New malware poses as WGA validation and notification
A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named "Windows Genuine Advantage Validation Notification", as seen in this line in the HijackThis log.
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
Thanks to security MVPs at the Aumha forum, I was able to get a sample today -- this is one nasty little piece of malware. I tested it on a virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.
On my virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.
Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it's unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
Update June 30: Infoworld now has this story on wgavn.exe and says Sophos is calling it an AOL Instant Messaging worm and a variant of the Cuebot family. Sophos named it W32.Cuebot-K.
Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDOS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.
Worms that spread through instant messaging programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named "wgavn.exe" to more people in the user's "Buddy List" but without a message, Cluley said.
Both victims posting for help in the forums had AIM, so I'm not surprised that's how it spread. The article says the worm immediately tries to contact two websites, but I observed it contacting three URLs and the firewall log showed four IP addresses.
eepny.stjohnspark.net
ljrpq.haxx.biz
kroqc.haxx.biz
209.11.244.114
209.11.244.115
209.11.244.162
209.11.244.165
These belong to AS35908 VPLSNET, as seen here on a tracert from dnsstuff.com. VPLS Inc.'s website can be seen here. The whois info for haxx.biz is very sketchy, and stjohnspark.net is registered to Haxx Enterprises. Interesting.
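The indicators above (the wgavn service name, the two dropped file paths, the three hostnames and the four IPs) collected into a small offline checker, as an added example that is not part of the original post. It parses HijackThis O23 (service) and O4 (Run key) lines and a firewall-style log. All sample log lines are constructed; the O4 entry that launches C:\WINDOWS\etc\services.exe and the destination ports are assumptions made to exercise the check, since the post does not say how that file is started or which ports were used.

```python
"""Offline IOC check for the wgavn.exe / Cuebot-K indicators from the post.

Added example, not part of the original post. Indicator values are the ones
listed in the post; the log lines at the bottom are constructed samples.
"""
import re
from typing import List

# Indicators from the post.
SERVICE_NAMES = {"wgavn"}
FILE_PATHS = {
    r"c:\windows\system32\wgavn.exe",
    r"c:\windows\etc\services.exe",
}
C2_HOSTS = {"eepny.stjohnspark.net", "ljrpq.haxx.biz", "kroqc.haxx.biz"}
C2_DOMAINS = {"haxx.biz", "stjohnspark.net"}  # registrant domains noted in the post
C2_IPS = {"209.11.244.114", "209.11.244.115", "209.11.244.162", "209.11.244.165"}

# HijackThis line formats for services (O23) and Run keys (O4).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def norm_path(p: str) -> str:
    """Lower-case and keep only the executable part of a command line."""
    p = p.strip()
    m = re.match(r'^"?(.*?\.exe)', p, re.IGNORECASE)
    return (m.group(1) if m else p).lower()


def scan_hijackthis(lines: List[str]) -> List[str]:
    """Return findings for O23 services and O4 Run entries that match the indicators."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            name, path = m.group("name").lower(), norm_path(m.group("path"))
            if name in SERVICE_NAMES or path in FILE_PATHS:
                findings.append(f"service {m.group('name')} -> {path}")
            continue
        m = O4_RE.match(line)
        if m:
            cmd = norm_path(m.group("cmd"))
            if cmd in FILE_PATHS:
                findings.append(
                    f"run key {m.group('hive')}\\{m.group('key')} [{m.group('value')}] -> {cmd}"
                )
    return findings


def is_c2_host(host: str) -> bool:
    """Exact C2 hostnames from the post, plus anything under the two registrant domains."""
    h = host.lower().rstrip(".")
    return h in C2_HOSTS or any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_network_log(lines: List[str]) -> List[str]:
    """Flag log lines that reference a C2 IP address or hostname."""
    findings = []
    for line in lines:
        ips = set(IPV4_RE.findall(line)) & C2_IPS
        hosts = [t for t in HOST_RE.findall(line) if is_c2_host(t)]
        if ips or hosts:
            findings.append(line.strip())
    return findings


# Constructed sample lines. The O23 line reproduces the entry quoted in the post;
# the O4 line for services.exe is an assumption (the post does not say how it starts).
SAMPLE_HIJACKTHIS = [
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe",
    r"O4 - HKLM\..\Run: [services] C:\WINDOWS\etc\services.exe",
    r"O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe",
    r"O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe",
]

# Constructed firewall-style lines plus one DNS-query line; ports are invented.
SAMPLE_NETWORK_LOG = [
    "2006-06-28 10:15:01 OPEN TCP 192.168.1.5 209.11.244.114 1042 6667",
    "2006-06-28 10:15:03 OPEN TCP 192.168.1.5 72.14.207.99 1043 80",
    "2006-06-28 10:15:05 DROP UDP 192.168.1.5 209.11.244.165 1044 53",
    "2006-06-28 10:15:08 DNS query ljrpq.haxx.biz",
]

if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_HIJACKTHIS) + scan_network_log(SAMPLE_NETWORK_LOG):
        print("HIT:", f)
```

Run it against a real HijackThis log and firewall export by replacing the two sample lists with the file contents; the domain-level match in is_c2_host is deliberately broader than the three hostnames in the post, so review any hit under haxx.biz or stjohnspark.net rather than treating it as confirmed.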
Talkback
Someone's sick comment on WGA?
What I'd like to know is what IPs was it trying to call. I want to blacklist them in case I catch this when I'm not looking.
more likely to trick users
I'll update the post with the IP addresses in a while.
Some trick...
WGA, Windows Firewall
Virus:Trj/Protestor.A
Whomever thought that this was some perverted sort of justice should_________ < -- fill in the blank
The " pre-release " version of the WGA Notification Tool was an absolutely absurd blunder by Microsoft ... the release of this malware is criminal. A bully preys on the innocent, a monopolist profits from them. If one can not differentiate between them, then one should not be playing video games 18 hours a day.
I hope the author of this malicious code goes to jail for a long, long time. ( And the cellmate's name is Bubba )
Criminal
Want a sample ?
If you can resurrect the system, then go install the MS WGA Notification Tool afterwards.
Then post back which was more destructive.
Then maybe you'll be able to see the difference.
someone is going after Microsoft
Nothing really new about these types of attacks.
WGA Malware
Prevx spotted this first on June 24th...
WGAVN.exe info:
http://fileinfo.prevx.com/adware/qqfb4224505568-wgav18649028/wgavn.exe.html
Prevx File Search:
http://fileinfo.prevx.com/filesearch.asp