ABC ~ All 'Bout Computers
The Online Web-azine for Computer Enthusiasts
More Than A Virus: How the Hosts File Gets Modified
~~Mike Baynes, MikesWhatsNews
As the latest round of viruses, worms, and hijackers make their way through our systems, we may discover that our AV programs don't update and we cannot access certain web sites.
This is caused by the virus's ability to modify the Windows Hosts file.
The details of a virus alert will often tell you the changes which may have been made to your Hosts file. By referencing the virus alert you can find out which sites it adds to your Hosts file, and you can then remove them to regain access to the latest AV program updates or to help sites which may assist you in recovering from an infection or hijacking.
Here is part of one virus alert from Sophos with its list of additions to the Hosts file:
Information about W32/Agobot-JB can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotjb.html
A text file named HOSTS in C:\Windows\System32\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
++ There is more on the web site.
The Hosts file is the same file that we use to prevent ads and certain undesirable content from being accessed by our computers. The virus adds the sites that could provide you with assistance to the Hosts file, which in turn prevents their web pages from loading.
In Windows XP you can find the Hosts file here:
C:\Windows\System32\Drivers\Etc
It is a plain text file containing the "localhost" address, with an IP address of 127.0.0.1.
There are Hosts file lists which can be added to the Windows Hosts file to prevent ads and malicious or offensive sites from loading.
See:
http://www.accs-net.com/hosts/what_is_hosts.html
I have found this one to be very effective and often updated:
http://www.mvps.org/winhelp2002/hosts.txt
In closing, remember that if you find yourself unable to access sites you used to be able to access for help or support, or unable to update your AV program from the website, check your Hosts file.
A good test is to try one of the news sites like www.cnn.com to confirm your browser is working before looking for a more serious problem.
Mike Baynes is the editor of MikesWhatsNews. To subscribe, send a blank email to mikeswhatsnews-request@freelists.org?Subject=subscribe
See Mike's Anti-Virus pages ~ http://virusinfo.hackfix.org. To subscribe, send a blank email to: virusinfo-request@freelists.org?Subject=subscribe