AIM worm exploits Windows Genuine Advantage commotion
A new worm has been released that disguises itself as a service for Windows Genuine Advantage. According to virus specialist Sophos, the contaminant called W32/Cuebot-K only spreads via AOL's Instant Messenger Service called AIM. It reaches the computers of potential victims as an executable file. Once a careless user has launched it, it copies itself into the Windows system directory as wgavn.exe and locks into the registry under the name "Windows Genuine Advantage Validation Notification" so it can remain active even after the computer is rebooted. In addition, Cuebot changes various security and firewall settings. Probably via a connection to an IRC server, it receives commands from its source through a back door. Sophos says that the worm is not very widespread yet.
The clever selection of the filename will probably lead many users to believe that these suspicious files and registry entries are not dangerous, if they notice them at all. In the past few weeks, plans for mandatory WGA installation have repeatedly been in the news. Microsoft has stated that it wants to use this check of genuineness to combat product piracy better. But Microsoft does not distribute software via Instant Messenger services. Any files offered without solicitation via such services should be handled with the utmost caution. The best thing to do is delete them immediately or not accept them in the first place.