3 July 2006
Worm disguises itself as Windows Genuine Advantage
Cuebot-K instant messaging worm poses as Microsoft's anti-piracy program
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a worm that disguises itself as Microsoft's anti-piracy program, Windows Genuine Advantage (WGA).
The Cuebot-K worm poses as the genuine Microsoft WGA program, which was recently the subject of controversy in the media, following allegations that it has been spying on Windows users by collecting hardware and software data from PCs. Microsoft has since issued a new version of WGA and has published instructions for removing it altogether.
The Cuebot-K worm spreads via AOL instant messenger. It registers itself as a new system driver service called "wgavn", with a display name of "Windows Genuine Advantage Validation Notification", and runs automatically during system startup. Users who view the list of services are told that removing or stopping the service will result in system instability.
Once in place the worm disables the Windows firewall, and opens a backdoor to infected computers which allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service (DDoS) attacks.

The worm describes itself in the list of services as 'Windows Genuine Advantage Validation Notification'
"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions. Technical Windows users wouldn't be surprised to see WGA in their list of services, and so may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC," said Graham Cluley, senior technology consultant at Sophos. "Once in place this malware disables the firewall and opens a backdoor by which hackers can gain control over your computer to steal, spy, and launch DDoS attacks."
Sophos has been protecting against the W32/Cuebot-K malware since 20:55 GMT on 30 June 2006.
Sophos recommends that all computer users ensure that they are running an anti-malware product which is configured to update itself automatically, along with security patches and firewall software.
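The service name and display name given above can be checked for directly on a Windows host. The following is an added example, not Sophos code; it assumes a PowerShell version with the CIM cmdlets and the NetSecurity module (`Get-NetFirewallProfile`), and the function name `Find-CuebotKService` is hypothetical.

```powershell
# Indicators taken from the advisory text above.
$ServiceName = 'wgavn'
$DisplayName = 'Windows Genuine Advantage Validation Notification'

function Find-CuebotKService {
    # Win32_SystemDriver lists driver services and Win32_Service lists ordinary
    # services; both are queried so a registration of either type is seen.
    foreach ($class in 'Win32_SystemDriver', 'Win32_Service') {
        Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $DisplayName } |
            ForEach-Object {
                # Record which indicator matched; -eq is case-insensitive for strings.
                $matchedOn = 'display name'
                if ($_.Name -eq $ServiceName) { $matchedOn = 'service name' }
                [pscustomobject]@{
                    Class       = $class
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    StartMode   = $_.StartMode
                    PathName    = $_.PathName   # binary to hand to the anti-malware scanner
                    MatchedOn   = $matchedOn
                }
            }
    }
}

$hits = @(Find-CuebotKService)
if ($hits.Count -gt 0) {
    Write-Warning "Service matching the Cuebot-K description found; investigate:"
    $hits | Format-List
} else {
    Write-Output "No service named '$ServiceName' or displayed as '$DisplayName'."
}

# The worm is described as disabling the Windows firewall, so report any
# firewall profile that is currently switched off.
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })
foreach ($profile in $disabled) {
    Write-Warning "Windows firewall profile '$($profile.Name)' is disabled."
}
```

A match is a lead for investigation rather than proof of infection; the `PathName` value shows which file the service loads.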
About Sophos
Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com

