After having registered my displeasure with the Windows Genuine Advantage (WGA) Notification tool for computers that have passed validation (see "Garden Phone?"), I admit that I was not surprised to learn that there is already a worm that spreads through AIM (AOL Instant Messenger) and disguises itself as WGA. As reported by Jeremy Kirk of "IDG News Service" on Friday, June 30, 2006, in "Worm Masquerades as Microsoft Antipiracy Program":
"Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two Web sites, a sign it may try to download other bad programs on the machine."
Mr. Kirk also reported from Sophos PLC, a security vendor, that Cuebot-K can disable other software, shut off the Windows firewall, download other malicious programs, perform DDoS (distributed denial of service) attacks, and more.
Update Note: See Suzi Turner's analysis, "New malware poses as WGA validation and notification".