mydoom.b. Like its predecessor, the worm spreads via email and the KaZaA file-sharing network. The carrier is about 28 KB in size and contains the following text: "sync-1.01; andy; I'm just doning my job, nothing personal, sorry". Moreover, the worm now performs DDoS attach not only at www.sco.com but also to www.microsoft.com.
The worm modifies the standard 'hosts' file in the Windows folder the way a user cannot access some sites (including security-related web-sites):
engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net ads.fastclick.net banner.fastclick.net banners.fastclick.net www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com ftp.f-secure.com securityresponse.symantec.com www.symantec.com symantec.com service1.symantec.com liveupdate.symantec.com update.symantec.com updates.symantec.com support.microsoft.com downloads.microsoft.com download.microsoft.com windowsupdate.microsoft.com office.microsoft.com msdn.microsoft.com go.microsoft.com nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com networkassociates.com avp.ru www.avp.ru www.kaspersky.ru www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com download.mcafee.com mast.mcafee.com www.trendmicro.com www3.ca.com ca.com www.ca.com www.my-etrust.com my-etrust.com ar.atwola.com phx.corporate-ir.net