<body>
What's New
 
    

New Virus Pretends to be WGA

UPDATED: A virus posing as Microsoft's controversial anti-piracy software is spreading via AOL's popular Instant Messenger network, but it appears to be more of a jab at Microsoft than a real threat.

The message itself does not spoof someone in the user's Buddy list; it comes in from an unknown sender. The virus then arrives via a link in the instant message, should the user be foolish enough to click on a link sent by someone they don't know.

Once infected, the virus registers itself as a new system driver service named "wgavn" and has the public display name of "Windows Genuine Advantage Validation Notification." If the user shuts it down, the user is informed that removing or stopping the service will cause system instability.
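A defender can triage a host for the service name and display name given above. The following is an added example, not code from the article or from any vendor: it parses the text printed by `sc query type= all` and flags records that match either indicator, in case a copy reuses the display name under another service name. The sample listing is constructed, and the service name `updsvc` in it is hypothetical.

```python
# Indicators taken from the article text.
IOC_SERVICE_NAME = "wgavn"
IOC_DISPLAY_NAME = "Windows Genuine Advantage Validation Notification"

# Constructed sample of `sc query type= all` output (not from a real host).
# "updsvc" is a hypothetical name used to show a display-name-only match.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: wgavn
DISPLAY_NAME: Windows Genuine Advantage Validation Notification
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING

SERVICE_NAME: updsvc
DISPLAY_NAME: windows genuine advantage  validation notification
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
"""

def parse_sc_query(text):
    """Split `sc query` output into one dict per service record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and flag lines such as "(STOPPABLE, ...)"
        key, value = key.strip().upper(), value.strip()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records

def normalise(s):
    """Collapse whitespace and case so cosmetic variations still match."""
    return " ".join(s.split()).casefold()

def find_wga_impersonators(text):
    """Return (service name, type, matched indicators) for each suspect record."""
    hits = []
    for rec in parse_sc_query(text):
        reasons = []
        if normalise(rec["SERVICE_NAME"]) == IOC_SERVICE_NAME:
            reasons.append("service name")
        if normalise(rec.get("DISPLAY_NAME", "")) == normalise(IOC_DISPLAY_NAME):
            reasons.append("display name")
        if reasons:
            hits.append((rec["SERVICE_NAME"], rec.get("TYPE", "?"), reasons))
    return hits
```

A hit is a lead for further examination of the host, not a verdict; the TYPE field is returned so the analyst can see whether the record is registered as a driver, as the article describes.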

Unlike WGA, the virus poses a real danger because it disables the Windows firewall and opens a backdoor to the infected computer. It's not known at this point whether anyone has actually exploited such an opening caused by the new virus.

"If you get it, it's as bad as any of them," said Randy Abrams, director of technical education for Eset Software, developer of the NOD32 antivirus program. "Ok, it's not flashing your BIOS chip or grabbing specific banking info, but once you get a backdoor on a computer, it's trivial to download a bot or do much more."

Eset's anti-virus hunters first heard of the WGA impersonator, which they dubbed Win32/IRCBot.OO, on June 29 and received a sample of the virus on July 1. But Abrams admits it hasn't been thoroughly examined because, as far as threats go, this one is pretty far down the list. It ranked 1,400 on Eset's threat list.

"The choice of names makes it clear it's an attack on WGA. Its effect is not in harming users but in making bad publicity for Microsoft," said Abrams.

Windows Genuine Advantage is a controversial utility in Windows XP that verifies that the installation is not pirated. However, it has drawn user ire and two lawsuits over the fact that Microsoft did not disclose what it does. Also, users were forced to download WGA or forfeit receiving non-critical software updates from Microsoft.

At this point, Abrams notes there are probably more names for the virus than there are infections. It's a long-standing problem in the antivirus vendor world; every vendor gives a new virus its own choice of name. When a new-found virus comes in, the first concern is finding a fix, not worrying about naming conventions, Abrams pointed out.

According to the virus names list on AV-test.org, AVG calls the virus Worm/Opanki.IP; BitDefender calls it Backdoor.IRCBot.JV; F-Prot calls it a new variant of W32/Threat-HLLIM-based!Maximus; Kaspersky calls it Backdoor.Win32.IRCBot.st; McAfee calls it W32/Opanki.worm.gen; and Sophos calls it W32/Cuebot-K.

Updates prior version to correct spelling of Abrams' name.

New Virus Pretends to be WGA - Thursday, July 13, 2006


© 2006 What's New