My AntiSpyware

Your Go-To Destination for Scam Awareness, Malware Removal, Antispyware Downloads, and Expert Guidance

New malware poses as Windows Genuine Advantage Validation Notification

Myantispyware team June 30, 2006     4 Comments    

A new piece of very nasty malware was recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe, and it creates a service named “Windows Genuine Advantage Validation Notification”, as seen in this line from the HijackThis log:

O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe

Suzi tested it on her virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.

On her virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third-party firewall, VMware Tools, VMware User Process, and VPCUserServices, by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported that it also disabled the Windows firewall and System Restore.

Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
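The indicators in the paragraphs above (a Windows-branded service registered with no owner, a core binary name such as services.exe dropped outside System32, and Run entries under HKEY_LOCAL_MACHINE that disappear or get rewritten) can be checked mechanically from HijackThis output. The following is an added example, not code from the original post or from Suzi Turner's write-up: it parses O23 (service) and O4 (Run key) lines and reports what trips each heuristic. Only the O23 line quoted above comes from the page; the other log lines, the `Windows Services Helper (wsvchlp)` entry, the baseline of known service names and the core-binary list are constructed for the example.

```python
"""Triage HijackThis O23 (service) and O4 (Run key) entries.
Added example: only the first O23 line is the one quoted on the page; every
other log line, the service baseline and the core-binary list are constructed."""
import ntpath
import re
from dataclasses import dataclass, field

# O23 - Service: <display name> (<short name>) - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# O4 - HKLM\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

SYSTEM32 = r"c:\windows\system32"
TRUSTED_DIRS = (SYSTEM32, r"c:\program files")
# Constructed baseline of service short names; a real one is taken from a clean image.
KNOWN_SHORT_NAMES = {"wuauserv", "winmgmt", "eventlog", "dhcp", "lanmanserver"}
# Constructed list of binaries that belong only in System32; a copy elsewhere is suspect.
CORE_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Return a Service for an O23 line, or None if the line is not one."""
    m = O23_RE.match(line.strip())
    return Service(m["display"], m["short"], m["owner"], m["path"]) if m else None


def _under(directory, root):
    return directory == root or directory.startswith(root + "\\")


def triage_service(svc):
    """Attach a reason for every heuristic the service trips; no reasons means clean."""
    directory = ntpath.dirname(svc.path).lower().rstrip("\\")
    base = ntpath.basename(svc.path).lower()
    if not any(_under(directory, root) for root in TRUSTED_DIRS):
        svc.reasons.append(f"image in unexpected directory: {directory}")
    if base in CORE_BINARIES and directory != SYSTEM32:
        svc.reasons.append(f"core binary name {base} outside System32")
    branded = svc.display.lower().startswith(("windows ", "microsoft "))
    if branded and svc.owner == "Unknown owner" and svc.short.lower() not in KNOWN_SHORT_NAMES:
        svc.reasons.append("Windows-branded service with unknown owner, not in baseline")
    return svc


def triage_log(lines):
    """Return only the services that tripped at least one heuristic."""
    flagged = []
    for line in lines:
        svc = parse_o23(line)
        if svc and triage_service(svc).reasons:
            flagged.append(svc)
    return flagged


def parse_o4(lines):
    """Map (hive, value name) -> command for every O4 line."""
    entries = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def disabled_autostarts(before_lines, after_lines):
    """Run entries from an earlier log that are gone or rewritten in a later one.
    Each result is (hive, name, old command, new command or None)."""
    before, after = parse_o4(before_lines), parse_o4(after_lines)
    return [
        (hive, name, cmd, after.get((hive, name)))
        for (hive, name), cmd in before.items()
        if after.get((hive, name)) != cmd
    ]


# Line 1 is the entry quoted on the page; lines 2-4 are constructed.
SAMPLE_O23 = [
    r"O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe",
    r"O23 - Service: Windows Services Helper (wsvchlp) - Unknown owner - C:\Windows\etc\services.exe",
    r"O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
    r"O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe",
]
# Constructed before/after O4 sections: one entry removed, one rewritten (illustrative values).
RUN_BEFORE = [
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe",
    r"O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]
RUN_AFTER = [
    r"O4 - HKLM\..\Run: [VMware Tools] C:\WINDOWS\system32\wgavn.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for svc in triage_log(SAMPLE_O23):
        print(f"{svc.short}: " + "; ".join(svc.reasons))
    for hive, name, old, new in disabled_autostarts(RUN_BEFORE, RUN_AFTER):
        print(f"{hive}\\..\\Run [{name}] {old} -> {new or '(removed)'}")
```

The branding check deliberately requires all three conditions (Windows/Microsoft name, "Unknown owner", not in the baseline), because genuine Microsoft services routinely show "Unknown owner" in HijackThis; the baseline is what keeps the check from flagging them. Comparing two logs for vanished Run entries is the same diff a forum helper does by eye when a user reports that their security software no longer starts.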

Thanks to Suzi Turner for her post about it.

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with cyber security specialists and IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

4 Comments

  1. chakra
    ― March 22, 2010 - 11:14 pm

    Can you suggest how to remove it?

  2. Patrik
    ― March 24, 2010 - 9:48 am

    chakra, please start a new topic in our Spyware removal forum. I will help you.

  3. sonja
    ― June 30, 2010 - 3:17 am

    Help! I just wiped my drive and it's back… How do I remove this?

  4. Patrik
    ― June 30, 2010 - 4:36 am

    sonja, try scanning your computer with Malwarebytes Anti-malware; if it does not help, then begin a new topic in our Spyware removal forum. I will help you.
