Is this a Virus or just really sleazy advertising?
October 25, 2002 2:26 PM   Subscribe

Viral marketing at its worse, but if it's spelled out in the EULA, then it's the fault of anyone who doesn't read it carefully. People have become altogether too glib about agreeing to whatever a website or software installer requests of them.
posted by Dreama at 2:38 PM on October 25, 2002

This might make a good test case of whether "clickwrap" EULAs are legitimate. If nobody treats them like a paper contract, why should the law?
posted by Mark Doner at 2:42 PM on October 25, 2002

Is there a good utility or way to monitor what data is going outbound and to where and to alert when somthing seems suspicious?
posted by stbalbach at 2:49 PM on October 25, 2002

Holy shit, that could bring our company's Exchange infrastructure to it's knees. Virus.
posted by machaus at 2:58 PM on October 25, 2002

if EULA's are contracts, does that mean I need a constant witness to ensure that I'm not drunk, a minor, or legally insane (not of sound mind) when I click that 'accept' button?
posted by dabitch at 2:58 PM on October 25, 2002

Technically not a virus since they do warn you and tell you in fine print what is happening - but very very sleazy. Also really a grey area as far as privacy is concerned - should a greeting card retrieval site be allowed to access someone's address book when the "permission" granted is likely very murky to the average user?
Hopefully mail admins and the virus definition will punish these scumbags by blocking all access by their apps.
Is there a good utility or way to monitor what data is going outbound and to where and to alert when something seems suspicious?
ZoneAlarm is good at this for a freeware app. I don't know if it would help in this case since it would just look like your mail client was running. AdAware is is fine little free app for detecting many types of spyware. You just need to remember to keep the definitions updated, as with an antivirus programme.
As long as the majority of people keep using Micro$oft products, the malicious and the marketers of the world will find ways to exploit them. The company has to come up with better security controls (i.e. - some sort of warning if an app is trying to access the address book) - or else hopefully the market will punish them eventually for their failures.
posted by sixdifferentways at 3:09 PM on October 25, 2002

Seriously, who can honestly say that they read the full EULA for every bit of software they install? I'm sure there are some odd people out there who do so, but I would be surprised if there were any Mefiers out there among them.

This sort of thing is exactly the reason I switched to Linux for all my home internet access. While the same sort of social engineering could work just the same, in practice, EULA's tend not to be an issue when you're used to installing free software.
posted by salmacis at 4:14 PM on October 25, 2002

Definitely a virus, because as pointed out above this would play havoc with a company's system. Our administrator warned everyone about it today, with the stern admonition (as always) to remember to never open links in email.
posted by yhbc at 4:17 PM on October 25, 2002

The thing is, this Outlook crap has been going on for years now. At any time, Microsoft could have updated Outlook to notify the user when a new application/virus attempts to use its automation interface for the first time, displaying information about who the mail is going to be sent to and so forth and giving the user the opportunity to refuse it. That MS hasn't bothered to do this or anything similar is a pretty fair indication of how seriously they take security.
posted by George_Spiggott at 4:19 PM on October 25, 2002

I don't care whether they inform you in the EULA or not - its still a virus. Just because I tell you that I'm going to mug you before I do it doesn't make the mugging legal.
posted by schlyer at 4:20 PM on October 25, 2002

Just because I tell you that I'm going to mug you before I do it doesn't make the mugging legal.

True, but if you came up to me and asked me to sign a contract giving you my explicit permission to mug me (despite how long or easily clickable it was), I'd have difficulty trying to get you locked up.

That said, I think virus. My home PC contracted sircam32 just under a year ago, which behaves exactly the same way this email does. Nasty.
posted by armoured-ant at 4:38 PM on October 25, 2002

By the way, this is at least the third FPP today that also appears on Slashdot. One day, it really will be true that if you've read one weblog, you've read them all.
posted by George_Spiggott at 4:54 PM on October 25, 2002

What is this "Slashdot" thing people keep talking about, anyway? Is it anything like this "Plastic" I also occasionally hear about? ;-)
posted by yhbc at 5:14 PM on October 25, 2002

Systems that have installed the Outlook Extended E-mail Security Patch (available in different forms for different editions of the software) should be able to block this from being installed, or once instlaled, from sending out its mail. Of course end-users can bypass this security in certain ways if they're sufficiently smart or at the very least sufficiently stubborn. But it isn't true that Outlook "hasn't been patched" to deal with this -- it is only true that the patch hasn't been installed on many computers.
posted by dhartung at 5:18 PM on October 25, 2002

Is there a good utility or way to monitor what data is going outbound and to where and to alert when something seems suspicious?

