Worm pretends it is Windows Authentication Software

MEDIA FRIENDLY anti-virus outfit Sophos has dug up a worm which pretends that it is Microsoft's super-popular Windows Authentication Software (WAS).

Sophos alleged that the worm, which is called Cuebot-K, is being distributed over AOL's instant-messaging network.

It has the public display name of "Windows Genuine Advantage Validation Notification" and registers itself as a system driver named "wgavn". If users try to remove it from the file manager they are told that their will be some system instability, or God will kill a kitten or something similar.

Cuebot-K disables the Windows OS firewall and turns the PC into a zombie (tsumba) which hands over data to other computers or could be used for distributed denial-of-service attacks.

The worm writers apparently are betting that people will be looking for an update of WGA, and since the software has spyware-like capabilities they will not think that there is anything wrong with the way it is behaving when it is installed.

More here. µ