Worm alert!

Worm Masquerades as Microsoft Antipiracy Program

Jeremy Kirk, IDG News ServiceFri Jun 30, 12:00 PM ET

Security analysts have detected a new piece of malware that appears to run as a Microsoft program used to detect unlicensed versions of its operating system.

The malware has been classified as a worm and spreads through AOL's Instant Messenger program, said Graham Cluley, senior technology consultant for Sophos PLC, a security vendor.

Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two Web sites, a sign it may try to download other bad programs on the machine.
A Nasty Payload

Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDOS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.

Worms that spread through instant messaging programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named "wgavn.exe" to more people in the user's "Buddy List" but without a message, Cluley said.
Worm With an Ironic Twist

If installed on a computer, Cuebot-K is registered as a new system device driver service named "wgavn." When a list of services running on the computer is summoned, the worm appears as "Windows Genuine Advantage Validation Notification" Sophos said.

Cuebot-K's registry entry appears as HKLM\SYSTEM\CurrentControlSet\Services\wgavn\.

The worm's ironic ruse comes as Microsoft's Windows Genuine Advantage program is being criticized for functioning like spyware. WGA collects hardware and software data on a user's computer and compares it to a database of licensed operating systems.

If an improper copy is detected, Microsoft warns the user and cuts off some free downloads

Thanks for the heads-up, CY. In the future if you copy and paste text like that please include a link to it's source since it is sometimes copyrighted.

Dude, I just saw someone complaining about just this issue today on another forum... too bad I can't find it again.

The story is copyrighted.

Worm Masquerades as Microsoft Antipiracy Program
http://www.pcworld.com/news/article/0,aid,126307,00.asp

Worm appears as Microsoft antipiracy program
http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html

sorry
link would not work
thought this was important to let people know
also this site
http://blogs.zdnet.com/Spyware/

That is strange. I just tested both links by pasting them into IE's Address bar. They work just fine.

I could not get the LINK ot work, not address and is not SORRY good enough.

clearly not.


speaking of programs checking for valid copies of windows, whats the point of that window genuine advantage tool they keep trying to push on me. All its going to do is say, 'hey, this is a legit copy of windows! good for you!' ? I'll save the hard drive space and the memory.

After seeing your initial response I thought I had made a mistake in posting the links. I have again retried the links in both IE6 and Netscape 8.1. Both links work just fine as is. My initial response was that I found that it was strange that the links worked for me and not for you. What more can I say? Can you explain this? I sure can't. I am sorry that you are sorry. Is that OK with you?

ITs told me that I can not make a link, but I can use them, the firewall in the gov't computer/router will not allow it.They also explained why every thing I send/received goes through my home to its gov't router this is so every thing I do is copied for security reasons. I do have permission to post this as it is not a secret,lol.
Also a LINK is not a cut and paste adress which I could have done if I had though to.

I wasn't trying to start a war here people. I just don't want our community getting a reputation for stealing intellectual property. And yes, it is good to know. If you are unable to link in the future, just put it in your own words....that's all.

No harm no foul.

how will they stop you from adding simple [url] tags?

He was probably referring to clicking the hyperlink button on the advanced editor. They could block that since it uses popups.

Good question. The people with valid copies will go on their merry way (or not, depending on whether WGA detected a valid copy of Windows correctly or not!).

Then there are people that are unaware that they have an illegal copy of Windows. They just got themselves screwed over twice - once by the person that sold them their machine, then by M$.

After that we end up with the category of people who know that they have a cracked copy of Windows who have bypassed WGA anyways and are just as happy as those with valid copies.

Overall, Microsoft seems to not like the people who thought that they had a valid copy of Windows but don't. Don't know quite why, but anyways. WGA is pretty bad. I think that they are on something like the fifth version of it now becuse it keeps getting cracked. I think that Windows can do with a few less "features" thank you very much. They can't even take care of what's on here now and then they go add more things which are mandatory for all users if they want to stay secure. WTG Microsoft

Thing is, MS have no right to do that. I am suspecious on is it legal. If I have ilegal copy of windows this doesn't give them right to download new malicious programs on my comp, perform basic DDOS (distributed denial of service) attacks on me, scan local files and spawn a command prompt. They could ask police for help, but all they would have are ilegaly colected evidence.