Original URL: http://www.theregister.co.uk/2006/07/03/wga_worm/
Perfidious virus pushers have created a worm that poses as Microsoft's anti-piracy program, Windows Genuine Advantage (WGA).
The Cuebot-K worm spreads via AOL Instant Messenger in the guise of WGA. The release of the malware coincides with controversy over a WGA feature that made the anti-piracy program "phone home" with hardware and software data from PCs every time Windows started up.
Cuebot-K attempts to register itself as a new system driver service called 'wgavn', with the display name 'Windows Genuine Advantage Validation Notification'. Thereafter it runs every time a computer starts up. Users who attempt to remove the malware are falsely informed that getting rid of the program will result in system instability.
Once installed, Cuebot-K disables Windows Firewall and opens a backdoor on the compromised machine, surrendering control of it to hackers.
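The service registration described above gives defenders two concrete strings to hunt for. The following is an added example, not code from the article or from Sophos: it parses saved `sc query type= all state= all` output and reports records matching the service name or display name quoted in the article. The sample output, the `helper` record and the function names are constructed for illustration.

```python
import re

# Indicators quoted in the article above.
IOC_SERVICE_NAME = "wgavn"
IOC_DISPLAY_NAME = "Windows Genuine Advantage Validation Notification"

# Constructed sample in the layout of `sc query type= all state= all` output.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        STATE              : 4  RUNNING

SERVICE_NAME: WGAVN
DISPLAY_NAME: Windows Genuine Advantage  Validation Notification
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING

SERVICE_NAME: helper
DISPLAY_NAME: windows genuine advantage validation notification
        STATE              : 1  STOPPED
"""

def parse_sc_query(text):
    """Split sc query output into one dict per service record."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*:\s*(.*)$", line)
        if m and m.group(1) == "SERVICE_NAME":
            current = {"SERVICE_NAME": m.group(2).strip()}
            records.append(current)
        elif m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records

def _norm(s):
    # Service names are case-insensitive; also collapse padding whitespace.
    return " ".join(s.split()).casefold()

def find_cuebot_k_service(text):
    """Return (service name, matched indicators, state) for each suspect record."""
    hits = []
    for rec in parse_sc_query(text):
        checks = (("service name", rec["SERVICE_NAME"], IOC_SERVICE_NAME),
                  ("display name", rec.get("DISPLAY_NAME", ""), IOC_DISPLAY_NAME))
        reasons = [label for label, seen, ioc in checks if _norm(seen) == _norm(ioc)]
        if reasons:
            hits.append((rec["SERVICE_NAME"], reasons, rec.get("STATE", "")))
    return hits
```

A hit is a lead, not a verdict: confirm it by checking the binary path and signature of the flagged service before removing anything.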
More information on the malware can be found in an analysis by anti-virus firm Sophos here (http://www.sophos.com/virusinfo/analyses/w32cuebotk.html). ®