Adware, malware, spyware, hijacker discussion and information
Post subject: Malware Masquerades As WGA
PostPosted: Thu Jun 29, 2006 3:58 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15506
Location: PHX, AZ
Well, it didn't take too long for the malware writers to craft a bit of nastiness that fakes Microsoft's WGA tool and notification files.

So far there are two instances, one at the AUMHA forums and one at the DanisWeb Forum.

The malware guys insert it as a fake Windows service, calling it, as it appears in a HJT log file:
Quote:
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe<<<--fake file

The correct file resides in the System32 folder and there is no service associated with it.

The name is also slightly different from the original MS ones:
  • Windows Genuine Advantage Validation Tool
  • Windows Genuine Advantage Notification Tool

Kudos to the many MS MVPs working on this to gather file information and registry changes, not to mention submit the files to all the appropriate vendors to be added to their definition databases.

All the above information was gathered by them and published among many blogs and websites.

I'll add a list of blog sites mentioning this as soon as I collect some.

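Added here as an illustration (not part of the original post): a small Python check that parses the O23 service lines of a HijackThis log and flags the fake WGA service described above, relying on the fact that the genuine WGA Validation and Notification tools register no Windows service. The sample log lines are constructed, not taken from the thread.

```python
import re

# Constructed sample HijackThis log excerpt (not from the thread); the second
# O23 line mirrors the fake service the post describes.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\\WINDOWS\\system32\\wgavn.exe
"""

# O23 lines have the shape: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)\s*$")


def parse_o23(log_text):
    """Return a list of {name, owner, path} dicts, one per O23 line in the log."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def flag_fake_wga(services):
    """Flag O23 entries posing as WGA.

    The genuine WGA Validation Tool and Notification Tool install no service, so any
    service whose display name claims to be WGA is suspect, as is the wgavn.exe image
    name from the post. 'Unknown owner' is recorded as a supporting indicator only.
    """
    findings = []
    for svc in services:
        reasons = []
        if "windows genuine advantage" in svc["name"].lower():
            reasons.append("WGA-named service (genuine WGA registers no service)")
        if svc["path"].lower().endswith("\\wgavn.exe"):
            reasons.append("image name wgavn.exe matches the fake reported in the post")
        if reasons and svc["owner"].lower() == "unknown owner":
            reasons.append("no vendor information on the service")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_fake_wga(parse_o23(SAMPLE_HJT_LOG)):
        print(f"{hit['name']} -> {hit['path']}: {'; '.join(hit['reasons'])}")
```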
Post subject:
PostPosted: Thu Jun 29, 2006 6:11 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15506
Location: PHX, AZ
List of blogs mentioning the fake WGA malware:
  • Spyware Confidential
  • Donna's Security Flash
  • Susan Bradley SMB Blog

Last edited by TeMerc on Sat Jul 01, 2006 9:42 am, edited 1 time in total.

Post subject:
PostPosted: Thu Jun 29, 2006 10:13 pm
Moderators
Joined: Wed Feb 02, 2005 9:47 am
Posts: 2570
Location: South Central Montana USA
Hmmm, well now there is competition for the "real" M$ spyware tool??? :roll:


Post subject:
PostPosted: Sun Jul 02, 2006 7:52 pm
Security Developer
Joined: Tue Dec 27, 2005 2:05 pm
Posts: 56
Hi Guys,

It would seem I'm a little late on this particular beastie. I haven't personally seen a sample of it yet. If any of you should happen to have it, and wouldn't mind sharing for addition to the BugHunters database, I'd be grateful. :)


Post subject:
PostPosted: Sun Jul 02, 2006 8:13 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15506
Location: PHX, AZ
Raid wrote:
Hi Guys,

It would seem I'm a little late on this particular beastie. I haven't personally seen a sample of it yet. If any of you should happen to have it, and wouldn't mind sharing for addition to the BugHunters database, I'd be grateful. :)

This is already in some AV databases; it seemed to originate/spread via IM, see here.

I think I may be able to get a copy; I'll have to ask around some. So far it's only been submitted to the AV/anti-spyware vendors.

And there is also a new one called windowsvista.exe spreading around via P2P, and it's only recognised by a couple of AV companies as of right now.


Post subject:
PostPosted: Mon Jul 03, 2006 5:50 am
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3491
Location: Newcastle, UK
They're easily found if one hunts the likes of the FastTrack/Gnutella networks... all you need is its original filename (i.e. wgavn.exe). Some silly bugger always seems to be unaware that they're spreading infected crap.

_________________
Regards

Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!


Post subject:
PostPosted: Mon Jul 03, 2006 2:47 pm
Security Developer
Joined: Tue Dec 27, 2005 2:05 pm
Posts: 56
MysteryFCM wrote:
They're easily found if one hunts the likes of the FastTrack/Gnutella networks... all you need is its original filename (i.e. wgavn.exe). Some silly bugger always seems to be unaware that they're spreading infected crap.

Excellent. I'll have to do a little P2P research, as I'm not loading Kazaa to access it. :)

I picked up a nice lot of samples today from an infected machine. I've submitted one to VirusTotal, but after being put in a queue for 45 minutes, I determined it would be an all-day thing to get them all up there.


Post subject:
PostPosted: Tue Jul 04, 2006 11:14 pm
Freeware Research Specialist
Joined: Wed Feb 02, 2005 12:13 am
Posts: 562
Location: OHIO, USA
Hi Raid,

You certainly don't need Kazaa to get into P2P.

You might try:
LimeWire 4.1.3
License: Free
File size: 350.7K
Minimum requirements: Windows 95/98/Me/NT/2000/XP
Rating: 4 out of 5

Cementing its role as the quintessential Gnutella client, LimeWire remains one of the most trusted P2P applications.
http://www.download.com/LimeWire/3000-2 ... 51892.html

Have fun!

_________________
http://clifnotes.net
Devoted to promoting freeware and free information