The new worm appears as the WGA tool

Yesterday, we wrote about the lawsuit of Brian Johnson, who sued Microsoft over its Windows Genuine Advantage tool calling it a spyware program. The lawsuit sparked numerous discussions over WGA and its spyware-like behavior.

Some malware makers decided to take advantage of all this uproar releasing a new worm that disguises as the Windows Genuine Advantage tool. Cuebot.k, that’s how antivirus companies identify the parasite, is a rather dangerous Internet worm that spreads through instant messages using the AOL Instant Messenger program. It opens a back door providing the attacker with unauthorized remote access to the compromised computer. The intruder can control the system and steal user sensitive information. The worm can also terminate running security-related software, disable essential Windows components, alter important system settings, download malicious files from the Internet, and perform Denial of Service (DoS) attacks.

The most interesting thing is that Cuebot.k installs the wgavn.exe file and registers it as a system service named “Windows Genuine Advantage Validation Notification”. In HijackThis logs this service appears as the following line:

O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe

The real WGA tool is represented by the wgatray.exe file, which never runs as a service. Furthermore, full names related to the legimate tool are different. They are “Windows Genuine Advantage Validation Tool” and “Windows Genuine Advantage Notification Tool”.

As you can see, differences are significant. However, most computer users may have difficulties distinguishing legitimate and fake names.

Cuebot.k is not a widely spread infection yet. There are reports from only two users. However, considering usually rapid propagation of instant messaging threats, Cuebot.k stands a good chance infecting thousands of computers around the world. It has everything it needs – a dangerous payload, unsuspicious file names and harmless-looking registry entries.