Topic: Worm poses as Windows Genuine Advantage

[Reno]

This is actually pretty clever if you ask me. Honest people wouldn't remove it because its there to make sure your copy is valid.

Worm poses as Windows Genuine Advantage

Cuebot-K IM worm turns on unwary Microsoft users
Robert Jaques, vnunet.com 04 Jul 2006

IT security experts have warned of a worm that purports to be Microsoft's Windows Genuine Advantage (WGA) anti-piracy tool.

WGA has recently been branded as 'spyware' in that it collects unnecessary hardware and software data from users' PCs.

The Cuebot-K worm spreads via AOL Instant Messenger, registering itself as a new system driver service called 'wgavn'. It carries the display name 'Windows Genuine Advantage Validation Notification', and runs automatically during system startup.

Users who view the list of services are told that removing or stopping the service will result in 'system instability'.

Once in place the worm disables the Windows firewall, and opens a backdoor to infected computers which allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service attacks.

"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions," said Graham Cluley, senior technology consultant at Sophos.

"Technical Windows users would not be surprised to see WGA in their list of services, and may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC.

"If users heed the false warning about removing the program, and leave it running, they will present a backdoor to hackers that could allow them to gain control over the computer."

http://www.vnunet.com/vnunet/news/2159630/ddos-worm-turns-windows-genuine

[sam]

yes, nice and evil! :-) but very clever!