New malware poses as WGA validation and notification

A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named "Windows Genuine Advantage Validation Notification", as seen in this line in the HijackThis log.

O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe

Thanks to security MVPs at the Aumha forum, I was able to get a sample today -- this is one nasty little piece of malware. I tested it on a virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder, as shown in the HijackThis line above.

On my virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.

Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it's unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
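As an added example (not from the post), a small Python checker that scans HijackThis O23 and O4 lines for the indicators described above: the wgavn service, its binary in System32, and the services.exe copy in C:\Windows\etc\. The O23/O4 line patterns and the sample log lines are assumptions constructed here.

```python
import re

# HijackThis line shapes (as in the log excerpt quoted above):
#   O23 - Service: <display name> (<short name>) - <owner> - <image path>
#   O4 - HKLM\..\Run: [<value name>] <command>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Indicators taken from the write-up: the dropped binary in System32 and the
# services.exe copy in C:\Windows\etc\ (the real services.exe lives in System32).
DROPPED_FILES = ("\\wgavn.exe", "\\windows\\etc\\services.exe")


def classify(line):
    """Return a reason string if a HijackThis line matches an indicator, else None."""
    m = O23_RE.match(line)
    if m:
        path = m.group("path").lower()
        if m.group("short").lower() == "wgavn" or path.endswith(DROPPED_FILES):
            return "service runs the dropped wgavn/services.exe binary"
        # A WGA-sounding service with no owner string deserves a manual look
        # even if the file name has been changed.
        if "genuine advantage" in m.group("display").lower() and m.group("owner") == "Unknown owner":
            return "WGA-named service with unknown owner"
        return None
    m = O4_RE.match(line)
    if m and any(f in m.group("cmd").lower() for f in DROPPED_FILES):
        return "Run value starts a dropped binary"
    return None


def scan(log_text):
    """Return [(line, reason)] for every flagged line in a HijackThis log."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample log: the O23 wgavn line is the one quoted in the post; the
# other lines are made up here (the C:\WINDOWS\etc\services.exe Run value is hypothetical).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\etc\services.exe
"""

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason}: {line}")
```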

Update June 30: Infoworld now has this story on wgavn.exe and says Sophos is calling it an AOL Instant Messaging worm and a variant of the Cuebot family. Sophos named it W32.Cuebot-K.

Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDOS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.

Worms that spread through instant messaging programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named "wgavn.exe" to more people in the user's "Buddy List" but without a message, Cluley said.

Both victims posting for help in the forums had AIM, so I'm not surprised that's how it spread. The article says the worm immediately tries to contact two websites, but I observed it contacting three URLs and the firewall log showed four IP addresses.


These belong to AS35908 VPLSNET, as seen here on a tracert from dnsstuff.com. VPLS Inc.'s website can be seen here. The whois info for haxx.biz is very sketchy and stjohnspark.net is registered to Haxx Enterprises. Interesting.

Talkback

  • Someone's sick comment on WGA?

    With people comparing MS's WGA program to spyware, this mal sounds particularly sick, evil, and wrong on *all* levels. Whoever made it must have a really low opinion of MS, even lower than Linux and Mac fanbois.

    What I'd like to know is what IPs was it trying to call. I want to blacklist them in case I catch this when I'm not looking.
    Mr. Roboto
    • more likely to trick users

      I suspect the malware author made it look like WGA to try to fool users into thinking it's not malware.

      I'll update the post with the IP addresses in a while.
      Suzi_z
      • Some trick...

        The designer is rather clever...in that WGA -IS- malware taken from the perspective of anyone who doesn't like 3rd parties communicating with their machines without permission...this guy just copy-catted what MS did for his own ends in a bid to make some money. The casual end user has no means to tell the two apart until the AV and AS companies get some defs out to get rid of this crap.
        thejynxed
        • WGA, Windows Firewall

          Even though it didn't really shut anything down, it was not detected phoning home by Microsoft's firewall, but was detected by Zone Alarm and Kerio Firewall, and maybe others. Could it be that someplace in the code, MS knows where to defeat detection? Sooner or later someone will push a major virus through the Windows critical update hole.
          mypl8s4u2
  • Virus:Trj/Protestor.A

    Panda ActiveScan detected "Virus:Trj/Protestor.A" on the victim's system. Not only does the poor guy have to deal with the WGA Notification Tool, but some friggin' moron decides to make a statement to M$ by sticking it to him with this malicious crapware?
    Whomever thought that this was some perverted sort of justice should_________ < -- fill in the blank
    The "pre-release" version of the WGA Notification Tool was an absolutely absurd blunder by Microsoft ... the release of this malware is criminal. A bully preys on the innocent, a monopolist profits from them. If one cannot differentiate between them, then one should not be playing video games 18 hours a day.
    I hope the author of this malicious code goes to jail for a long, long time. ( And the cellmate's name is Bubba )
    MowGreen
    • Criminal

      If what this guy did was so terrible, why isn't anyone going after MS, who started the whole mess? What he did is no different than what MS did. WGA disabled detection of itself from Windows Firewall, it phoned Microsoft servers and relayed data, was hard as hell to remove, was uninvited but installed via user intervention. So what's the difference? Someone sell me a clue.
      mypl8s4u2
      • Want a sample ?

        Will gladly send you a sample of this malware for you to infect your system with.
        If you can resurrect the system, then go install the MS WGA Notification Tool afterwards.
        Then post back which was more destructive.

        Then maybe you'll be able to see the difference.
        MowGreen
      • someone is going after Microsoft

        Read the previous blog post. ;)
        Suzi_z
  • Nothing really new about these types of attacks.

    Is there now? Let's see what happens to Windows Vista when it hits the mainstream market. I've read an article about how a rootkit that cannot be detected will implant itself in Windows Vista and cause all sorts of problems. Damn, the OS hasn't matured yet and already the nasties are popping up. Perhaps switching to another OS, a reliable one, would be the key to all this.
    I'm Ye, the MS SHILL .
  • WGA Maleware

    Microsoft tech support and I couldn't find an answer to my specific problem until I found this article; in addition to having every symptom described, I also could not use Windows Update (error 0299)......
    salmonfire9
  • Prevx spotted this first on June 24th...

    You really should check out the Prevx online file database as they seem to be detecting and protecting against these nasties much sooner than anyone else (they were already protecting their userbase on the same day it was detected)...

    WGAVN.exe info:
    http://fileinfo.prevx.com/adware/qqfb4224505568-wgav18649028/wgavn.exe.html

    Prevx File Search:
    http://fileinfo.prevx.com/filesearch.asp
    Chris Pearson