Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned of
a worm that disguises itself as Microsoft's anti-piracy program,
Windows Genuine Advantage (WGA).
worm poses as the genuine Microsoft WGA program which was recently
the subject of controversy in the media, following allegations that
it has been spying on Windows users by collecting hardware and
software data from PCs. Microsoft has since issued a new version of
WGA and has published instructions for removing it altogether.
The Cuebot-K worm spreads via AOL instant messenger, registering
itself as a new system driver service called "wgavn", with a
display name of "Windows Genuine Advantage Validation
Notification", and automatically runs during system startup. Users
who view the list of services are told that removing or stopping
the service will result in system instability.
Once in place the worm disables the Windows firewall, and opens
a backdoor to infected computers which allows hackers to gain
remote access, spy on users, and potentially launch distributed
denial-of-service (DDoS) attacks.
The worm describes itself in the list of
services as 'Windows Genuine Advantage Validation
"People may think they have been sent the file from one of their
AOL IM buddies, but in fact the program has no friendly intentions.
Technical Windows users wouldn't be surprised to see WGA in their
list of services, and so may not realise that the worm is using
that name as a cloak to hide the fact that it has infected the PC,"
Cluley, senior technology consultant at Sophos. "Once in place
this malware disables the firewall and opens a backdoor by which
hackers can gain control over your computer to steal, spy, and
launch DDoS attacks."
Sophos has been protecting against the W32/Cuebot-K malware
since 20:55 GMT on 30 June 2006.
Sophos recommends that all computer users should ensure that
they are running an anti-malware product which is configured to
automatically update itself, security
patches and firewall