Black Ice Defender lets you do this. When they first came out with this feature a few months ago, I tried it and then quickly turned it off; I just found it too annoying to "teach" it about all the legit stuff I have that tries to connect to the Internet. But they might've improved it since then.
posted by agaffin at 5:48 PM on October 25, 2002

We're treating it like a virus at my company: blocking access to that domain, using our e-mail content filters to search for the text, and applying updated defs from our antivirus provider. One of my users yesterday came within a click of launching it out to the 6500 or so people that work for my employer. It may be harmless, but it can wreak havoc on corporate e-mail once it starts bouncing around.
posted by briank at 5:52 PM on October 25, 2002

I tell everyone who will listen that they should use an old mail client. Netscape Communicator 4.6 has shielded me from these viruses which read the address book. I tried upgrading to 4.7, but it wasn't as stable. Newfangled, immature technology :-)

Anyway, I don't see the point of having a brand new email client. HTML/JavaScript/Java change, and it's nice to have a new browser that works with most web sites, but email is a pretty mature technology.
posted by Triplanetary at 5:56 PM on October 25, 2002

We're treating it like a virus at my company

It isn't a virus, and it won't start bouncing around. According to the McAfee and Trend descriptions, it sends email but it doesn't propagate itself and infect other computers that wayl. So you really don't have much to worry about.

And you don't have to settle for an old email client: Eudora doesn't respond to these and it's pretty up-to-date.
posted by George_Spiggott at 6:15 PM on October 25, 2002

By the way, this is at least the third FPP today that also appears on Slashdot.

George, did you steal your comment from the recent Copied-From-Slashdot FPP debate at Plastic? You should really credit your sources...
posted by spotmeter at 6:59 PM on October 25, 2002

Pocomail: Excellent junkmail filtering, powerful scripting that cannot be triggered without explicit permission from the user, some excellent features not available anywhere else.

This is a virus, but it is one that should not be possible. Address books should not be available to anything with message level permissions, or to outside programs without explicit permission.
posted by Nothing at 8:17 PM on October 25, 2002

George, did you steal your comment from the recent Copied-From-Slashdot FPP debate at Plastic?

No, those topics just looked a bit slashdotty so I went and checked.
posted by George_Spiggott at 12:13 AM on October 26, 2002

"Is there a good utility or way to monitor what data is going outbound and to where and to alert when something seems suspicious?"

ZoneAlarm.
However, when you set up ZoneAlarm, one of the first things that you would do is give Outlook permission to send and recieve messages, which is what it is supposed to do.
Then you would give permission to this malware to use Outlook, so no program can protect you from yourself.

I classify this as a virus that uses social engineering as a delivery device.
Whoever runs this company should have their kneecaps busted.
I'm not joking.
posted by 2sheets at 11:00 AM on October 26, 2002

Let me get this straight: you give it explicit permission to do what it does, and you have to override your browser's security settings specifically for the purpose of letting it install itself. It then emails everyone you know to tell them how incredibly clueful you are. Hm. Maybe that's not such a bad thing.

And again, it doesn't propagate by mail, so recipients of that mail are not going to have any problems, and it does not meet the definition of a virus.

The people who make this thing are effectively spammers, that's all. Admittedly that's pretty bad, but the worst spammers take over machines without permission. These guys actually ask permission.
posted by George_Spiggott at 11:15 AM on October 26, 2002

>At any time, Microsoft could have updated Outlook to notify >the user when a new application/virus attempts to use its >automation interface for the first time

MS has did this with an outlook 2000 security patch at least a year ago. I installed it on a test machine when it first came out and found it a bit restrictive, but it did warn you if any app was accessing Outlook's address book or trying to use some of its APIs. In the real world that translates into an extra click or two for palm users.

I think the larger problem here is allowing any application access from the web. I wonder how many copies of Gator and Comet Cursor there would be if users had to actually stop and download the app and do an install as opposed to just clicking yes on some active-x dialogue box.
posted by skallas at 1:31 PM on October 26, 2002

It is not a "virus" as it doesn't replicate. There is an existing term to describe software which has deleterious effects the user is probably not aware of: a Trojan.
posted by majick at 7:36 AM on October 28, 2002