Malware Poses as WGA Notification
A new piece of malware called wgavn.exe has been discovered that poses as a Windows Genuine Advantage Notification. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder and gives this notification: “O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe.” The malware disables antivirus software and attempts to contact several IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. It is still unknown how users are being infected with this malware.