The fake Windows Genuine Advantage tool (wgavn.exe) has been named W32.Cuebot-K by Sophos, which classifies it as a worm.
Cuebot-K propagates by sending itself as a file named “wgavn.exe” to more people in the user’s “Buddy List” but without a message, Cluley said.
More in http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html
I just viewed Sophos' Threat Analyses page (by name, letter C), but they don't have the article for Cuebot-K yet (maybe later). At the time of this writing they have articles for Cuebot-A to Cuebot-J only. At least it is being detected now, and let's hope that all the other security vendors with worm detections will be able to protect their users soon!
@All instant messaging users,
The above image is from our friend Bits from Bill, and I find it not just a bit but a big bit, because WinPatrol v10 now…
Monitors hidden files in critical system areas. A new list of Hidden Files is available to help you clean up your machine. Almost all new infiltrations and/or rootkits will attempt to hide their files, but Scotty can detect them in real time before any serious damage is done. While many hidden files are normal system files, the introduction of new hidden files should be questioned. Now it can be. The ability to delete hidden files allows proper system cleanup. Right-click on the hidden file to view or delete it.
Ever wonder when a new file was first introduced to your system?
WinPatrol 10 detects and records the introduction of new program files and malware infiltrations. The “Date & Time Program First Detected” feature lets you spot files that all infiltrated your system at the same time. Even if they have random file names or names matching legitimate files, you can sort by Date Detected and kill them all at once.
Lock File Type Associations – A checkbox on the Options tab will allow you to keep your desired File Type associations settings without being annoyed by persistent programs. Scotty will automatically restore your original settings.
More Secret Startup Locations including WinLogon/Notify
WinPatrol PLUS now monitors even more non-traditional startup locations found in the registry. Disable unwanted programs, including Windows Genuine Advantage.
Examples: WGALogon (Windows Genuine Advantage), GoToMyPC, Adware.Look2Me (O20)
Download the new version here
The new features above are BIG ones, so you should upgrade to WinPatrol 10. Upgrading also lets you take advantage of these improvements:
New and Improved
Optimized for Multiple Security Programs
WinPatrol PLUS 10 has been optimized to work even better with other security programs. No one program can protect you, and we recommend that you don't rely on any single source of protection. WinPatrol PLUS 10 now runs more smoothly alongside other popular security and anti-spyware programs.
PLUS Info one click away
By popular request we’ve made PLUS Info available on our main program lists. Just right-click on a program title and the menu will let you connect to our online database.
OpenOffice.org 2.0.3 fixes three security vulnerabilities that were found through internal security audits. Although there are currently no known exploits, all users of 2.0.x prior to 2.0.3 are urged to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
The three vulnerabilities involve:
Java Applets, CVE-2006-2199
Macro, CVE-2006-2198; and
File Format, CVE-2006-3117
Release Date: June 29th, 2006
Versions Affected: Apple OS X 10.4.7 and prior
TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: “II” for little endian and “MM” for big endian. The following two bytes contain the constant value 42. These values are followed by additional header fields and image data.
When processing a malformed .tiff image file, the TIFFFetchAnyArray() function does not properly validate an invalid tag, causing the application that opened the file to crash. The issue is in the ImageIO parsing engine, so Preview, Finder, QuickTime and Safari are all potential attack vectors: any of them will hand a .tiff to ImageIO without further checks.
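The header layout described above, turned into a bounds-checking parser, as an added example that is not part of the original advisory and is not Apple's ImageIO or libtiff code. It reads the byte-order mark, the magic value 42 and the offset of the first image file directory (IFD), then refuses any tag whose type, count or data offset would reach outside the file, which is the check a malformed array tag must hit before anything is read. The sample images and the oversized-count tag are constructed here; they are not the proof-of-concept file from the advisory, which is not included on this page.

```python
import struct

# Byte size of each TIFF 6.0 field type (1=BYTE ... 12=DOUBLE).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class TiffError(ValueError):
    """Raised for any header or IFD field that cannot be trusted."""


def parse_tiff(data, max_entries=4096):
    """Parse the 8-byte header and the first IFD of a TIFF image.

    Every offset and length is checked against len(data) before it is used, so a
    malformed tag leads to a clean rejection instead of an out-of-bounds read.
    Returns (byte_order, entries); each entry is (tag, field_type, count, value_or_offset).
    """
    if len(data) < 8:
        raise TiffError("file shorter than the 8-byte TIFF header")
    bom = data[0:2]
    if bom == b"II":
        end = "<"                      # little endian
    elif bom == b"MM":
        end = ">"                      # big endian
    else:
        raise TiffError("bad byte-order mark %r" % bom)
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic %d (expected 42)" % magic)
    # The IFD starts with a 2-byte entry count, so at least 2 bytes must exist there.
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset 0x%x lies outside the file" % ifd_off)
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    if n_entries == 0 or n_entries > max_entries:
        raise TiffError("implausible IFD entry count %d" % n_entries)
    entries_start = ifd_off + 2
    entries_end = entries_start + 12 * n_entries + 4      # +4 for the next-IFD pointer
    if entries_end > len(data):
        raise TiffError("IFD with %d entries runs past end of file" % n_entries)

    entries = []
    for i in range(n_entries):
        off = entries_start + 12 * i
        tag, ftype, count, value = struct.unpack(end + "HHII", data[off:off + 12])
        size = TYPE_SIZES.get(ftype)
        if size is None:
            raise TiffError("tag %d: unknown field type %d" % (tag, ftype))
        total = size * count
        # In 32-bit C this product wraps: 4 * 0x40000000 == 0, so a check written as
        # (value + size*count <= len) passes and the copy runs off the buffer. Python
        # integers do not wrap, but the bound still has to be enforced explicitly.
        if total > 4 and value + total > len(data):
            raise TiffError("tag %d: %d bytes at offset 0x%x run past end of file"
                            % (tag, total, value))
        entries.append((tag, ftype, count, value))
    return bom.decode("ascii"), entries


def check_tiff(data):
    """Return 'ok' or 'rejected: <reason>' for a candidate TIFF."""
    try:
        parse_tiff(data)
        return "ok"
    except TiffError as e:
        return "rejected: %s" % e


def build_tiff(entries, little_endian=True, data_blob=b""):
    """Assemble a single-IFD TIFF from (tag, type, count, value) tuples: header,
    IFD at offset 8, then data_blob. Constructed test input, not a real image."""
    end = "<" if little_endian else ">"
    header = (b"II" if little_endian else b"MM") + struct.pack(end + "HI", 42, 8)
    ifd = struct.pack(end + "H", len(entries))
    for tag, ftype, count, value in entries:
        ifd += struct.pack(end + "HHII", tag, ftype, count, value)
    ifd += struct.pack(end + "I", 0)                       # no next IFD
    return header + ifd + data_blob


# Constructed 1x1, 8-bit greyscale image: six baseline tags (SHORT=3, LONG=4).
# Header (8) + count (2) + 6*12 + next-IFD pointer (4) = 86, so pixel data starts at 86.
GOOD_ENTRIES = [
    (256, 3, 1, 1),     # ImageWidth
    (257, 3, 1, 1),     # ImageLength
    (258, 3, 1, 8),     # BitsPerSample
    (273, 4, 1, 86),    # StripOffsets: one byte of pixel data at offset 86
    (278, 3, 1, 1),     # RowsPerStrip
    (279, 4, 1, 1),     # StripByteCounts
]


def good_sample(little_endian=True):
    return build_tiff(GOOD_ENTRIES, little_endian, data_blob=b"\x00")


def bad_sample():
    """Same image plus a LONG tag whose count*size is 4 GiB: a malformed array tag
    (constructed here). Its data claims to start at offset 86 but would run far past EOF."""
    return build_tiff(GOOD_ENTRIES + [(282, 4, 0x40000000, 86)], data_blob=b"\x00")


if __name__ == "__main__":
    print(check_tiff(good_sample()))        # ok
    print(check_tiff(bad_sample()))         # rejected: tag 282: ...
```

Run it as a script and it prints the verdict for the well-formed constructed image and for the one carrying the oversized tag; feed `check_tiff()` any file's bytes to triage it before handing it to an image library. The parser deliberately stops at the first IFD and does not decode pixel data, because the point is the header and tag validation that the advisory says was missing.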
05/15/2006 – Vendor is notified
06/05/2006 – Vendor acknowledges the report but states that the flaw has no security impact and that no patch will be released.
06/29/2006 – Advisory released
Solution: Currently no patch has been released for this issue.
Discovered by: Tom Ferris
Apple iTunes Advanced Audio Coding File Handling Integer Overflow Vulnerability
About the security content of iTunes 6.0.5
Available for: Mac OS X v10.2.8 or later, Windows XP / 2000
Impact: An integer overflow in iTunes could cause a denial of service or lead to the execution of arbitrary code
Description: The AAC file parsing code in iTunes versions prior to 6.0.5 contains an integer overflow vulnerability. Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files. iTunes 6.0.5 is freely available from http://www.apple.com/itunes/download/.
Read the response of CastleCops to that person – Leo Stoller (Stoller targets “CastleCops” trademark)
The government said Thursday that it has recovered the stolen laptop computer containing sensitive information for up to 26.5 million veterans and military personnel. The FBI said a preliminary review found no evidence that anyone accessed Social Security numbers and other data on the equipment.
More in http://www.cbsnews.com/stories/2006/06/29/national/main1763751.shtml
What can we learn from this?
First, CA 1386 provides exclusion for data that is encrypted. That should seem outright obvious to everyone. ENCRYPT IT!
That was blogged by McAfee AVERT
There was one report earlier, and now there's a second: it's at Daniweb's forum (thanks to Microsoft MVP Robear Dyer for the link). The bad file is faking Microsoft's Windows Genuine Advantage Notification and Validation Tools.
As you can see in the earlier (first) report, there is a service named “Windows Genuine Advantage Validation Notification” and the offending file is wgavn.exe. Again, the legitimate Windows Genuine Advantage (WGA) tools from Microsoft do not install any Windows service. Also, the names of the legitimate tools are:
- Windows Genuine Advantage Validation Tool
- Windows Genuine Advantage Notification Tool
Note that the legitimate Validation Tool doesn't have “Notification” in its name; the malware's service does!
“Windows Genuine Advantage Validation Notification” is a disguised Windows service created by malware. BTW, the offending file isn't detected yet by many antivirus programs (yup, the widely used ones don't detect it yet) [:(] But let's not worry too much, because our malware fighters are doing their job: fixing the infected systems, advising the community and notifying the security vendors. You should help too by being careful about anything you do online.
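The two tells above (the legitimate WGA tools install no service, and the reports name a specific fake display name and binary) as a small detection script, added here as an example and not taken from either forum report or from any vendor tool. It walks the service list and flags any entry whose display name mentions Windows Genuine Advantage or whose image path resolves to wgavn.exe. The registry walker runs only on Windows; the sample service list is constructed here and is not captured from an infected machine.

```python
import ntpath

try:
    import winreg                      # present only on Windows
except ImportError:
    winreg = None

# Service display name and binary reported for the fake WGA tool.
FAKE_DISPLAY_NAME = "Windows Genuine Advantage Validation Notification"
FAKE_BINARY = "wgavn.exe"
# The real WGA tools install no service at all, so any service naming WGA is suspect.
WGA_MARKER = "windows genuine advantage"


def image_basename(image_path):
    """Executable name from a service ImagePath, which may be quoted and may carry
    arguments, e.g. '"C:\\Program Files\\X\\y.exe" -k svc' or 'svchost.exe -k netsvcs'."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split()[0] if p else ""
    return ntpath.basename(p).lower()


def suspicious_wga_services(services):
    """services: iterable of (service_name, display_name, image_path).
    Returns [(service_name, reason), ...] for entries that impersonate WGA."""
    hits = []
    for name, display, image in services:
        reasons = []
        display = (display or "").strip()
        if image_basename(image) == FAKE_BINARY:
            reasons.append("binary is %s" % FAKE_BINARY)
        if display.lower() == FAKE_DISPLAY_NAME.lower():
            reasons.append("display name matches the reported fake service")
        elif WGA_MARKER in display.lower():
            reasons.append("legitimate WGA installs no service, yet this one names it")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def _read_str(key, value_name):
    try:
        value, _ = winreg.QueryValueEx(key, value_name)
    except OSError:                    # value absent
        return ""
    return value if isinstance(value, str) else ""


def enumerate_services_from_registry():
    """(service_name, display_name, image_path) for every service under
    HKLM\\SYSTEM\\CurrentControlSet\\Services. Windows only."""
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:            # no more subkeys
                break
            i += 1
            try:
                with winreg.OpenKey(root, sub) as k:
                    display, image = _read_str(k, "DisplayName"), _read_str(k, "ImagePath")
            except OSError:            # access denied on this key
                continue
            if image:
                out.append((sub, display, image))
    return out


# Constructed sample of what the registry walk returns; not from a real machine.
SAMPLE_SERVICES = [
    ("Eventlog", "Event Log", r"%SystemRoot%\system32\services.exe"),
    ("WGAVN", "Windows Genuine Advantage Validation Notification", r"C:\WINDOWS\system32\wgavn.exe"),
    ("Updater", "Software Updater", r'"C:\Program Files\Updater\wgavn.exe" -svc'),
    ("wuauserv", "Automatic Updates", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    services = enumerate_services_from_registry() if winreg else SAMPLE_SERVICES
    for name, reason in suspicious_wga_services(services):
        print("%s: %s" % (name, reason))
```

On a Windows box this reads the live service list; elsewhere it runs against the constructed sample. It is a plain user-mode registry read, so a kernel rootkit that filters registry enumeration could hide the key from it; cross-check against `sc query` output or an offline copy of the SYSTEM hive when that is a concern.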
Security, power and performance, applied graphics and user interface improvements, wireless networking, desktop search, usability updates, new performance monitoring and diagnostics, and an upgraded bevy of onboard applications such as Internet Explorer 7+ and Windows Defender are some of the main areas where Microsoft has beefed up Vista. Enterprise features, such as expanded group policies, whole-drive encryption and hardware-agnostic Windows imaging, are especially welcome.
More in Computerworld (Thanks to Microsoft MVP James Fisher for the link)