Worm alert!

Worm Masquerades as Microsoft Antipiracy Program

Jeremy Kirk, IDG News ServiceFri Jun 30, 12:00 PM ET

Security analysts have detected a new piece of malware that appears to run as a Microsoft program used to detect unlicensed versions of its operating system.

The malware has been classified as a worm and spreads through AOL's Instant Messenger program, said Graham Cluley, senior technology consultant for Sophos PLC, a security vendor.

Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two Web sites, a sign it may try to download other bad programs on the machine.
A Nasty Payload

Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDOS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.

Worms that spread through instant messaging programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named "wgavn.exe" to more people in the user's "Buddy List" but without a message, Cluley said.
Worm With an Ironic Twist

If installed on a computer, Cuebot-K is registered as a new system device driver service named "wgavn." When a list of services running on the computer is summoned, the worm appears as "Windows Genuine Advantage Validation Notification" Sophos said.

Cuebot-K's registry entry appears as HKLM\SYSTEM\CurrentControlSet\Services\wgavn\.

The worm's ironic ruse comes as Microsoft's Windows Genuine Advantage program is being criticized for functioning like spyware. WGA collects hardware and software data on a user's computer and compares it to a database of licensed operating systems.

If an improper copy is detected, Microsoft warns the user and cuts off some free downloads

Thanks for the heads-up, CY. In the future if you copy and paste text like that please include a link to it's source since it is sometimes copyrighted.

Dude, I just saw someone complaining about just this issue today on another forum... too bad I can't find it again.

The story is copyrighted.

Worm Masquerades as Microsoft Antipiracy Program
http://www.pcworld.com/news/article/0,aid,126307,00.asp

Worm appears as Microsoft antipiracy program
http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html

sorry
link would not work
thought this was important to let people know
also this site
http://blogs.zdnet.com/Spyware/

That is strange. I just tested both links by pasting them into IE's Address bar. They work just fine.

I could not get the LINK ot work, not address and is not SORRY good enough.

clearly not.


speaking of programs checking for valid copies of windows, whats the point of that window genuine advantage tool they keep trying to push on me. All its going to do is say, 'hey, this is a legit copy of windows! good for you!' ? I'll save the hard drive space and the memory.

After seeing your initial response I thought I had made a mistake in posting the links. I have again retried the links in both IE6 and Netscape 8.1. Both links work just fine as is. My initial response was that I found that it was strange that the links worked for me and not for you. What more can I say? Can you explain this? I sure can't. I am sorry that you are sorry. Is that OK with you?

ITs told me that I can not make a link, but I can use them, the firewall in the gov't computer/router will not allow it.They also explained why every thing I send/received goes through my home to its gov't router this is so every thing I do is copied for security reasons. I do have permission to post this as it is not a secret,lol.
Also a LINK is not a cut and paste adress which I could have done if I had though to.