A new instant messaging (IM) worm that poses as a security notification from Microsoft's anti-piracy program has been identified by Sophos.
If opened, it switches off the firewall in Windows XP so the PC can be hijacked remotely. Called Cuebot-K, the worm is spreading via AOL's IM application AIM.
The aim is to trick people into believing an AIM buddy has sent them a security alert from Microsoft's Windows Genuine Advantage program.
The worm registers itself as a new system driver service called 'wgavn', with the display name Windows Genuine Advantage Validation Notification. Once downloaded, the program then runs automatically during system start-up.
Experts at SophosLabs said that once in place, the worm disables the Windows firewall, effectively opening a back door to infected computers.
This then allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service (DDoS) attacks.
Users who try to disable it, however, are given a warning that removing or stopping the service will result in system instability.
"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions," said Graham Cluley, senior technology consultant at Sophos.
"Technical Windows users wouldn't be surprised to see WGA in their list of services. But they may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC.
"If users heed the false warning about removing the program, and leave it running, they'll be presenting a back door to hackers that could allow them to gain control over the computer."
Sophos, which runs a malware notification alert service, recommends that all computer users ensure that they are running an anti-virus product which is configured to automatically update itself, as well as up-to-date security patches and firewall software.
New worm poses as Microsoft anti-piracy alert to trick users
By Dinah Greek on Jul 4, 2006 9:45AM