A new worm poses as the WGA tool


Yesterday, we wrote about the lawsuit of Brian Johnson, who sued Microsoft over its Windows Genuine Advantage tool, calling it a spyware program. The lawsuit sparked numerous discussions about WGA and its spyware-like behavior.

Some malware makers decided to take advantage of this uproar by releasing a new worm that disguises itself as the Windows Genuine Advantage tool. Cuebot.k, as antivirus companies identify the parasite, is a rather dangerous Internet worm that spreads through instant messages sent over the AOL Instant Messenger program. It opens a back door that gives the attacker unauthorized remote access to the compromised computer. The intruder can control the system and steal sensitive user information. The worm can also terminate running security-related software, disable essential Windows components, alter important system settings, download malicious files from the Internet, and perform Denial of Service (DoS) attacks.

The most interesting thing is that Cuebot.k installs the wgavn.exe file and registers it as a system service named “Windows Genuine Advantage Validation Notification”. In HijackThis logs, this service appears as the following line:

O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe

The real WGA tool consists of the wgatray.exe file, which never runs as a service. Furthermore, the full names of the legitimate tool are different: “Windows Genuine Advantage Validation Tool” and “Windows Genuine Advantage Notification Tool”.

As you can see, the differences are significant. However, most computer users may have difficulty distinguishing between the legitimate and fake names.
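As an added illustration (not code from the original article), the check below parses HijackThis O23 lines and flags any service posing as WGA, using the names the article gives; the sample log lines are constructed, and the parsing regex and function names are my own.

```python
import re

# One HijackThis O23 line per service: "O23 - Service: <display> (<short>) - <owner> - <path>".
# Copied logs sometimes carry an en dash instead of "-", so both are accepted.
O23_RE = re.compile(
    r"^O23\s+[-–]\s+Service:\s+(?P<display>.+?)\s+\((?P<short>[^)]+)\)\s+[-–]\s+"
    r"(?P<owner>.+?)\s+[-–]\s+(?P<path>.+)$"
)

# Display names the article gives for the genuine WGA components; the real
# tool is wgatray.exe and never runs as a service.
LEGIT_WGA_NAMES = {
    "Windows Genuine Advantage Validation Tool",
    "Windows Genuine Advantage Notification Tool",
}

def parse_o23(line):
    """Split one O23 line into its fields; returns None for non-O23 lines."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["exe"] = entry["path"].rsplit("\\", 1)[-1].lower()
    return entry

def wga_warnings(entry):
    """Reasons an O23 entry that claims to be WGA should be treated as suspect."""
    if "genuine advantage" not in entry["display"].lower():
        return []  # not posing as WGA; outside this check
    reasons = ["genuine WGA never registers itself as a service"]
    if entry["display"] not in LEGIT_WGA_NAMES:
        reasons.append("display name differs from the genuine tool names")
    if entry["exe"] != "wgatray.exe":
        reasons.append(f"binary {entry['exe']} is not wgatray.exe")
    return reasons

def audit_log(lines):
    """Map short service name -> warnings for every WGA lookalike in the log."""
    findings = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is not None and (reasons := wga_warnings(entry)):
            findings[entry["short"]] = reasons
    return findings

# Constructed sample: the article's Cuebot.k entry plus one benign service line.
SAMPLE_LOG = [
    r"O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe",
    r"O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
]
```

Running `audit_log(SAMPLE_LOG)` reports only the wgavn entry, with all three reasons the article describes.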

Cuebot.k is not a widespread infection yet; there are reports from only two users. However, considering the usually rapid propagation of instant messaging threats, Cuebot.k stands a good chance of infecting thousands of computers around the world. It has everything it needs: a dangerous payload, innocuous file names and harmless-looking registry entries.
