RealTime IT News

New Virus Pretends to be WGA

UPDATED: A virus posing as Microsoft's controversial anti-piracy software is spreading via AOL's popular Instant Messenger network, but it appears to be more of a jab at Microsoft than a real threat.

The message does not spoof a contact from the user's Buddy List; it arrives from an unknown sender. The infection itself comes via a link in the instant message, and only if the user is foolish enough to click on a link sent by someone they don't know.

Once installed, the virus registers itself as a new system driver service named "wgavn" with the display name "Windows Genuine Advantage Validation Notification." If the user tries to stop it, a message warns that removing or stopping the service will cause system instability.

Unlike WGA, the virus poses a real danger because it disables the Windows firewall and opens a backdoor to the infected computer. It is not known at this point whether anyone has actually used a backdoor opened by the new virus.
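The two indicators the article gives, a driver-type service named "wgavn" carrying a WGA-branded display name and a disabled Windows firewall, are enough for a simple host check. The following script is an added example, not code from ESET or from the article: it parses the output of Windows' `sc query type= all` command (the sample text below is constructed, not captured from an infected machine) and flags the impostor service and a stopped firewall service. The assumption that a legitimate WGA component never runs as a kernel or file-system driver, and the use of SharedAccess as the Windows XP firewall service, are the author's, not the article's.

```python
"""Flag a WGA-impersonating service in `sc query` output (added example)."""
import re

# Constructed sample of `sc query type= all` output; not a real capture.
SAMPLE_SC_QUERY = """
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wgavn
DISPLAY_NAME: Windows Genuine Advantage Validation Notification
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

KNOWN_BAD_NAMES = {"wgavn"}          # service name reported for Win32/IRCBot.OO
DRIVER_TYPES = {0x1, 0x2}            # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
FIREWALL_SERVICE = "sharedaccess"    # assumption: Windows XP firewall/ICS service name


def parse_sc_query(text):
    """Turn `sc query` text into dicts: name, display, type_code, type_name, state."""
    services = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(.+?)\s*$", line)
        if m:
            current = {"name": m.group(1), "display": "",
                       "type_code": None, "type_name": "", "state": ""}
            services.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^DISPLAY_NAME:\s*(.*?)\s*$", line)
        if m:
            current["display"] = m.group(1)
            continue
        # sc prints the type code in hex ("20  WIN32_SHARE_PROCESS" is 0x20).
        m = re.match(r"^\s*TYPE\s*:\s*([0-9A-Fa-f]+)\s+(\S+)", line)
        if m:
            current["type_code"] = int(m.group(1), 16)
            current["type_name"] = m.group(2)
            continue
        m = re.match(r"^\s*STATE\s*:\s*\d+\s+(\S+)", line)
        if m:
            current["state"] = m.group(1)
    return services


def find_wga_impostors(services):
    """Return (service_name, [reasons]) for services matching the article's indicators."""
    findings = []
    for s in services:
        reasons = []
        if s["name"].lower() in KNOWN_BAD_NAMES:
            reasons.append("service name matches the Win32/IRCBot.OO indicator")
        # Assumption: a genuine WGA component is not installed as a driver.
        if "genuine advantage" in s["display"].lower() and s["type_code"] in DRIVER_TYPES:
            reasons.append("WGA-branded display name on a driver-type service")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def firewall_service_stopped(services):
    """True if the firewall service is present but not running; None if absent."""
    for s in services:
        if s["name"].lower() == FIREWALL_SERVICE:
            return s["state"] != "RUNNING"
    return None


if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_QUERY)
    for name, reasons in find_wga_impostors(svcs):
        print(f"SUSPECT {name}: " + "; ".join(reasons))
    if firewall_service_stopped(svcs):
        print("Windows firewall service is not running")
```

On a real machine, feed the script the saved output of `sc query type= all` instead of the constructed sample; a hit on the display-name heuristic alone is worth a second look, while a hit on the "wgavn" name is the indicator the article reports.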

"If you get it, it's as bad as any of them," said Randy Abrams, director of technical education for ESET Software, developer of the NOD32 antivirus program. "OK, it's not flashing your BIOS chip or grabbing specific banking info, but once you get a backdoor on a computer, it's trivial to download a bot or do much more."

ESET's virus hunters first heard of the WGA impersonator, which the company dubbed Win32/IRCBot.OO, on June 29 and received a sample on July 1. But Abrams admits it hasn't been thoroughly examined because, as threats go, this one is far down the list: it ranked 1,400th on ESET's threat list.

"The choice of names makes it clear it's an attack on WGA. Its effect is not in harming users but in making bad publicity for Microsoft," said Abrams.

Windows Genuine Advantage is a controversial Windows XP utility that checks whether the installation is pirated. It has drawn user ire and two lawsuits because Microsoft did not disclose what it does, and because users had to install WGA or forgo non-critical software updates from Microsoft.

At this point, Abrams notes, there are probably more names for the virus than there are infections. It's a long-standing problem in the antivirus world: every vendor gives a new virus a name of its own choosing. When a newly found virus comes in, the first concern is finding a fix, not naming conventions, Abrams pointed out.

According to the virus names list on AV-test.org, AVG calls the virus Worm/Opanki.IP; BitDefender, Backdoor.IRCBot.JV; F-Prot, a new variant of W32/Threat-HLLIM-based!Maximus; Kaspersky, Backdoor.Win32.IRCBot.st; McAfee, W32/Opanki.worm.gen; and Sophos, W32/Cuebot-K.

Updated from the prior version to correct the spelling of Abrams' name.