W32/Cuebot-M is a worm and backdoor Trojan for the Windows platform.
W32/Cuebot-M can spread to computers vulnerable to the Server Service exploit.
The following patch for the operating system vulnerability exploited by W32/Cuebot-M can be obtained from the Microsoft website:
MS06-040
W32/Cuebot-M spreads via AOL Instant Messenger.
W32/Cuebot-M is a worm and backdoor Trojan for the Windows platform.
W32/Cuebot-M can spread to computers vulnerable to the Server Service exploit.
The following patch for the operating system vulnerability exploited by W32/Cuebot-M can be obtained from the Microsoft website:
MS06-040
W32/Cuebot-M spreads via AOL Instant Messenger.
When first run W32/Cuebot-M copies itself to <System>\wgavm.exe.
The file wgavm.exe is registered as a new system driver service named "wgavm", with a display name of "Windows Genuine Advantage Validation Monitor" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\wgavm\
W32/Cuebot-M sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\security center\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\