W32.Cuebot-K worm appears as Microsoft antipiracy program

Sophos has named the fake Windows Genuine Advantage tool (wgavn.exe) W32/Cuebot-K, a worm.

Cuebot-K propagates by sending itself as a file named “wgavn.exe” to more people in the user’s “Buddy List” but without a message, Cluley said.

More in http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html

I just viewed Sophos' Threat analyses page (by name, letter C) but they don't have the article for Cuebot-K yet (maybe later).  At the time of this writing, they have articles for Cuebot-A to Cuebot-J only (at least it has been detected now, and let's hope that all other security vendors that have malware detection for worms will be able to protect users soon!)


@All instant messaging users,

Please see "Click a link.. get infected?" or read some tips for Safer Instant Messaging! to avoid such infections when using instant messengers.


Update:  Sophos now has its Cuebot-K article up, and it confirms that the worm W32/Cuebot-K spreads via AOL Instant Messenger. (Thanks to Microsoft MVP Harry Waldron)

WinPatrol v10 now monitors hidden files

WinPatrol PLUS 10 Image

The above image is from our friend –> Bits from Bill, and I find it not just a bit but a big bit because WinPatrol v10 now…

  • Monitor Hidden Files in critical system areas. A new list of Hidden Files is available to help you clean up your machine. Almost all new infiltrations and/or rootkits will attempt to hide their files, but Scotty can detect them in real-time before any serious damage can be done. While many hidden files are normal system files, the introduction of new hidden files should be questioned. Now it can be.  The ability to delete hidden files will allow proper system cleanup. Right-click on the hidden file to view or delete.

  • Ever wonder when a new file was first introduced to your system? 
    WinPatrol 10 detects and records the introduction of new program files and malware infiltrations. The “Date & Time Program First Detected” feature will allow you to detect files which have all infiltrated your system at the same time. Even if they have random file names or file names matching legitimate files you can sort files by Date Detected and Kill them all at once.

  • Lock File Type Associations  – A checkbox on the Options tab will allow you to keep your desired File Type associations settings without being annoyed by persistent programs.  Scotty will automatically restore your original settings.

  • More Secret Startup Locations including WinLogon/Notify
    WinPatrol PLUS now monitors even more non-traditional startup locations found in the registry. Disable unwanted programs, including Windows Genuine Advantage. Each subkey under Notify names a DLL that winlogon.exe loads at logon, which is exactly why malware likes to register there.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Examples: WGALogon (Windows Genuine Advantage), GoToMyPC, Adware.Look2Me (O20)

Download the new version here

The above new features in WinPatrol are BIG ones, so you should upgrade to it.  Upgrading also lets you take advantage of these improvements:

  • New and Improved
    Optimized for Multiple Security Programs
    WinPatrol PLUS 10 has been optimized to work even better with other security programs. No one program can protect you and we recommend you don’t rely on any single source of protection. WinPatrol PLUS 10 works even better while running other popular security and AntiSpyware programs.

  • PLUS Info one click away
    By popular request we’ve made PLUS Info available on our main program lists. Just right-click on a program title and the menu will let you connect to our online database.

Microsoft Security @ Home Features Windows Genuine Advantage

To help home users understand the importance of the Windows Genuine Advantage program, Microsoft is now featuring it on the Security At Home website:


Clicking on the featured program takes you to a page where Microsoft explains some of the risks of not having a genuine copy of Windows:
Screenshots are provided for the opt-in user experience



OpenOffice.org Security Bulletin 2006-06-29

OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.3 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.

The three vulnerabilities involve:
  • Java Applets, CVE-2006-2199
  • Macros, CVE-2006-2198
  • File Format, CVE-2006-3117


Apple OS X 10.4.7 .tiff "TIFFFetchAnyArray ()" DoS

Release Date:  June 29th, 2006
Severity: Low
Vendor: Apple
Versions Affected:  Apple OS X 10.4.7 and prior

TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: “II” for little endian and “MM” for big endian. The following two bytes contain the constant value 42. These values are followed by additional header fields and image data.

Technical Details:
When processing a malformed .tiff image file, the TIFFFetchAnyArray () function does not properly validate an invalid tag, causing the application that opened the file to crash. The issue is within the ImageIO parsing engine, so Preview, Finder, QuickTime and Safari are all potential attack vectors.

Vendor Status:
05/15/2006 – Vendor is notified
06/05/2006 – Vendor acknowledges the flaw but states that it has no security impact, and that no patch will be released.
06/29/2006 – Advisory released

Solution: Currently no patch has been released for this issue.

Discovered by: Tom Ferris
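The advisory above says only that an invalid tag makes the parser crash. The following is an added example, not Apple's ImageIO code and not Tom Ferris' test file: a bounds-checked walker for the TIFF header and first IFD that shows the checks a reader has to perform before trusting a tag's field type and count (the step that goes wrong in TIFFFetchAnyArray ()). The sample files are constructed here: one well-formed header, one with a count field of 0xFFFFFFFF, and one with an unknown field type.

```python
"""Bounds-checked TIFF header and IFD walker (added example, not Apple's
ImageIO code).  Every index into the file is checked before use."""
import struct

# Byte width of each TIFF 6.0 field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
ENTRY_LEN = 12          # tag(2) type(2) count(4) value-or-offset(4)

class TiffError(ValueError):
    """Raised for any structural problem instead of letting a bad index crash us."""

def parse_tiff(data: bytes) -> list:
    """Return the entries of the first IFD as dicts, raising TiffError if malformed."""
    if len(data) < 8:
        raise TiffError("truncated header")
    order = data[:2]
    if order == b"II":
        end = "<"                       # little endian
    elif order == b"MM":
        end = ">"                       # big endian
    else:
        raise TiffError("bad byte-order mark %r" % order)
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic %d" % magic)
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset outside file")
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    table = ifd_off + 2
    if table + ENTRY_LEN * n_entries > len(data):
        raise TiffError("IFD entry table runs past end of file")
    entries = []
    for i in range(n_entries):
        off = table + ENTRY_LEN * i
        tag, typ, count = struct.unpack(end + "HHI", data[off:off + 8])
        if typ not in TYPE_SIZES:
            # An unknown type has no size; a reader must not guess one.
            raise TiffError("tag %d: unknown field type %d" % (tag, typ))
        # In C the product count (uint32) * type size must be checked for
        # overflow before use; Python ints do not wrap, so only the bounds
        # check against the file length remains.
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            raw = data[off + 8:off + 8 + size]          # value stored inline
        else:
            (voff,) = struct.unpack(end + "I", data[off + 8:off + 12])
            if voff + size > len(data):
                raise TiffError("tag %d: %d values of type %d exceed file size"
                                % (tag, count, typ))
            raw = data[voff:voff + size]
        entries.append({"tag": tag, "type": typ, "count": count, "raw": raw})
    return entries

def build_tiff(order: bytes, entries: list) -> bytes:
    """Build a minimal single-IFD TIFF for testing. entries = (tag, type, count, payload);
    payloads over 4 bytes are stored after the IFD, as the format requires."""
    end = "<" if order == b"II" else ">"
    ifd_off = 8
    data_off = ifd_off + 2 + ENTRY_LEN * len(entries) + 4   # past entries + next-IFD link
    table, extra = struct.pack(end + "H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack(end + "I", data_off + len(extra))
            extra += payload
        table += struct.pack(end + "HHI", tag, typ, count) + field
    table += struct.pack(end + "I", 0)                        # no next IFD
    return order + struct.pack(end + "HI", 42, ifd_off) + table + extra

# Constructed samples: a well-formed 8x8 image header, the same file with the
# first tag's count patched to 0xFFFFFFFF (entry 0's count field sits at
# bytes 14..17), and the same file with an unknown type (bytes 12..13).
GOOD = build_tiff(b"II", [
    (256, 3, 1, struct.pack("<H", 8)),          # ImageWidth, SHORT
    (257, 3, 1, struct.pack("<H", 8)),          # ImageLength, SHORT
    (282, 5, 1, struct.pack("<II", 72, 1)),     # XResolution, RATIONAL (out-of-line)
])
BAD_COUNT = GOOD[:14] + b"\xff\xff\xff\xff" + GOOD[18:]
BAD_TYPE = GOOD[:12] + b"\x99\x00" + GOOD[14:]

def check(data: bytes) -> str:
    """Summarise a file the way a pre-parse validator would: 'ok' or the defect."""
    try:
        entries = parse_tiff(data)
    except TiffError as e:
        return "malformed: %s" % e
    return "ok (%d IFD entries)" % len(entries)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_COUNT", BAD_COUNT), ("BAD_TYPE", BAD_TYPE)):
        print(name, check(blob))
```

The two rejected samples are the shapes a fuzzer produces most often: a count whose product with the type width runs past the end of the file (or, in a 32-bit C reader, wraps around to something small), and a type code the reader has no width for. A parser that checks both before indexing degrades to an error message instead of a crash in whichever application opened the image.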


iTunes Advanced Audio Coding File Handling Integer Overflow Vulnerability


About the security content of iTunes 6.0.5

CVE-ID: CVE-2006-1467

Available for: Mac OS X v10.2.8 or later, Windows XP / 2000

Impact: An integer overflow in iTunes could cause a denial of service or lead to the execution of arbitrary code

Description: The AAC file parsing code in iTunes versions prior to 6.0.5 contains an integer overflow vulnerability. Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files. iTunes 6.0.5 is freely available from http://www.apple.com/itunes/download/.


Stolen VA Computer Recovered; What’s the lesson?

The government said Thursday that it has recovered the stolen laptop computer containing sensitive information for up to 26.5 million veterans and military personnel. The FBI said a preliminary review found no evidence that anyone accessed Social Security numbers and other data on the equipment.

More in http://www.cbsnews.com/stories/2006/06/29/national/main1763751.shtml

What can we learn from this?

First, CA 1386 provides exclusion for data that is encrypted. That should seem outright obvious to everyone. ENCRYPT IT!

That was blogged by McAfee AVERT

Argh! 2nd instance of fake Windows Genuine Advantage Notification

One earlier and now there's a 2nd … it's at Daniweb's forum (Thanks to Microsoft MVP Robear Dyer for the link).  The bad file is faking Microsoft's Windows Genuine Advantage Notification and Validation Tools.

As you can see in the earlier (first) report, there is a service named "Windows Genuine Advantage Validation Notification" and the offending filename is wgavn.exe.  Again, there is no Windows service for the legitimate Windows Genuine Advantage (WGA) tools by Microsoft.  Also, the names of the legitimate tools are:

  • Windows Genuine Advantage Validation Tool
  • Windows Genuine Advantage Notification Tool

Note that the Validation Tool doesn't have "Notification" in its name; the malware service does!

The "Windows Genuine Advantage Validation Notification" service is a disguise created by malware.  BTW, the offending file isn't detected yet by many antivirus programs (yup, the widely-used antivirus programs don't detect it yet) [:(] But let's not worry too much, because our malware fighters are doing their job.. you know.. fixing the infected systems, advising the community and notifying the security vendors.  You should help too by being careful about anything you do online.
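Since the tell here is a service that should not exist at all, the check below turns the post's two facts (no genuine WGA tool runs as a service; the file is wgavn.exe) into detection logic run over `sc qc` output. This is an added example, not from the original post or from any vendor. The sample output is constructed: the short service name `wgavn` and the system32 path are assumptions, only the display name and the file name wgavn.exe come from the reports above.

```python
"""Flag a fake "Windows Genuine Advantage" service in `sc qc` output.
Added example; the sample output is constructed, and the short name
`wgavn` plus the system32 path are assumptions, not from the reports."""
import re

SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: W32Time
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Time
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wgavn
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\wgavn.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Genuine Advantage Validation Notification
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text: str) -> list:
    """Split concatenated `sc qc` output into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[SC]"):
            continue
        key, sep, value = line.partition(":")   # first colon separates key from value
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services

def image_name(binary_path: str) -> str:
    """Executable file name from a BINARY_PATH_NAME (ignores quotes and svchost -k args)."""
    m = re.search(r'([^\\/"]+\.exe)', binary_path, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def find_fake_wga(services: list) -> list:
    """Return (service, reasons) for services matching the fake-WGA pattern."""
    flagged = []
    for svc in services:
        reasons = []
        if "genuine advantage" in svc.get("DISPLAY_NAME", "").lower():
            # Microsoft's WGA validation/notification tools install no service at all.
            reasons.append("display name claims to be WGA, but the genuine tools run no service")
        if image_name(svc.get("BINARY_PATH_NAME", "")) == "wgavn.exe":
            reasons.append("binary is wgavn.exe, the file name Cuebot-K spreads as")
        if reasons:
            flagged.append((svc, reasons))
    return flagged

if __name__ == "__main__":
    for svc, reasons in find_fake_wga(parse_sc_qc(SAMPLE_SC_QC)):
        print(svc["SERVICE_NAME"], "->", "; ".join(reasons))
```

On a real machine, feed it the concatenated output of `sc qc <name>` for every name that `sc query state= all` lists. The legitimate WGA notification component loads as a Winlogon Notify DLL (the WGALogon entry shown in the WinPatrol item above), not as a service, so any service wearing that display name deserves a look regardless of what its binary is called.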

20 Reasons Why Windows Vista Will Be Your Next OS

Security, power and performance, applied graphics and user interface improvements, wireless networking, desktop search, usability updates, new performance monitoring and diagnostics, and an upgraded bevy of onboard applications such as Internet Explorer 7+ and Windows Defender are some of the main areas where Microsoft has beefed up Vista. Enterprise features, such as expanded group policies, whole-drive encryption and hardware-agnostic Windows imaging, are especially welcome.

More in Computerworld (Thanks to Microsoft MVP James Fisher for the link)