Security Incidents mailing list archives

Re: buddylinks worm


From: Scott <upallnight42 () yahoo com>
Date: 12 Feb 2004 19:03:05 -0000

In-Reply-To: <402A5572.4040201 () pa net>

This is something that was already brought to my
attention.  After looking into it, it looks like a marketing ad program. (I don't know if it does anything else?)

The link being sent out as a game directs you to a web
page that prompts you to trust an install.  It looks
like it's a plug-in or is needed to play the game (that
part is deceiving to most users). If you read the
license agreement it is much like Gator or any other
adware.  You agree to install this software that also
offers you a service to group message everyone in your
AIM contact list just to play this game.  I don't know
if there is really a game after the install or not. I
never went that far.

Now one of the first things that happens is a message
goes out to everyone in your AIM list to play the same
game. What a way to spread, after all it comes from
someone you know and trust?? Or how well do you know
people you chat with online that you never met????
(that's a different topic).

The uninstall from the control panel seems to work but
you have to exit the AIM messenger first. 
I'm not sure what else the install does, I was going
to reverse engineer this but after going to the site today I found the site is down.

Attached is information I sent to my users with
uninstall a license agreement copied from the company.

If anyone still has the original install I would not
mind looking at it to see if anything else was done to
the system when users installed it.

Please let me know if anything else is found out about this, I know of a rumor that it might install a Trojan horse or 
a back door but have not seen any evidence about this yet.

Scott

----------------------------------------------------
Here is part of their agreement I copied yesterday before the site went down.

"Note: This is not an actual news story. This is the prologue to a Flash
video game.

PSD TOOLS

END USER AGREEMENT AND SOFTWARE LICENSE TERMS

Services; Modifications to Your Instant Messaging Client.  The Software
provides you the opportunity to access Content for no charge. In return
for the right to access this Content, you acknowledge and agree that the
Software contains additional software products provided to PSD Tools by
its suppliers which will periodically deliver additional Content such as,
but not limited to, advertisements and promotional messages to your
Computer and programs that may alter your home page to offer you Content.
In addition, the Software will interoperate with your current instant
messaging client so as to permit the automatic sending of advertising
messages originating from your Computer to your contact or “buddy” list
regarding Content offered by PSD Tools or its suppliers.   If you desire
to stop this activity, you may elect to stop the messages by navigating to
the “buddylinks.net” entry in your “Start Menu”, selecting the
“buddylinks.net Configuration” item, and unchecking the appropriate
option. You may also refer to PSD Tools’ website at
http://www.psdtools.com for an uninstaller.

Updates to Software. The Software includes an automatic update feature to
ensure that you have the most recently released version. You acknowledge
and agree that PSD Tools or third parties designated by PSD Tools may from
time to time provide automatic programming fixes, updates and upgrades to
the Software (collectively, the “Updates”).  Updates may include
installation of third party applications, through automatic electronic
dissemination and other means.  You consent to such Updates and agree that
the terms and conditions of this Agreement will apply to all such Updates.
If you should elect not to have your software updated at any future time,
PSD Tools shall not be responsible for any incompatibilities that may
arise on your system and Computer.


Uninstalling the Software.  In order to uninstall the Software, you will
need to run the  removal executable. You can get this program by
contacting Support () PSDTools com  You may also be able to remove the
program using any of the following methods:

 Via “Add/Remove Programs”:
Click “Start”, Settings, Control Panel
Click “Add/Remove Programs”
Locate the “buddylinks.net Messaging Integration” option and click
“Remove”. Click “Yes” on the prompt.
Via a website link:
Navigate to http://www.buddylinks.net/uninstall.exe
Choose “Run” or “Open” when the download window appears.

The uninstallation process should take effect immediately though in rare
cases it may be necessary to restart your Instant Messaging Client or
computer."
----------------------------------------------------

Message-ID: <402A5572.4040201 () pa net>
Date: Wed, 11 Feb 2004 11:16:50 -0500
From: Dennis Cheung <dennis () pa net>
To: Jason Yates <jaywhy2 () comcast net>
Cc: incidents () securityfocus com
Subject: Re: buddylinks worm
References: <402953F1.6080509 () comcast net>
In-Reply-To: <402953F1.6080509 () comcast net>

Jason Yates wrote:

Another one of the AOL worms; this one instant messages all users on 
your buddy list.  The message I've received is "check this out: 
http://ww.wgutv.com/osama_capture.php?bNek".  The link is a fact news 
website telling you to download some software.  Once you install the 
software on the page; it immediately instant messages everyone on your 
buddy list.

The software it installs is something called buddylinks.  According to 
buddylinks.net, Buddylinks is a "revolutionary new way for instant 
messenger users to instantaneously share entertaining content with 
their entire IM "buddy list" network all at one time".  I can't make 
this stuff up.

Jason Yates

--------------------------------------------------------------------------- 

Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
---------------------------------------------------------------------------- 


A friend has gotten infected with this "revolutionary" product.  Has 
anyone tried removing this thing manually before?  The buddylinks site 
has an unsubscribe feature that claims to work, but at the moment I am 
reluctant until I figure out what exactly this thing is.

-Dennis
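
A detection sketch for the spreading behaviour described in this thread (one account sending the same link to its whole buddy list right after the install), added here as an example and not part of any poster's message. The log format, the user names and the example.* hosts are constructed; grouping links by host and path with the query string dropped is an assumption, made in case the trailing token differs per message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<ISO time> <sender> -> <recipient>: <text>"
SAMPLE_LOG = [
    "2004-02-11T10:03:17 alice -> bob: check this out: http://game.example/play.php?a1",
    "2004-02-11T10:03:17 alice -> carol: check this out: http://game.example/play.php?a2",
    "2004-02-11T10:03:18 alice -> dave: check this out: http://game.example/play.php?a3",
    "2004-02-11T10:03:19 alice -> erin: check this out: http://game.example/play.php?a4",
    "2004-02-11T10:05:00 frank -> bob: lunch menu http://cafe.example/menu",
    "2004-02-11T10:45:00 frank -> carol: lunch menu http://cafe.example/menu",
    "not a log line",
]
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+): (.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def parse(lines):
    """Yield (time, sender, recipient, link) for each URL in each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt, text = m.groups()
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        for url in URL_RE.findall(text):
            parts = urlsplit(url)  # query dropped (assumption: may be a per-message token)
            yield when, sender, rcpt, parts.netloc.lower() + parts.path

def find_fanout(lines, min_recipients=4, window=timedelta(seconds=60)):
    """Return (sender, link, n) where a sender pushed one link to n distinct buddies in window."""
    events = defaultdict(list)
    for when, sender, rcpt, link in parse(lines):
        events[(sender, link)].append((when, rcpt))
    hits = []
    for (sender, link), sends in events.items():
        sends.sort()
        start = best = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in sends[start:end + 1]}))
        if best >= min_recipients:
            hits.append((sender, link, best))
    return sorted(hits)
```

The threshold and window are tuning knobs: a person sharing a link with two friends 40 minutes apart stays below the defaults, while a burst to the whole list is flagged.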
