Security company Sophos is reporting on a new worm which installs itself on your computer as a file called “wgavn.exe” and pretends to be Windows Authentication Software (WAS), identifying itself as a “Windows Genuine Advantage Validation Notification”. But it is actually the new, nasty worm Cuebot-K.
Also known as W32/Cuebot-K, Backdoor.Win32.IRCBot.st, and Win32/IRCBot.OO, Cuebot-K is being spread via AOL’s AIM (AOL Instant Messenger), and installs the “wgavn.exe” and “dcpromo.log” files on your hard drive. Then it gives the criminals behind it access to your computer.
According to Sophos, “When first run W32/Cuebot-K copies itself to (windows system folder)\wgavn.exe and creates the file (windows folder)\Debug\dcpromo.log.
The file wgavn.exe is registered as a new system driver service named “wgavn”, with a display name of “Windows Genuine Advantage Validation Notification” and a startup type of automatic, so that it is started automatically during system startup.”
At least at the moment, you can only be infected by Cuebot-K by clicking on a link proffered through the AIM instant messenger chat window (it will appear that either a buddy or a stranger is offering you some enticing link on which to click). So, as always, don’t click on links in instant messenger! Just copy and paste them into your browser window instead.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Hi I’m currently trying to research into viruses and worms for my school coursework, would anyone know on average how many people and devices were effected by this?
I seem to have a similar problem,
removal notes for “windows genuine advantage notification virus”….
1. boot in safe mode, open c:/windows/regedit.exe and search for wgalogon – when found delete the folder and all keys within
2. search c:\windows for wga*.* and delete everything you find, if you cant delete something reboot in safe mode and then try and delete again.
3. final search of c:/windows for any re-appearing wga*.* files – and final search of registry to make sure wgalogon has not reappeared
4. boot as normal
I got this virus but I don’t use AOL instant messenger. How do you remove it? I use Grisoft’s free AVG virus software.
WGA as it is know is a spy for Microsoft, they want to know if you have a ligitmate copy windows to begin with then everyday they checkup on you. If you don’t install it you just might not be able to get real updates. Many newscasters have been writing about it you can read about it here:
I don’t know if I have a problem to the point of being infected, but is there really a such thing as Windows Genuine Advantage? I got something, but it first popped up as a yellow shield in my system tray, which (when clicked) opened up what appeared to be a Windows Update dialog box showing available updates, which included Windows Genuine Advantage. Is the whole thing bogus, or just what’s being passed off as WGA within AIM?