Experts at SophosLabs, Sophos's global network of virus, spyware and spam analysis centres, have warned of a worm that disguises itself as Microsoft's anti-piracy program, Windows Genuine Advantage (WGA). The Cuebot-K worm poses as the genuine Microsoft WGA program, which was recently the subject of controversy in the media following allegations that it has been spying on Windows users by collecting hardware and software data from PCs.
The Cuebot-K worm spreads via AOL Instant Messenger, registers itself as a new system driver service called 'wgavn' with the display name 'Windows Genuine Advantage Validation Notification', and runs automatically during system startup. Users who view the list of services are told that removing or stopping the service will result in system instability.
Once in place the worm disables the Windows firewall, and opens a backdoor to infected computers which allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service (DDoS) attacks.
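The masquerade described above (a service name and display name borrowed from a trusted Microsoft program, set to start automatically) is something an administrator can triage offline from an exported service listing. The following is an added example written for this page, not Sophos code or a Sophos tool: it takes the indicators the article gives (service name 'wgavn', a display name referring to Windows Genuine Advantage, automatic start) and adds one generic check, namely that a WGA-branded service whose binary lives outside `%SystemRoot%\System32` is treated as suspect. The `ServiceRecord` structure, the trusted-directory list and the sample records are constructed for the example; the legitimate-looking third record is hypothetical.

```python
"""Triage Windows service records for a Cuebot-K style service masquerade.

Added example, not Sophos code. Indicators ('wgavn', the WGA display name,
automatic start) come from the Sophos description; the System32 check and
the sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ServiceRecord:
    name: str          # short service name (SCM / registry key name)
    display_name: str  # what the services list shows the user
    image_path: str    # ImagePath value; may be quoted and carry arguments
    start_type: str    # "auto", "demand" or "disabled"


# Service name reported for Cuebot-K in the Sophos description.
CUEBOT_SERVICE_NAMES = {"wgavn"}
# Display names that borrow the Windows Genuine Advantage branding.
WGA_DISPLAY_RE = re.compile(r"windows\s+genuine\s+advantage", re.IGNORECASE)

# Directories a genuine Windows component is normally loaded from
# (assumption for this example; extend for your own environment).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "%systemroot%\\system32\\",
)


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from an ImagePath value.

    Handles the quoted form  "C:\\dir with space\\a.exe" -k args  and the
    unquoted form  C:\\dir\\a.exe -k args.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def normalise(path: str) -> str:
    """Lower-case and use backslashes so prefix comparison is reliable."""
    return path.strip().lower().replace("/", "\\")


def service_suspicion(svc: ServiceRecord) -> list:
    """Return the reasons a service looks like a Cuebot-K style masquerade.

    An empty list means none of the checks matched.
    """
    reasons = []
    if svc.name.lower() in CUEBOT_SERVICE_NAMES:
        reasons.append(f"service name {svc.name!r} is a Cuebot-K indicator")
    if WGA_DISPLAY_RE.search(svc.display_name):
        binary = normalise(binary_from_image_path(svc.image_path))
        if not binary.startswith(TRUSTED_PREFIXES):
            reasons.append(
                f"WGA-branded display name but binary outside System32: "
                f"{binary} (start type {svc.start_type})")
    return reasons


def triage(services) -> dict:
    """Map service name -> reasons for every service with at least one reason."""
    return {s.name: r for s in services if (r := service_suspicion(s))}


# Constructed sample listing: one ordinary service, one record shaped like
# the worm's, and one hypothetical legitimately placed WGA-branded service.
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", "DHCP Client",
                  '"C:\\Windows\\System32\\svchost.exe" -k LocalServiceNetworkRestricted',
                  "auto"),
    ServiceRecord("wgavn", "Windows Genuine Advantage Validation Notification",
                  "C:\\Windows\\wgavn.exe",          # constructed path, not a known IoC
                  "auto"),
    ServiceRecord("ExampleWGA", "Windows Genuine Advantage Notifications",
                  "C:\\Windows\\System32\\example_wga.exe",  # hypothetical record
                  "demand"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The name check alone would catch only this specific worm; the display-name-plus-location check is the part worth keeping, since the article's point is that a familiar display name is what stops a technical user from looking further. Pair it with a separate check that the Windows firewall is still enabled, which the worm also switches off.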
“People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions. Technical Windows users wouldn’t be surprised to see WGA in their list of services, and so may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC,” said Graham Cluley, senior technology consultant at Sophos. “If users heed the false warning about removing the program, and leave it running, they’ll be presenting a backdoor to hackers that could allow them to gain control over the computer.”