Author Topic: Malware poses as WGA Notifications tool  (Read 3258 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Malware poses as WGA Notifications tool
« on: July 01, 2006, 01:47:29 PM »
Hi malware fighters,

Malware authors have written a worm that poses as the WGA Notifications tool, the worm is hidden in a file named "wgavn.exe", known as Cuebot. Info on this malware can be found here:

http://www.sophos.com/security/analyses/w32cuebotk.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86919
  • No support PMs thanks
Re: Malware poses as WGA Notifications tool
« Reply #1 on: July 01, 2006, 02:47:02 PM »
Didn't take them long to hop on the latest hot topic, although I would have thought they would achieve a greater social engineering success if it was touted as a WGA removal tool, perhaps they are already doing that too.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NonSuch

  • Guest
Re: Malware poses as WGA Notifications tool
« Reply #2 on: July 03, 2006, 12:30:37 PM »
This nasty doesn't masquerade as the WGA tool in order to get on the system... it simply utilizes AOL Instant Messenger to get on the system then masquerades as the WGA tool in an attempt to look innocent and blend in with its surroundings so it doesn't get booted out. 

This is a particularly nasty piece of work.  It establishes a back door then turns off AV, firewall and other security programs as well.  It also tweaks the registry so those programs cannot be turned back on again and makes additional changes so that the security center will no longer alert the user that their system is unprotected.   

If this thing got on my system, I would probably just nuke and pave as there is no way I could be certain of my system's security after this malware had free rein to tamper with the system settings, etc.

There's an article on it here...

http://blogs.zdnet.com/Spyware/?p=838

You can see it in action here...

http://aumha.net/viewtopic.php?p=118674


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!