The New “Your Copy of Windows is Not Genuine” Popup From Microsoft
Is Bill Gates harassing you? Is he stalking you, inside your computer, telling you that “This copy of Windows is not genuine” with annoying little popup messages? Then you are not alone. This latest Microsoft stunt basically installs a virus, created by Microsoft, through Windows Auto Update. The WGA Virus will present users of unregistered or unofficial Windows installations with an alarming warning message. What Microsoft calls a “Genuine” copy of Windows is one that has a unique key, identified by their database, and registered to a specific user or company. Whether you have a pirated copy of Windows or have simply not registered for reasons of privacy, you will be harassed by WGA Notifications (Windows Genuine Advantage), unless you take precautions. If it is already too late, then there are some things you can do to undo the damage caused by the new Microsoft WGA Virus.
A Washington Post blog by Brian Krebs has details on the new Microsoft WGA Virus. Some highlights of that article are included here. The article explains how the WGA Virus, although it does not describe it as such, is installed via the Windows Automatic Update feature. Windows XP users in the United States who have set up automatic security updates will receive the WGA Virus, as of April 27, 2006. After installation and reboot, users may find their computers popping up an alert that reads: “This copy of Windows is not genuine; you may be a victim of software counterfeiting.”
You Can Avoid Getting the Microsoft WGA Virus!
Update: Since this story was written we have run a second story with specific instructions. We recommend you follow this link for information on avoiding WGA. Also, click here “WGA” for all stories on this subject.
Microsoft is calling this a “pilot program” and users will be presented with an option to decline participation. Windows Auto Update will not install the Windows Genuine Advantage software if you “decline” acceptance of the License Terms dialog that you will be presented with.
Key Point: Click “decline” on the License Agreement presented as part of the WGA Software.
Oops! Accidentally accepted the license agreement already?
If you do not decline the license agreement, the WGA Virus software will be installed. Then you will see WGA notifications telling you “This copy of Windows is not genuine” at boot time, at login time, and periodically via a system tray bubble notification. Although you will have an option to suppress the messages, they will only be suppressed temporarily. Basically, annoying messages, similar to shareware nag screens, will harass you, urging you to pay Microsoft, reformat, and install what Microsoft considers a Genuine Copy of their Windows operating system.
When you see the popup message, you will be presented with two options with the following verbiage:
- You can click Resolve now to start the Get genuine Windows process.
- You can click Remind me later.
If you use the “Remind me later” option, an icon will be available in the notification area that you can double-click to start the Get genuine Windows process, which you will not actually ever want to do. Neither of these two options will be satisfactory to users of private, non-licensed copies of Windows XP. If you have the WGA Virus already installed, there are still some ways to possibly remove it and get rid of the popup harassment. Those workarounds will be covered later in this article.
Will the WGA Virus Report My Illegal Copy of Windows to Microsoft?
From a Microsoft spokesperson, “WGA Notifications is for Windows XP users. Our client software does not collect any information that can be used to identify or contact a user. We use the same process used by many popular search engines and Web sites to determine where their users are from — a form of IP lookup. This IP lookup process does not include any information that is used to identify you or contact you, and only gives a rough geographic representation of where users are located.”
So basically, the answer to the question, “will they come for you” is “no, not at this time.” However, Microsoft is becoming more aggressive in attempting to halt the propagation of pirate copies of their Windows operating system. Microsoft will go as far as the public, and the government, will allow. To protect yourself, it may be wise to disable Windows Auto Update altogether.
Microsoft is calling their WGA Virus by the name “Windows Genuine Advantage Notifications software,” and it is also being referred to as the “WGA Notifications Patch.” The WGA Notifications patch is installed if the user has opted to automatically update Windows via the Windows Update Website or if XP users manually download the latest Windows updates.
Stop The Harassment and Kill the WGA Virus
Several ways to stop the WGA Virus popup have been posted on various Internet forums including one titled, “WGA install workaround (KB905474).” Here we have provided the various workarounds currently available.
Removal Workaround Method (A)
- End the process wgatray.exe in Windows Task Manager and restart Windows XP in safe mode.
- Delete the following files:
  WgaTray.exe in c:\windows\system32
  WgaTray.exe in c:\windows\system32\dllcache
- Use the Registry Editor to delete the folder key “WGALOGON” in the following branch:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Removal Workaround Method (B)
Locate WgaLogon.dll in the Windows system folder and alter the executable bit. According to this suggestion, Winlogon will not be able to call it as a notification package at boot, and since WgaLogon is responsible for running and maintaining WgaTray.exe, the icon tray balloons will also be eliminated.
- Disable simple file sharing in Windows
- Right-click on the WgaLogon.dll file and choose Advanced
- Uncheck the Inherit box
- Remove the execute permission and leave the read permission active
- Apply the changes and reboot
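WgaLogon.dll is loaded because it is registered as a subkey of the Winlogon\Notify branch named in Method (A), so that branch is worth inventorying on any XP-era machine. The following is an added example, not part of the original article: it parses the text of a regedit export of that branch and lists each notification package with its DllName, marking packages that are not on a baseline. The sample export and the allowlist are constructed for illustration.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample in regedit text-export form; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DllName"="WgaLogon.dll"
'''

def decode_value(raw):
    """Decode REG_SZ and REG_EXPAND_SZ data; leave other types as exported."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:  # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: data}} from export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys

def notify_packages(text, allowlist):
    """List (package, DllName, unexpected) for direct subkeys of Notify."""
    prefix = NOTIFY.lower() + "\\"
    found = []
    for key, values in parse_reg(text).items():
        name = key[len(prefix):]
        if not key.lower().startswith(prefix) or "\\" in name:
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        found.append((name, dll, name.lower() not in allowlist))
    return found

if __name__ == "__main__":
    print(notify_packages(SAMPLE_EXPORT, {"crypt32chain"}))
```

The allowlist here is a one-entry placeholder; in practice it would come from a known-good baseline of the same Windows build.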
Removal Workaround Method (C)
In this post it was suggested that clearing the contents of the data.dat file will eliminate the popup messages. The data.dat file is located at the following path:
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
- Open data.dat in notepad, clear the contents, and save
- Change the permissions on data.dat to Read-Only
- Remove the following files from the Windows System32 folder:
  wgalogon.dll
  spmgs.dll
  wgatray.exe
The WGA setup file is in C:\WINDOWS\SoftwareDistribution\Download\6c4788c9549d437e76e1773a7639582a
Removal Workaround Method (D)
This is considered a manual fix. These permissions can be repaired using Registry Editor as follows:
1. Click Start, and then click Run
2. In the Open box, type regedit, and then click OK
3. Expand HKEY_CLASSES_ROOT
4. Locate the subkey HKEY_CLASSES_ROOT\LegitCheckControl.LegitCheck
5. Right-click the subkey and select Permissions…
6. Ensure that Administrators are allowed the Full Control permission
7. Repeat steps 3-6 for the subkey HKEY_CLASSES_ROOT\LegitCheckControl.LegitCheck.1
The annoying popup WGA Virus hit United States users only just today, April 27th. Engineers are currently developing better workarounds than what has been presented here. Rest assured, there will be a very nice and tidy solution provided to users very soon. Until then, it is recommended that you disable Windows Automatic Update and simply avoid becoming infected with the WGA Virus from Microsoft.
Update: Make Sure You Do What is Necessary to Avoid WGA
When you manually run Windows Update, be sure to select “Custom” and not “Automatic.” After you enter the JavaScript to disable the WGA check (see our previous article for details) and have advanced to the list of available updates, be sure to locate “Windows Genuine Advantage Notification (KB905474)” and deselect it.
There are now two clear levels of WGA that you must avoid when manually running Windows Update. The first can be bypassed with the JavaScript disable code, and the second must be manually deselected. It is critical you have unchecked this in your list of updates or you will end up the victim of the Microsoft WGA virus.
trc author: Trent Keller
May 6th, 2006 at 8:26 am
I used system restore to get rid of the update and then “declined” later when re-asked. Worked just fine on 3 computers infected. Good luck
May 17th, 2006 at 10:34 am
what’s the problem with buying a copy of Windows?? I don’t get it.
May 23rd, 2006 at 10:24 pm
What’s the problem with buying a copy of Windows? You don’t get it?
Well Ricky first off, Microsoft doesn’t call it a “copy” when you buy one of their “Genuine” Windows distributions. So if you are paying for a copy, perhaps you are spending money on a bootleg CD that you could have downloaded an ISO for yourself.
Oh, but that wasn’t your point was it? Of course not.
Bill Gates, the man who stole MS DOS from a poor overworked genius, a programmer that died falling off a ladder while working on his modest California home. Bill Gates, the man who made a huge corporation founded on another man’s work.
Bill Gates, the thief; the thief that got away with a criminal act.
Ok, getting back to your question, why not pay Bill Gates, the thief, for a Genuine copy of Windows, a crippled operating system that has resulted in the deaths of people, and the financial loss of many more, due to errors at inopportune moments, the result of corporate greed, and anti competitive business practices?
I digress again.
Well, frankly Ricky boy, I say SCREW YOU and your Bill Gates Microsoft loving ass, and I have never, nor will I ever, pay Microsoft a single penny for anything they stamp their mark of evil on.
June 2nd, 2006 at 10:42 pm
More info on avoiding the Windows Genuine Advantage Notification update.
http://spacebag.googlepages.com/wga-notify
July 15th, 2006 at 4:31 pm
I just noticed that spacebag link in post #4 talks about having a pirated copy of Windows XP. I am using a legal copy I bought from Best Buy but I am getting the WGA nag balloons too! This fix isn’t just for pirate copies. People who are having the trouble too want to read this, and people who just might want to keep their privacy instead of registering with microsuck. and #2 screw you Rick Timmon because I did pay and I am getting the nag balloons too.
July 19th, 2006 at 7:57 am
All you “privacy lovers” can kiss my ass. Business practices SHOULD be unfair. I hope you all stay deluded for a good long time, it makes my job way easier.
July 20th, 2006 at 9:49 pm
So, hold on a minute, because I don’t want huge corporations knowing my personal information, as in I value my right to privacy, this fact allows me the honor of kissing your back side? That doesn’t even make any sense! Chris, since I doubt you are over 12 years old, or I sure in the hell hope you aren’t, I think that kissing your ass would be criminal. And since you are obviously a juvenile “delinquent,” either by actual age or by mental capacity, I doubt your “job” of sitting around playing Grand Theft Auto, will be threatened by my desire to remain anonymous to corporate America. Now go wipe your nose and tell momma Mr. Woo was mean to you on the big bad Internet!
July 27th, 2006 at 10:25 pm
If you’re still having problems with this, I’ve created a (still) working fix to uninstall this annoying nag and privacy concern. I am also hosting two other fixes to ensure they are available to all who need them! You can also read my fan mail from “James Young, Internet Investigator”. =)
http://www.guidoz.com/WGATray/
–
Peace. ~G
July 22nd, 2007 at 5:10 pm
Ridiculously easy to trick Microsoft into thinking you have a “legit copy”
1. Get a key from somewhere on the internet.
2. Try to activate it
3. Activate by Phone
4. Doesn’t matter what you say for the automated phone thing…shit never works.
5. At the customer rep, tell them your system became corrupted and that you had to reinstall Windows. Tell them when they ask that this is the only computer Windows is installed on and that you bought it at Circuit City.
September 2nd, 2008 at 4:42 pm
to remove notification do as follows
1 Safe mode
2 when in safe mode
3 My computer
4 C drive
5 Windows folder
6 system 32 folder
7 wgatray then delete
8 dllcache folder delete wgatray
9 start then run
10 regedit then enter
11 left hand pane, hkey_local_machine\software\microsoft\windowsnt\current version\win logon\notify
12 once in location 11 delete folder wgalogon and all its contents now reboot
13 now disable updates and do it manually do not validate