Saturday, July 01, 2006

New malware poses as WGA validation and notification

This is a concern and I wanted to let y'all know about it. In a negative sense of perfect timing, there is malware that masquerades as Windows Genuine Advantage.
From ZDNet's Spyware Confidential:
A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named "Windows Genuine Advantage Validation Notification", as seen in this line in the HijackThis log.

O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe

Thanks to security MVPs at the Aumha forum [ (In our little "brush with greatness) JAE (who owns aumha) was at GM 2001], I was able to get a sample today — this is one nasty little piece of malware. I tested it on a virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.

The rest of the article is here lots of good info, and I believe a basic primer on the methods that crackerz use to socially engineer themselves onto a system.


No comments:

Post a Comment

All comments are moderated.

Note: Only a member of this blog may post a comment.