A worm posing as Microsoft's WGA antipiracy tool is being spread by IM.
The malware spreads through AOL's Instant Messenger program, said Graham Cluley, senior technology consultant at Sophos, a security vendor.
Sophos is calling it W32.Cuebot-K, a variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two websites, a sign that it may try to download other malicious programs onto the machine.
Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDoS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.
Worms that spread through IM (instant messaging) programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named 'wgavn.exe' to more people in the user's 'Buddy List' but without a message, Cluley said.
If installed on a computer, Cuebot-K is registered as a new system device driver service named 'wgavn'. When the list of services running on the computer is displayed, the worm appears as 'Windows Genuine Advantage Validation Notification', Sophos said.
Cuebot-K's registry entry appears as HKLM\System\CurrentControlSet\Services\wgavn\.
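As an added example (not from Sophos or the original article), the Python sketch below checks a text export of the Services registry key for the indicators reported above: the 'wgavn' key name, the display name, and the 'wgavn.exe' file name. The function names, the sample export and its paths are constructed for illustration, and matching ImagePath against 'wgavn.exe' is an assumption, since the article names that file only as what is sent over IM.

```python
import re
# Indicators reported in the article above.
SERVICE_KEY = "wgavn"
DISPLAY_NAME = "Windows Genuine Advantage Validation Notification"
FILE_NAME = "wgavn.exe"
SERVICES_ROOT = r"hkey_local_machine\system\currentcontrolset\services" + "\\"

# Constructed sample export; the ImagePath values and ExampleSvc are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ImagePath"="\\??\\C:\\example\\wgavn.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"DisplayName"="Example Service"
"ImagePath"="C:\\example\\svc.exe"
'''

def parse_reg_export(text):
    """Return {service: {lowercased value name: value}} for keys directly under Services."""
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            name = key.group(1)[len(SERVICES_ROOT):]
            direct = key.group(1).lower().startswith(SERVICES_ROOT) and name and "\\" not in name
            current = services.setdefault(name, {}) if direct else None  # subkeys skipped
            continue
        val = re.fullmatch(r'"(.+?)"=(.*)', line)
        if val and current is not None:
            raw = val.group(2)
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg string escaping
            current[val.group(1).lower()] = raw
    return services

def find_cuebot_indicators(services):
    """Return {service: [matched indicators]}, compared case-insensitively."""
    hits = {}
    for name, values in services.items():
        image = values.get("imagepath", "").lower().rsplit("\\", 1)[-1]
        checks = [("service key name", name.lower() == SERVICE_KEY),
                  ("display name", values.get("displayname", "").lower() == DISPLAY_NAME.lower()),
                  ("image file name", image == FILE_NAME)]
        reasons = [label for label, matched in checks if matched]
        if reasons:
            hits[name] = reasons
    return hits
print(find_cuebot_indicators(parse_reg_export(SAMPLE_EXPORT)))
```

Reporting each indicator separately means an entry that reuses only the display name under a different key name is still flagged.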
The worm's ruse comes as Microsoft's WGA (Windows Genuine Advantage) program is being criticised for functioning like spyware. WGA collects hardware and software data on a user's computer and compares it to a database of licensed operating systems.
If an improper copy is detected, Microsoft warns the user and cuts off some free downloads.