New “Windows Genuine Advantage” Worm Cuebot-K Being Spread by AIM, Installs Self as Wgavn.exe and Dcpromo.log

The Internet Patrol - Patrolling the Internet for You

Security company Sophos is reporting on a new worm which installs itself on your computer as a file called “wgavn.exe” and poses as Microsoft’s Windows Genuine Advantage (WGA) licence-validation component, identifying itself as a “Windows Genuine Advantage Validation Notification”. It is actually the new, nasty worm Cuebot-K.

Also known as W32/Cuebot-K, Backdoor.Win32.IRCBot.st, and Win32/IRCBot.OO, Cuebot-K is being spread via AOL’s AIM (AOL Instant Messenger), and installs the “wgavn.exe” and “dcpromo.log” files on your hard drive. As the IRCBot aliases suggest, it then opens a backdoor that gives the criminals behind it remote access to your computer.


According to Sophos, “When first run W32/Cuebot-K copies itself to (windows system folder)\wgavn.exe and creates the file (windows folder)\Debug\dcpromo.log.

The file wgavn.exe is registered as a new system driver service named “wgavn”, with a display name of “Windows Genuine Advantage Validation Notification” and a startup type of automatic, so that it is started automatically during system startup.”
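The Sophos description above gives three concrete indicators: a service registered under the name “wgavn” with that display name and automatic start, a copy of the worm at (windows system folder)\wgavn.exe, and a dropped (windows folder)\Debug\dcpromo.log. The PowerShell below, an added example and not code from Sophos or The Internet Patrol, checks a Windows host for those three artifacts. It reads the service definition from the registry rather than calling Get-Service, because Sophos describes a driver-type service and Get-Service lists only Win32 services. The paths, the variable names and the output format are assumptions; the indicators themselves are the ones quoted above.

```powershell
# Added example: look for the W32/Cuebot-K persistence artifacts described by Sophos.
# The service name, display name and file names come from the Sophos description;
# paths are assumed to be under $env:SystemRoot, everything else is illustrative.
$ServiceName = 'wgavn'
$DisplayName = 'Windows Genuine Advantage Validation Notification'
$Artifacts   = @(
    (Join-Path $env:SystemRoot 'System32\wgavn.exe'),
    (Join-Path $env:SystemRoot 'Debug\dcpromo.log')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service registration. Every service type, including drivers, has a key here.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings.Add("Service key present: $svcKey")
    $findings.Add("  DisplayName = $($svc.DisplayName)")
    $findings.Add("  ImagePath   = $($svc.ImagePath)")
    # Start = 2 means Automatic, which is what Sophos reports for this service.
    $findings.Add("  Start       = $($svc.Start) (2 = automatic)")
}

# 2. Same display name registered under a different short name (a renamed variant).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.DisplayName -eq $DisplayName -and $_.PSChildName -ne $ServiceName) {
        $findings.Add("Display name match under key $($_.PSChildName): $($p.ImagePath)")
    }
}

# 3. Dropped files. Hash anything found so it can be compared with vendor data;
#    the page itself gives no hash, so nothing is compared here.
foreach ($path in $Artifacts) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path  SHA256=$hash")
    }
}

if ($findings.Count -eq 0) {
    'No W32/Cuebot-K indicators found.'
} else {
    'Possible W32/Cuebot-K infection:'
    $findings
}
```

Two caveats when reading the output. The service key is the strong indicator: Microsoft’s own WGA Notifications component is delivered through Windows Update and does not register a service called “wgavn”. The file Debug\dcpromo.log, on the other hand, is a legitimate name on any machine that has been promoted to a domain controller, which is presumably why the worm chose it, so its presence alone proves nothing. Get-FileHash requires PowerShell 4 or later; on older systems drop the hash line and record the file size and timestamp instead.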

At least at the moment, you can only be infected by Cuebot-K by clicking on a link sent through the AIM instant messenger chat window and then running the file it delivers (it will appear that either a buddy or a stranger is offering you some enticing link on which to click, and a message that seems to come from a buddy may have been sent by the worm from that buddy’s already-infected machine). So, as always, don’t click on links in instant messenger. Copying and pasting the link into your browser does not make it safer, since the browser fetches the same file; if you really want to know what a buddy sent you, ask them over a different channel first.


5 thoughts on “New “Windows Genuine Advantage” Worm Cuebot-K Being Spread by AIM, Installs Self as Wgavn.exe and Dcpromo.log”

  1. Hi, I’m currently trying to research viruses and worms for my school coursework. Would anyone know on average how many people and devices were affected by this?

  2. I seem to have a similar problem.
    Removal notes for the “Windows Genuine Advantage Notification virus”:

    1. Boot in safe mode, open c:\windows\regedit.exe and search for wgalogon; when found, delete the folder and all keys within.

    2. Search c:\windows for wga*.* and delete everything you find. If you can’t delete something, reboot in safe mode and then try to delete it again.

    3. Do a final search of c:\windows for any reappearing wga*.* files, and a final search of the registry to make sure wgalogon has not reappeared.

    4. Boot as normal.

  3. I got this virus but I don’t use AOL instant messenger. How do you remove it? I use Grisoft’s free AVG virus software.

  4. WGA, as it is known, is a spy for Microsoft. They want to know if you have a legitimate copy of Windows to begin with, and then every day they check up on you. If you don’t install it, you just might not be able to get real updates. Many newscasters have been writing about it; you can read about it here:

  5. I don’t know if I have a problem to the point of being infected, but is there really such a thing as Windows Genuine Advantage? I got something, but it first popped up as a yellow shield in my system tray, which (when clicked) opened up what appeared to be a Windows Update dialog box showing available updates, which included Windows Genuine Advantage. Is the whole thing bogus, or just what’s being passed off as WGA within AIM?
