Fake MS WGA seeds malware
by Ivana Strahija on July 3rd, 2006
AOL LLC's instant messenger program is once again the medium of choice for malicious attackers to spread their viruses.
Security researchers recently warned of a malicious program, pretending to be the Microsoft Windows Genuine Advantage tool, which is spreading through the AOL instant messenger system.
Sophos named the worm W32.Cuebot-K, and it seems that the newest member of the Cuebot family is intended to cause much havoc. Immediately after installation, W32.Cuebot-K connects to two websites, from which it downloads additional malware. Furthermore, it shuts down the Windows firewall, disables various programs and can perform DDoS attacks.
Sophos warns that this worm arrives directly as a file named "wgavn.exe", sent to infected users' buddy lists with no additional message.
But the interesting thing about this virus is that it registers itself as a new system device driver service named wgavn (HKLM\SYSTEM\CurrentControlSet\Services\wgavn), presented in the services list as "Windows Genuine Advantage Validation Notification", according to Sophos.
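A defender can triage a host for the service registration described above by scanning an exported copy of the Services key. The following is an added example, not code from Sophos or from the original article: the three indicators come from this page, while the sample export, its ImagePath location and the function names are assumptions made for the demonstration.

```python
import re

# Indicators reported on this page. SAMPLE below is constructed (path made up).
KEY_NAME = "wgavn"
DISPLAY_NAME = "Windows Genuine Advantage Validation Notification"
FILE_NAME = "wgavn.exe"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,67,00,61,00,76,00,6e,00,2e,00,\
  65,00,78,00,65,00,00,00
'''

def decode_value(raw):
    """Decode a .reg value: quoted string or hex(1)/hex(2) UTF-16LE data."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith(("hex(1):", "hex(2):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return raw

def parse_reg(text):
    """Return {key_path: {lowercased_value_name: value}} from .reg text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            current[m.group(1).lower()] = decode_value(m.group(2))
    return keys

def find_wgavn_service(text):
    """List (key_path, matched_indicators) for top-level service keys."""
    hits = []
    for path, vals in parse_reg(text).items():
        name = path.lower().removeprefix(SERVICES)
        if name == path.lower() or "\\" in name:
            continue  # not under Services, or a subkey such as \Security
        checks = {"key name": name == KEY_NAME,
                  "display name": vals.get("displayname", "").lower() == DISPLAY_NAME.lower(),
                  "image file": FILE_NAME in vals.get("imagepath", "").lower()}
        if any(checks.values()):
            hits.append((path, [k for k, v in checks.items() if v]))
    return hits
```

To run it against a real host, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and read the file with `encoding="utf-16"` before passing its text to `find_wgavn_service`.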