Microsoft’s WGA Faces Second Lawsuit, Impostor Worm
CYBERSPACE – It’s shaping up to be a tough week for Microsoft’s controversial Windows Genuine Advantage (WGA) anti-piracy software. A second lawsuit has been filed alleging that WGA is “spyware,” and a new worm masked as WGA has been identified by security researchers.
The lawsuit, filed in the U.S. District Court for the Western District of Washington by Engineered Process Controls (EPC), Univex, Inc. and three individuals, alleges that users are deceived into installing WGA by being led to believe that it is a “security update,” and that Microsoft failed to disclose that WGA “phones home” to Microsoft servers regularly.
A similar lawsuit was filed late last month by Los Angeles resident Brian Johnson. Both lawsuits seek class action status.
“WGA is ‘spyware’ that transmits data to Microsoft’s central computer (‘phones home’) every time a PC is booted up and every 24 hours thereafter,” the EPC lawsuit claims in describing WGA.
The lawsuit also contends that “Microsoft does not advise users of these phone home capabilities. WGA gathers data that can easily identify individual PCs and WGA can be modified remotely to collect additional information at Microsoft initiation,” and that Microsoft and WGA violate federal law, Washington State law and “public policy on privacy, security, consumer deception, notice and consent.”
The lawsuit also states the plaintiffs’ concern that “software hackers can exploit WGA to not only collect data but also to modify users’ computers.”
Meanwhile, researchers at the security firm Sophos have identified a worm masking itself as WGA spreading via AOL’s instant messaging service. The worm, “Cuebot-K,” registers itself on infected PCs as a system driver called “wgavn” with a display name of “Windows Genuine Advantage Validation Notification.”
According to Sophos, Cuebot-K runs automatically during system startup and users viewing the list of services offered by the program are warned that stopping or removing the program results in “system instability.”
Once in place on an infected system, researchers say, Cuebot-K shuts down the Windows firewall and opens a backdoor to the system. Sophos warned that hackers could use the backdoor to gain remote access and control of the machine for any number of malicious purposes.
“People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions and technical Windows users wouldn’t be surprised to see WGA in their list of services, and so may not realize that the worm is using that name as a cloak to hide the fact that it has infected the PC,” said Graham Cluley, senior technology consultant for Sophos. “Once in place, this malware disables the firewall and opens a backdoor by which hackers can gain control over your computer to steal, spy, and launch DOS attacks.”