New “Windows Genuine Advantage” Worm Cuebot-K Being Spread by AIM, Installs Self as Wgavn.exe and Dcpromo.log
7/17/2006
Security company Sophos is reporting on a new worm which installs itself on your computer as a file called “wgavn.exe” and pretends to be Windows Authentication Software (WAS), identifying itself as a “Windows Genuine Advantage Validation Notification”. But it is actually the new, nasty worm Cuebot-K.

Also known as W32/Cuebot-K, Backdoor.Win32.IRCBot.st, and Win32/IRCBot.OO, Cuebot-K is being spread via AOL’s AIM (AOL Instant Messenger), and installs the “wgavn.exe” and “dcpromo.log” files on your hard drive. Then it gives the criminals behind it access to your computer.

According to Sophos, “When first run W32/Cuebot-K copies itself to (windows system folder)\wgavn.exe and creates the file (windows folder)\Debug\dcpromo.log. The file wgavn.exe is registered as a new system driver service named “wgavn”, with a display name of “Windows Genuine Advantage Validation Notification” and a startup type of automatic, so that it is started automatically during system startup.”

At least at the moment, you can only be infected by Cuebot-K by clicking on a link proffered through the AIM instant messenger chat window (it will appear that either a buddy or a stranger is offering you some enticing link on which to click). So, as always, don’t click on links in instant messenger! Just copy and paste them into your browser window instead.
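A read-only PowerShell check for the artifacts Sophos lists above, added here as an example and not taken from Sophos or from the original post. It assumes PowerShell 4.0 or later; the Strength ratings are this example's own judgement, and dcpromo.log is rated weak because Windows itself writes a file of that name to the Debug folder when a server is promoted to a domain controller.

```powershell
# Added example: report (never modify) the W32/Cuebot-K artifacts named in the Sophos description.
$serviceName = 'wgavn'
$displayName = 'Windows Genuine Advantage Validation Notification'

# "(windows system folder)" and "(windows folder)" from the Sophos text, resolved for this machine.
$exePath = Join-Path ([Environment]::SystemDirectory) 'wgavn.exe'
$logPath = Join-Path $env:windir 'Debug\dcpromo.log'

$findings = @()

# Win32_BaseService covers ordinary services and driver services alike.
$svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = "Service '$serviceName'"
        Detail    = "DisplayName='$($svc.DisplayName)' StartMode=$($svc.StartMode) Path=$($svc.PathName)"
        # An exact display-name match ties the service to the description above.
        Strength  = if ($svc.DisplayName -eq $displayName) { 'Strong' } else { 'Medium' }
    }
}

if (Test-Path -LiteralPath $exePath) {
    $file = Get-Item -LiteralPath $exePath -Force   # -Force also returns hidden/system files
    $hash = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $findings += [pscustomobject]@{
        Indicator = $exePath
        Detail    = "Size=$($file.Length) Created=$($file.CreationTime) SHA256=$hash"
        Strength  = 'Strong'
    }
}

# Weak on its own: a legitimate dcpromo.log exists on domain controllers.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath -Force
    $findings += [pscustomobject]@{
        Indicator = $logPath
        Detail    = "Size=$($log.Length) Created=$($log.CreationTime)"
        Strength  = 'Weak'
    }
}

if ($findings.Count -eq 0) {
    'No Cuebot-K artifacts from the Sophos description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the system folder and service details are readable; a clean result only means these specific artifacts are absent, not that the machine is uninfected.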


I don’t know if I have a problem to the point of being infected, but is there really such a thing as Windows Genuine Advantage? I got something, but it first popped up as a yellow shield in my system tray, which (when clicked) opened up what appeared to be a Windows Update dialog box showing available updates, which included Windows Genuine Advantage. Is the whole thing bogus, or just what’s being passed off as WGA within AIM?
Comment by Bryan — 7/17/2006 @ 8:30 pm
WGA as it is known is a spy for Microsoft; they want to know if you have a legitimate copy of Windows to begin with, then every day they check up on you. If you don’t install it you just might not be able to get real updates. Many newscasters have been writing about it; you can read about it here: http://microsoft.com/genuine
Comment by Ron R. — 7/18/2006 @ 6:53 am
I got this virus but I don’t use AOL instant messenger. How do you remove it? I use Grisoft’s free AVG virus software.
Comment by Kal — 3/10/2007 @ 1:26 am