New worm poses as Microsoft anti-piracy alert to trick users

A new instant messaging (IM) worm that poses as a security notification from Microsoft's anti-piracy program has been identified by Sophos.

If opened, it switches off the firewall in Windows XP so the PC can be hijacked remotely. Called Cuebot-K, the worm is spreading via AOL's IM application AIM.

The aim is to trick people into believing an AIM buddy has sent them a security alert from Microsoft's Windows Genuine Advantage program.

The worm registers itself as a new system driver service called 'wgavn', with the display name Windows Genuine Advantage Validation Notification. Once downloaded, the program then runs automatically during system start-up.

Experts at SophosLabs said that once in place, the worm disables the Windows firewall, effectively opening a back door to infected computers.

This then allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service (DDoS) attacks.

However, users who try to disable the service are given a warning that removing or stopping it will result in system instability.

"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions," said Graham Cluley, senior technology consultant at Sophos.

"Technical Windows users wouldn't be surprised to see WGA in their list of services. But they may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC.

"If users heed the false warning about removing the program, and leave it running, they'll be presenting a back door to hackers that could allow them to gain control over the computer."

Sophos, which runs a malware notification alert service, recommends that all computer users ensure that they are running an anti-virus product which is configured to automatically update itself, as well as up-to-date security patches and firewall software.
Copyright © 2010 Computer Active