Author Topic: Malware poses as WGA Notifications tool  (Read 3550 times)

Offline polonus

Malware poses as WGA Notifications tool
« on: July 01, 2006, 01:47:29 PM »
Hi malware fighters,

Malware authors have written a worm that poses as the WGA Notifications tool; the worm is hidden in a file named "wgavn.exe", known as Cuebot. Info on this malware can be found here:

http://www.sophos.com/security/analyses/w32cuebotk.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online DavidR

Re: Malware poses as WGA Notifications tool
« Reply #1 on: July 01, 2006, 02:47:02 PM »
Didn't take them long to hop on the latest hot topic, although I would have thought they would achieve a greater social engineering success if it was touted as a WGA removal tool; perhaps they are already doing that too.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NonSuch

  • Guest
Re: Malware poses as WGA Notifications tool
« Reply #2 on: July 03, 2006, 12:30:37 PM »
This nasty doesn't masquerade as the WGA tool in order to get on the system... it simply utilizes AOL Instant Messenger to get on the system then masquerades as the WGA tool in an attempt to look innocent and blend in with its surroundings so it doesn't get booted out. 

This is a particularly nasty piece of work.  It establishes a back door then turns off AV, firewall and other security programs as well.  It also tweaks the registry so those programs cannot be turned back on again and makes additional changes so that the security center will no longer alert the user that their system is unprotected.   

If this thing got on my system, I would probably just nuke and pave as there is no way I could be certain of my system's security after this malware had free rein to tamper with the system settings, etc.

There's an article on it here...

http://blogs.zdnet.com/Spyware/?p=838

You can see it in action here...

http://aumha.net/viewtopic.php?p=118674

