by Matt Liebowitz, November 17, 2011, SecurityNewsDaily

If you use Microsoft Office, a sneaky and harmful worm may be out to infect your system.

The security firm Bitdefender found a worm, identified as Win32.Worm.Coidung.B, that disguises itself as Office Genuine Advantage (OGA), a program Microsoft deployed in the past to validate customers’ copies of Office and let them download files and updates from the Microsoft website. Microsoft retired OGA in December 2010, but that hasn’t stopped the attackers from using it to ensnare victims a year later.

The fraudulent OGA program, labeled “office_genuine.exe,” is spreading via Yahoo Messenger, and once the attachment is downloaded, it opens a portal in people’s computers for remote attackers to control the machines or install more malicious software.

Bitdefender’s Loredana Botezatu wrote of Coidung, “The worm operates fast, disables the Windows Firewall and opens a back door to allow a remote attacker to access and control the compromised computer.”

Adding insult to infection, Coidung makes copies of itself and hides them in multiple system folders under various names, Botezatu said. The worm prevents its multiple copies from being deleted, deactivated or removed.

The Coidung worm even comes bundled with a virus, Win32.Virtob, which operates separately and infects Web application files on the compromised machines.

This threat applies only to the Microsoft Office suite. The overall Windows Genuine Advantage (WGA) program, which validates copies of Windows 7 or Vista, is still in effect.

Online scammers often piggyback on the legitimacy of anti-virus or threat-detecting software to launch attacks. Right around the time OGA was decommissioned last year, crooks began spreading malware by disguising it as a Microsoft Security Essentials update.

The best advice to avoid falling victim to these types of threats is to avoid downloading suspicious attachments, especially if they come in unsolicited emails or instant messages.
