Re: buddylinks worm

From: Scott (upallnight42_at_yahoo.com)
Date: 02/12/04

    Date: 12 Feb 2004 19:03:05 -0000
    To: incidents@securityfocus.com
    
    
    In-Reply-To: <402A5572.4040201@pa.net>

    This is something that was already brought to my
    attention. After looking into it, it looks like a
    marketing ad program. (I don't know if it does
    anything else?)

    The link being sent out as a game directs you to a web
    page that prompts you to trust an install. It looks
    like it's a plug-in or is needed to play the game (that
    part is deceiving to most users). If you read the
    license agreement it is much like Gator or any other
    adware. You agree to install this software that also
    offers you a service to group message everyone in your
    AIM contact list just to play this game. I don't know
    if there is really a game after the install or not. I
    never went that far.

    Now one of the first things that happens is a message
    goes out to everyone in your AIM list to play the same
    game. What a way to spread, after all it comes from
    someone you know and trust?? Or how well do you know
    people you chat with online that you never met????
    (That's a different topic.)

    The uninstall from the control panel seems to work but
    you have to exit the AIM messenger first.
    I'm not sure what else the install does. I was going
    to reverse engineer this but after going to the site
    today I found the site is down.

    Attached is information I sent to my users with
    uninstall a license agreement copied from the company.

    If anyone still has the original install I would not
    mind looking at it to see if anything else was done to
    the system when users installed it.

    Please let me know if anything else is found out about
    this. I know of a rumor that it might install a Trojan
    horse or a back door but have not seen any evidence
    about this yet.

    Scott

    ----------------------------------------------------
    Here is part of their agreement I copied yesterday before the site went down.

    "Note: This is not an actual news story. This is the prologue to a Flash
    video game.

    PSD TOOLS

    END USER AGREEMENT AND SOFTWARE LICENSE TERMS

    Services; Modifications to Your Instant Messaging Client. The Software
    provides you the opportunity to access Content for no charge. In return
    for the right to access this Content, you acknowledge and agree that the
    Software contains additional software products provided to PSD Tools by
    its suppliers which will periodically deliver additional Content such as,
    but not limited to, advertisements and promotional messages to your
    Computer and programs that may alter your home page to offer you Content.
    In addition, the Software will interoperate with your current instant
    messaging client so as to permit the automatic sending of advertising
    messages originating from your Computer to your contact or “buddy” list
    regarding Content offered by PSD Tools or its suppliers. If you desire
    to stop this activity, you may elect to stop the messages by navigating
    to the “buddylinks.net” entry in your “Start Menu”, selecting the
    “buddylinks.net Configuration” item, and unchecking the appropriate
    option. You may also refer to PSD Tools’ website at
    http://www.psdtools.com for an uninstaller.

    Updates to Software. The Software includes an automatic update feature
    to ensure that you have the most recently released version. You
    acknowledge and agree that PSD Tools or third parties designated by PSD
    Tools may from time to time provide automatic programming fixes, updates
    and upgrades to the Software (collectively, the “Updates”). Updates may
    include installation of third party applications, through automatic
    electronic dissemination and other means. You consent to such Updates
    and agree that the terms and conditions of this Agreement will apply to
    all such Updates. If you should elect not to have your software updated
    at any future time, PSD Tools shall not be responsible for any
    incompatibilities that may arise on your system and Computer.

    Uninstalling the Software. In order to uninstall the Software, you will
    need to run the removal executable. You can get this program by
    contacting Support@PSDTools.com You may also be able to remove the
    program using any of the following methods:

    Via “Add/Remove Programs”:
      Click “Start”, Settings, Control Panel
      Click “Add/Remove Programs”
      Locate the “buddylinks.net Messaging Integration” option and click
      “Remove”. Click “Yes” on the prompt.
    Via a website link:
      Navigate to http://www.buddylinks.net/uninstall.exe
      Choose “Run” or “Open” when the download window appears.

    The uninstallation process should take effect immediately though in rare
    cases it may be necessary to restart your Instant Messaging Client or
    computer."
    ----------------------------------------------------

    >Message-ID: <402A5572.4040201@pa.net>
    >Date: Wed, 11 Feb 2004 11:16:50 -0500
    >From: Dennis Cheung <dennis@pa.net>
    >To: Jason Yates <jaywhy2@comcast.net>
    >Cc: incidents@securityfocus.com
    >Subject: Re: buddylinks worm
    >References: <402953F1.6080509@comcast.net>
    >In-Reply-To: <402953F1.6080509@comcast.net>
    >
    >Jason Yates wrote:
    >
    >> Another one of the AOL worms; this one instant messages all users on
    >> your buddy list. The message I've received is "check this out:
    >> http://ww.wgutv.com/osama_capture.php?bNek". The link is a fact news
    >> website telling you to download some software. Once you install the
    >> software on the page; it immediately instant messages everyone on your
    >> buddy list.
    >>
    >> The software it installs is something called buddylinks. According to
    >> buddylinks.net, Buddylinks is a "revolutionary new way for instant
    >> messenger users to instantaneously share entertaining content with
    >> their entire IM "buddy list" network all at one time". I can't make
    >> this stuff up.
    >>
    >> Jason Yates
    >>
    >> ---------------------------------------------------------------------------
    >>
    >> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
    >>
    >> Protect your network with the comprehensive security solution that
    >> integrates six applications for ease of use and lower TCO.
    >>
    >> Firewall - Virus protection - Spam protection - URL blocking - VPN
    >> - Wireless security.
    >>
    >> Download 30-day evaluation at:
    >> http://www.astaro.com/php/contact/securityfocus.php
    >> ----------------------------------------------------------------------------
    >>
    >>
    >A friend has gotten infected with this "revolutionary" product. Has
    >anyone tried removing this thing manually before? The buddylinks site
    >has an unsubscribe feature that claims to work, but at the moment I am
    >reluctant until I figure out what exactly this thing is.
    >
    >-Dennis
    >

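Added example, not part of the original message and not PSD Tools' code: a PowerShell check a Windows administrator could run on a workstation to look for the two artifacts named in the quoted license text, the "buddylinks.net Messaging Integration" Add/Remove Programs entry and the "buddylinks.net" Start Menu entry. The function name is hypothetical, and the registry and Start Menu locations are the standard ones on current Windows versions, which is an assumption about where this installer registered itself.

```powershell
# Added example. The names searched for come from the quoted license text:
#   Add/Remove Programs entry: "buddylinks.net Messaging Integration"
#   Start Menu entry:          "buddylinks.net"
# Find-BuddylinksTraces is a hypothetical helper name.
function Find-BuddylinksTraces {
    [CmdletBinding()]
    param([string]$Pattern = 'buddylinks')   # -match is case-insensitive

    # Per-machine, 32-bit-on-64-bit, and per-user uninstall registrations
    # (assumed locations; the page does not say where the installer wrote).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($root in $uninstallRoots) {
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = 'UninstallKey'
                    Name     = $_.DisplayName
                    Detail   = $_.UninstallString
                    Location = $_.PSPath
                }
            }
    }

    # Start Menu folders for all users and for the current user.
    $menus = @(
        [Environment]::GetFolderPath('CommonStartMenu'),
        [Environment]::GetFolderPath('StartMenu')
    ) | Where-Object { $_ -and (Test-Path $_) }
    foreach ($menu in $menus) {
        Get-ChildItem -Path $menu -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = 'StartMenu'
                    Name     = $_.Name
                    Detail   = ''
                    Location = $_.FullName
                }
            }
    }
}

# No output means neither artifact was found for this user/machine.
Find-BuddylinksTraces | Format-Table -AutoSize -Wrap
```

An empty result only shows that these two registrations are absent; it does not rule out other changes the installer may have made.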