New “Windows Genuine Advantage” Worm Cuebot-K Being Spread by AIM, Installs Self as Wgavn.exe and Dcpromo.log
Security company Sophos is reporting on a new worm which installs itself on your computer as a file called “wgavn.exe” and pretends to be Windows Authentication Software (WAS), identifying itself as a “Windows Genuine Advantage Validation Notification”. But it is actually the new, nasty worm Cuebot-K.

Also known as W32/Cuebot-K, Backdoor.Win32.IRCBot.st, and Win32/IRCBot.OO, Cuebot-K is being spread via AOL’s AIM (AOL Instant Messenger), and installs the “wgavn.exe” and “dcpromo.log” files on your hard drive. Then it gives the criminals behind it access to your computer.

According to Sophos, “When first run W32/Cuebot-K copies itself to (windows system folder)\wgavn.exe and creates the file (windows folder)\Debug\dcpromo.log. The file wgavn.exe is registered as a new system driver service named “wgavn”, with a display name of “Windows Genuine Advantage Validation Notification” and a startup type of automatic, so that it is started automatically during system startup.”

At least at the moment, you can only be infected by Cuebot-K by clicking on a link proffered through the AIM instant messenger chat window (it will appear that either a buddy or a stranger is offering you some enticing link on which to click). So, as always, don’t click on links in instant messenger! Just copy and paste them into your browser window instead.
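
The service registration Sophos describes can be checked offline against a text export of the Services registry key. The following is an added example, not code from Sophos or from this article; it assumes a regedit-style export already decoded to text, and the function names and sample data are hypothetical.

```python
import re

# Indicators from the Sophos description quoted in the article.
IOC_NAME = "wgavn"
IOC_DISPLAY = "windows genuine advantage validation notification"
IOC_IMAGE = re.compile(r'(?:^|[\\/"])wgavn\.exe(?:["\s]|$)', re.I)

def parse_reg_export(text):  # -> {key_path: {value_name: value}}
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is None or not m:
            continue
        elif m.group(2).startswith("dword:"):
            current[m.group(1)] = int(m.group(2)[6:], 16)
        elif m.group(2).startswith("hex(2):"):  # REG_EXPAND_SZ as UTF-16LE bytes
            data = bytes(int(b, 16) for b in m.group(2)[7:].split(",") if b)
            current[m.group(1)] = data.decode("utf-16-le").rstrip("\x00")
        elif m.group(2).startswith('"'):  # REG_SZ with doubled backslashes
            current[m.group(1)] = m.group(2)[1:-1].replace("\\\\", "\\")
    return keys

def find_cuebot_service(text):
    """Return {service_name: [matched indicators]} for Services subkeys."""
    hits = {}
    for path, vals in parse_reg_export(text).items():
        m = re.search(r"\\Services\\([^\\]+)$", path, re.I)
        if not m:
            continue
        checks = {
            "service name": m.group(1).lower() == IOC_NAME,
            "display name": str(vals.get("DisplayName", "")).lower() == IOC_DISPLAY,
            "image path": bool(IOC_IMAGE.search(str(vals.get("ImagePath", "")))),
        }
        why = [k for k, ok in checks.items() if ok]
        if why:  # Start=2 is "automatic", the startup type Sophos reports
            hits[m.group(1)] = why + ["automatic start"] * (vals.get("Start") == 2)
    return hits

# Constructed sample export, not captured from a real infection.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ImagePath"="C:\\WINDOWS\\system32\\wgavn.exe"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"'''
print(find_cuebot_service(SAMPLE))
```

The check keys on the service entry rather than on dcpromo.log, because Windows itself can write a log with that name in the Debug folder, which makes the file alone a weak indicator.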

I don’t know if I have a problem to the point of being infected, but is there really such a thing as Windows Genuine Advantage? I got something, but it first popped up as a yellow shield in my system tray, which (when clicked) opened up what appeared to be a Windows Update dialog box showing available updates, which included Windows Genuine Advantage. Is the whole thing bogus, or just what’s being passed off as WGA within AIM?
Comment by Bryan — 7/17/2006 @ 8:30 pm
WGA as it is known is a spy for Microsoft; they want to know if you have a legitimate copy of Windows to begin with, then every day they check up on you. If you don’t install it you just might not be able to get real updates. Many newscasters have been writing about it; you can read about it here: http://microsoft.com/genuine
Comment by Ron R. — 7/18/2006 @ 6:53 am
I got this virus but I don’t use AOL instant messenger. How do you remove it? I use Grisoft’s free AVG virus software.
Comment by Kal — 3/10/2007 @ 1:26 am
I seem to have a similar problem,
removal notes for “windows genuine advantage notification virus”….
1. boot in safe mode, open c:/windows/regedit.exe and search for wgalogon - when found delete the folder and all keys within
2. search c:\windows for wga*.* and delete everything you find, if you can't delete something reboot in safe mode and then try and delete again.
3. final search of c:/windows for any re-appearing wga*.* files - and final search of registry to make sure wgalogon has not reappeared
4. boot as normal
Comment by ICARVZ — 5/2/2009 @ 4:37 am