Security Incidents mailing list archives
Re: buddylinks worm
From: Scott <upallnight42 () yahoo com>
Date: 12 Feb 2004 19:03:05 -0000
In-Reply-To: <402A5572.4040201 () pa net>

This is something that was already brought to my attention. After looking into it, it looks like a marketing ad program. (I don't know if it does anything else?) The link being sent out as a game directs you to a web page that prompts you to trust an install. It looks like it's a plug-in or is needed to play the game (that part is deceiving to most users). If you read the license agreement it is much like Gator or any other adware. You agree to install this software that also offers you a service to group message everyone in your AIM contact list just to play this game. I don't know if there is really a game after the install or not. I never went that far.

Now one of the first things that happens is a message goes out to everyone in your AIM list to play the same game. What a way to spread, after all it comes from someone you know and trust?? Or how well do you know people you chat with on line that you never met???? (that's a different topic).

The uninstall from the control panel seems to work but you have to exit the AIM messenger first.

I'm not sure what else the install does. I was going to reverse engineer this but after going to the site today I found the site is down. Attached is information I sent to my users with uninstall a license agreement copied from the company. If anyone still has the original install I would not mind looking at it to see if anything else was done to the system when users installed it.

Please let me know if anything else is found out about this. I know of a rumor that it might install a Trojan horse or a back door but have not seen any evidence about this yet.

Scott

----------------------------------------------------

Here is part of their agreement I copied yesterday before the site went down.

"Note: This is not an actual news story. This is the prologue to a Flash video game.

PSD TOOLS END USER AGREEMENT AND SOFTWARE LICENSE TERMS

Services; Modifications to Your Instant Messaging Client.

The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or buddy list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the buddylinks.net entry in your Start Menu, selecting the buddylinks.net Configuration item, and unchecking the appropriate option. You may also refer to PSD Tools website at http://www.psdtools.com for an uninstaller.

Updates to Software.

The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that PSD Tools or third parties designated by PSD Tools may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the Updates). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, PSD Tools shall not be responsible for any incompatibilities that may arise on your system and Computer.

Uninstalling the Software.

In order to uninstall the Software, you will need to run the removal executable. You can get this program by contacting Support () PSDTools com. You may also be able to remove the program using any of the following methods:

Via Add/Remove Programs:
Click Start, Settings, Control Panel
Click Add/Remove Programs
Locate the buddylinks.net Messaging Integration option and click Remove.
Click Yes on the prompt.

Via a website link:
Navigate to http://www.buddylinks.net/uninstall.exe
Choose Run or Open when the download window appears.

The uninstallation process should take effect immediately though in rare cases it may be necessary to restart your Instant Messaging Client or computer."

----------------------------------------------------
Message-ID: <402A5572.4040201 () pa net>
Date: Wed, 11 Feb 2004 11:16:50 -0500
From: Dennis Cheung <dennis () pa net>
To: Jason Yates <jaywhy2 () comcast net>
Cc: incidents () securityfocus com
Subject: Re: buddylinks worm

Jason Yates wrote:

> Another one of the AOL worms; this one instant messages all users on your buddy list. The message I've received is "check this out: http://ww.wgutv.com/osama_capture.php?bNek". The link is a fact news website telling you to download some software. Once you install the software on the page, it immediately instant messages everyone on your buddy list.
>
> The software it installs is something called buddylinks. According to buddylinks.net, Buddylinks is a "revolutionary new way for instant messenger users to instantaneously share entertaining content with their entire IM "buddy list" network all at one time". I can't make this stuff up.
>
> Jason Yates
>
> ---------------------------------------------------------------------------
> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
> Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO.
> Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security.
> Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php
> ----------------------------------------------------------------------------

A friend has gotten infected with this "revolutionary" product. Has anyone tried removing this thing manually before? The buddylinks site has an unsubscribe feature that claims to work, but at the moment I am reluctant until I figure out what exactly this thing is.

-Dennis
Current thread:
- buddylinks worm Jason Yates (Feb 10)
- Re: buddylinks worm Dennis Cheung (Feb 12)
- Re: buddylinks worm falcon (Feb 12)
- Re: buddylinks worm Eric Trager (Feb 12)
- Re: buddylinks worm Mark Coleman (Feb 12)
- Re: buddylinks worm Alexander Kiwerski (Feb 13)
- <Possible follow-ups>
- RE: buddylinks worm Jeremy Junginger (Feb 10)
- Re: buddylinks worm Jason Yates (Feb 10)
- Re: buddylinks worm Clint Bodungen (Feb 12)
- Re: buddylinks worm Jason Yates (Feb 10)
- Re: buddylinks worm upallnight42 (Feb 12)
- Re: buddylinks worm Scott (Feb 12)
- Re: buddylinks worm Access Denied (Feb 18)
- Re: buddylinks worm Dennis Cheung (Feb 12)