9 July 2006

Worm disguised as Windows Genuine Advantage

No matter what, Microsoft seems to be out of luck as far as the WGA tool is concerned, according to PortalIT. The latest addition to the “WGA is malware” scandal is a genuine piece of malware: a worm posing as Microsoft's Windows Genuine Advantage.

According to IT security experts, the Cuebot-K worm only affects AOL Instant Messenger users. The malware uses the display name “Windows Genuine Advantage Validation Notification”, registers itself as a new system driver service dubbed “wgavn”, and runs automatically at system startup.

"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions. Technical Windows users wouldn't be surprised to see WGA in their list of services, and so may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC," said Graham Cluley, senior technology consultant at Sophos.

Once installed, the worm disables the Windows firewall and opens a backdoor on infected computers, allowing hackers to gain remote access and launch distributed denial-of-service attacks.

As expected, users are told that removing or stopping the fake “wgavn” service would lead to “system instability”.
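A defender-side check built from the indicators quoted above (the “wgavn” service name and the WGA-style display name), added here as an example and not code from the original post or from Sophos. It assumes Windows PowerShell 5.1 or later, the NetSecurity module for the firewall check (Windows 8 / Server 2012 and newer, with a netsh fallback), and the heuristic that a genuine Microsoft component carries a valid Microsoft Authenticode signature.

```powershell
# Added hunting script (not from the original post). Flags any service or driver
# matching the reported Cuebot-K indicators and checks whether the firewall is on.
$IndicatorName        = 'wgavn'
$IndicatorDisplayName = 'Windows Genuine Advantage Validation Notification'

function Resolve-ServiceBinary {
    param([string]$PathName)
    # PathName may be quoted, carry arguments, or be relative (driver services).
    # Extract the executable and anchor it under the system root when needed.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^(\S+?\.(exe|sys|dll))') { $exe = $Matches[1] }
    else { $exe = $PathName }
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    $exe = $exe -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Find-FakeWgaService {
    # Enumerate user-mode services and kernel driver services, since the worm
    # registers itself as a driver service while wearing a WGA display name.
    $all = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
    foreach ($svc in $all) {
        if (-not ($svc.Name -eq $IndicatorName -or $svc.DisplayName -eq $IndicatorDisplayName)) { continue }
        $exe = Resolve-ServiceBinary $svc.PathName
        $sig = if (Test-Path $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        # Assumed heuristic: a real Microsoft component is validly signed by Microsoft.
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*'
        $verdict = if ($msSigned) { 'indicator match, Microsoft-signed: review manually' } else { 'SUSPICIOUS: indicator match, not Microsoft-signed' }
        [pscustomobject]@{
            Name            = $svc.Name
            DisplayName     = $svc.DisplayName
            StartMode       = $svc.StartMode   # 'Auto' matches the run-at-startup behaviour
            State           = $svc.State
            Binary          = $exe
            MicrosoftSigned = [bool]$msSigned
            Verdict         = $verdict
        }
    }
}

function Get-FirewallState {
    # The worm disables the Windows firewall, so a disabled profile is a second signal.
    try { Get-NetFirewallProfile | Select-Object Name, Enabled }
    catch { netsh advfirewall show allprofiles state }
}

Find-FakeWgaService | Format-List
Get-FirewallState
```

Run it in an elevated session; a hit that is not Microsoft-signed, combined with a disabled firewall profile, is the pattern described in the post and should be escalated rather than cleaned up by hand.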
