Worm disguises itself as Windows Genuine Advantage

July 03, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a worm that disguises itself as Microsoft's anti-piracy program, Windows Genuine Advantage (WGA).

The Cuebot-K worm poses as the genuine Microsoft WGA program which was recently the subject of controversy in the media, following allegations that it has been spying on Windows users by collecting hardware and software data from PCs. Microsoft has since issued a new version of WGA and has published instructions for removing it altogether.

The Cuebot-K worm spreads via AOL instant messenger, registering itself as a new system driver service called "wgavn", with a display name of "Windows Genuine Advantage Validation Notification", and automatically runs during system startup. Users who view the list of services are told that removing or stopping the service will result in system instability.

Once in place the worm disables the Windows firewall, and opens a backdoor to infected computers which allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service (DDoS) attacks.

The worm describes itself as 'Windows Genuine Advantage Validation Notification'

The worm describes itself in the list of services as 'Windows Genuine Advantage Validation Notification'

"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions. Technical Windows users wouldn't be surprised to see WGA in their list of services, and so may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC," said Graham Cluley, senior technology consultant at Sophos. "Once in place this malware disables the firewall and opens a backdoor by which hackers can gain control over your computer to steal, spy, and launch DDoS attacks."

Sophos has been protecting against the W32/Cuebot-K malware since 20:55 GMT on 30 June 2006.

Sophos recommends that all computer users should ensure that they are running an anti-malware product which is configured to automatically update itself, security patches and firewall software.