<body>

Thursday, July 13, 2006

New Virus Pretends to be WGA


UPDATED: A virus posing as Microsoft's controversial anti-piracy software is spreading via AOL's popular Instant Messenger network, but it appears to be more of a jab at Microsoft than a real threat.
The message itself does not spoof someone in the user's Buddy list; it comes in from an unknown sender. The virus then arrives via a link in the instant message, should the user be foolish enough to click on a link sent by someone they don't know.
Once infected, the virus registers itself as a new system driver service named "wgavn" and has the public display name of "Windows Genuine Advantage Validation Notification." If the user shuts it down, the user is informed that removing or stopping the service will cause system instability.
Unlike WGA, the virus poses a real danger because it disables the Windows firewall and opens a backdoor to the infected computer. It's not known at this point whether anyone has actually exploited such an opening caused by the new virus.
"If you get it, it's as bad as any of them," said Randy Abrams, director of technical education for Eset Software, developer of the NOD32 antivirus program. "Ok, it's not flashing your BIOS chip or grabbing specific banking info, but once you get a backdoor on a computer, it's trivial to download a bot or do much more."
ESET's anti-virus hunters first heard of the WGA impersonator, which they dubbed Win32/IRCBot.OO, on June 29 and received a sample of the virus on July 1. But Abrams admits it hasn't been thoroughly examined because, as far as threats go, this one is pretty far down the list. It ranked 1,400 on ESET's threat list.
"The choice of names makes it clear it's an attack on WGA. Its effect is not in harming users but in making bad publicity for Microsoft," said Abrams.

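A triage check for the indicators described above (the "wgavn" service name, its display name, and a disabled firewall), added here as an example and not taken from the article or from ESET. The function name `Find-WgaImpersonator` is hypothetical, and the firewall query assumes a Windows version that ships `Get-NetFirewallProfile`.

```powershell
# Added example, not from the article. The two indicator strings are the ones
# the article reports; the function name and output fields are illustrative.
$IocServiceName = 'wgavn'
$IocDisplayName = 'Windows Genuine Advantage Validation Notification'

function Find-WgaImpersonator {
    # Accepts service or driver records (live CIM objects or an imported
    # inventory with Name/DisplayName/State/PathName columns) and emits one
    # finding per record that matches either indicator. -eq ignores case.
    param([Parameter(ValueFromPipeline)] $Service)
    process {
        $nameHit    = $Service.Name -eq $IocServiceName
        $displayHit = $Service.DisplayName -eq $IocDisplayName
        if ($nameHit -or $displayHit) {
            $matched = @()
            if ($nameHit)    { $matched += 'service name' }
            if ($displayHit) { $matched += 'display name' }
            [pscustomobject]@{
                Name        = $Service.Name
                DisplayName = $Service.DisplayName
                State       = $Service.State
                PathName    = $Service.PathName   # binary to collect for analysis
                MatchedOn   = $matched -join ' + '
            }
        }
    }
}

# The article says the malware registers as a system driver service, so
# enumerate drivers as well as ordinary services.
$records  = @(Get-CimInstance -ClassName Win32_SystemDriver) +
            @(Get-CimInstance -ClassName Win32_Service)
$findings = @($records | Find-WgaImpersonator)

# The article also reports that the Windows firewall is disabled.
$fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })

if ($findings.Count -gt 0) {
    $findings | Format-List
    Write-Warning "Service matching the reported indicators found; treat the host as backdoored."
}
if ($fwOff.Count -gt 0) {
    Write-Warning ("Firewall disabled for profile(s): " + ($fwOff.Name -join ', '))
}
if ($findings.Count -eq 0 -and $fwOff.Count -eq 0) {
    Write-Output "No match on the reported service indicators; firewall profiles enabled."
}
```

A clean result only rules out the names reported in the article; a variant registered under a different service name would not match.
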
2 Comments:

Anonymous said...

Here are some links that I believe will be of interest

Sat Aug 05, 10:11:00 AM  
Anonymous said...

I like it! Keep up the good work. Thanks for sharing this wonderful site with us.

Fri Aug 11, 12:13:00 AM  
