Original URL: http://www.theregister.co.uk/2006/07/03/wga_worm/
Windows Genuine Disadvantage malware sighted
Topical malware tomfoolery
Perfidious virus pushers have created a worm that poses as Microsoft's anti-piracy program, Windows Genuine Advantage (WGA).
The Cuebot-K worm spreads via AOL instant messenger in the guise of WGA. The timing of the release of the malware coincides with controversy over a feature in WGA that meant that the anti-piracy program "phoned home" with hardware and software data from PCs every time Windows started up.
Cuebot-K attempts to register itself as a new system driver service called 'wgavn', with the display name 'Windows Genuine Advantage Validation Notification'. Thereafter it runs every time a computer starts up. Users who attempt to remove the malware are falsely informed that getting rid of the program will result in system instability.
Once installed on infected machines, Cuebot-K disables Windows firewall and opens a backdoor on compromised machines, surrendering their control to hackers.
More information on the malware can be found in an analysis by anti-virus firm Sophos here . ®