Yahoo Messenger doesn't only spread fake news, but also worms

Nov 15, 2011 15:21 GMT  ·  By

An executable file that usually arrives through instant messaging applications, posing as an Office Genuine Advantage checker, turns out to be a malicious worm that opens a backdoor allowing attackers to take control of the machine.

Bitdefender researchers report that the file, written in Visual Basic, comes as an executable called office_genuine.exe. Even though Microsoft retired its OGA program almost a year ago, the application that pretends to check the legitimacy of Office products is still circulating.

The piece of malware, identified as Win32.Worm.Coidung.B, doesn't come alone: it brings a guest in the form of a file infector detected as Win32.Virtob. It's not yet certain whether the two were combined on purpose or whether the latter got a piggyback ride by mistake.

As soon as it's executed, the worm disables the operating system's firewall and opens a gateway through which the mastermind behind the operation sends commands. After gaining control of the system, the attacker can do practically anything, from DoS to data theft.

By copying itself into several hidden locations, including the registry and the start-up folder, the worm makes sure that it runs every time the computer starts.
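The persistence mechanism just described (autostart entries in the registry Run keys and the Startup folder) is what a responder would check first. The triage routine below is an added example, not Bitdefender's or Softpedia's code: it takes autostart entries already collected from a machine and flags the ones that match the lure name from this article, run from user-writable directories, or carry the hidden attribute. The sample entries and the "genuine-advantage" name pattern are constructed assumptions, not indicators from the article.

```python
"""Triage of Windows autostart entries for the OGA-themed worm lure
described above. Added example, not code from the article or from
Bitdefender. SAMPLE_ENTRIES is constructed test data, not real telemetry."""
import ntpath
import re

# Lure file name taken from the article, plus a heuristic pattern for
# similarly themed lures (the pattern is an assumption, not from the page).
KNOWN_LURES = {"office_genuine.exe"}
LURE_PATTERN = re.compile(r"(office|windows)[_ -]?genuine", re.IGNORECASE)

# Registry Run entries pointing into these directories deserve a look;
# legitimate software rarely autostarts from user-writable paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def triage_autostarts(entries):
    """Return (location, name, path, reasons) for entries worth investigating.

    entries: iterable of (location, name, image_path, is_hidden) tuples,
    where location is a registry key path (starts with 'HK') or the
    literal 'StartupFolder', and is_hidden is the file's hidden attribute."""
    findings = []
    for location, name, path, is_hidden in entries:
        reasons = []
        exe = ntpath.basename(path.strip('"')).lower()
        if exe in KNOWN_LURES:
            reasons.append("known lure file name")
        elif LURE_PATTERN.search(exe):
            reasons.append("genuine-advantage themed name")
        # The Startup folder itself lives under AppData, so only apply the
        # user-writable-path check to registry Run entries.
        if location.startswith("HK") and any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("runs from user-writable location")
        if is_hidden:
            reasons.append("file has hidden attribute")
        if reasons:
            findings.append((location, name, path, reasons))
    return findings


# Constructed sample: one benign entry and two planted by the worm.
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", False),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OGA",
     "C:\\Users\\alice\\AppData\\Roaming\\office_genuine.exe", True),
    ("StartupFolder", "office_genuine.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\office_genuine.exe", True),
]

if __name__ == "__main__":
    for location, name, path, reasons in triage_autostarts(SAMPLE_ENTRIES):
        print(f"{location} :: {name} -> {path}\n    {', '.join(reasons)}")
```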

Virtob, on the other hand, is no angel either. Even though it seems to be there just to observe what Coidung is doing, it's actually very harmful, especially to web applications.

The virus avoids virtual machines and emulators, and it infects ASP, HTM and PHP scripts while it waits for further commands from its master.

Malware that presents itself as a Windows Genuine Advantage Validation Notification tool, or even as a Windows Genuine tool, is not new, but each new variant comes with new malicious elements attached, which is why an up-to-date anti-virus database is always recommended.