Slashdot Mirror
First Worm with a EULA?
ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."
This adware/worm is a pain, we got to slog through it yesterday. Mcaffee has info on it [mcaffee.com> as well. Unlike Symantec, they actually include removal instructions (if you trust them) and their software will detect and remove it.
Quite the contrary. There is a common legal tradition in most areas of contract law that protects consumers from predatory fine print like this. You are generally not allowed to put unreasonable or unrelated clauses into a fine print of a consumer agreement. A creditor cannot put it into the fine print that they can sleep with your wife if you default. I see this kind of EULA as exactly the same type of problem and the govt should protect consumers from them.
I haven't found anything on Symantec's site on this, but I did find McAfee's page Here
;) )
p x? <extra contentremoved>
And the removal instructions
Google has a newsgroup post on the sucker
And here are some sample infection URLS for those who wish to catch the sucker or download the files for analysis:
Infect Me 1
Infect Me 2
A similar worm is described by Symantec here
It works in IE, but not Phoenix (Mozilla based browser)
You have to download the installer and the MSI file, which takes a while.
I went so far as to download the files, but didn't go past the first EULA to see the really bad one that's supposed to come during the second install, so I didn't see the text in a live install myself, just in the McAfee
writeup.
So I downloaded the Microsoft Installer SDK and decided to crack open the MSI install file. Accroding to Servant Salamander, the word "Outlook" was in "Friend Greetings.msi."
Then I decided, "To hell with it, it's in there as clear text anyway" and opened the install File with VIM. Here is the offending text:
1. Consent to E-Mail Your Contacts. As part of the installation process,
Permissioned Media will access your MicroSoft Outlook(r) Contacts list and
send an e-mail to persons on your Contacts list inviting them to download
FriendGreetings or related products. By downloading, installing,accessing
or using the FriendGreetings, you authorize Permissioned Media to access
your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail
message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS
YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO
NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.
If anyone is interested, I'll e-mail out both EULAs. There's some rude stuff in there. (You agree to receive pop-up and pop-under ads and HTML e-mail for example)
Below is the original e-mail from Cheryl, for the sake of reference and forwarding:
--- Forwarded Message Follows-----
FYI...
It's not so much a virus as it is a potential worm. And it's an interesting one at that because it's a "permissive" worm. It banks on the fact that people install products without reading their EULAs. If you read the EULA they include, it specifically says that by accepting the EULA, you are giving them permission to send email to everyone in your MS Outlook Contact list!!!!! (I included the pics they sent us, but I'm not sure how many of you will actually see them).
Pretty fascinating, actually. And smart. Because people don't read EULAs! (Er, for Dad: EULA is "End User License Agreement" - and I'm guessing you and Steve read them because you are lawyers...
Ilene
-----Original Message-----
From: Kronos Norton AntiVirus
Sent: Friday, October 25, 2002 10:51 AM
To: All Kronos Employees
Subject: Please read about a potential virus....
Importance: High
Potential virus as a Greeting Card ~ Please be aware of this
potential threat via a web link.
Friendgreetings
iscovered on: October 24, 2002
Last Updated on: October 24, 2002 03:20:23 PM PDT
Symantec Security Response is aware of a widespread E-card which appears to have the characteristics of a worm. Security Response does not classify this as a malicious threat and as such will not detect any files associated with the E-card. The installation of software associated with the E-card requires the user's permission in order to perform it's mass-mailing capabilities. By cancelling the installation of the software, no worm-like activities will be performed. The recipient would recieve an email with the following characteristics:
Subject: %recipient% you have an E-Card from %sender%.
Message:
Greetings!
%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link below.
http://www.friendgreetings.com/pickup/pickup.as
Message:
%recipient%
I sent you a greeting card. Please pick it up.
%sender%
When the link is followed, the recipient is asked to download some software in order to view the E-card.
The installer package will require the user to accept 2 End User License Agreements in order to complete the installation. The second EULA (see below) explicitly states that by accepting the agreement the end user is authorizing the software to send an email to all contacts in the Microsoft Outlook Contacts List. The email is formatted as displayed above.
If this agreement is not accepted, the installation is not complete and the software will not send a link to the www.friendgreetings.com website via email.
"Live Free or Die." Don't like it? Then keep out of the USA
The GPL is *not* an EULA. EULAs take away what rights you have to use a program. The GPL adds them.
Additionally, last time I read the GPL, I don't recall it saying anything about e-mailing itself to everyone in my ~/.mailrc.
Alas, the strong trend today is to find contracts of adhesion enforceable, at least if the market in which the contract is presented can be said to be a competitive one (on the theory that even if you can't really bargain for the terms, you can go elsewhere; and if everyone has the same terms they must be efficient. Or at least so Judge Easterbrook tells us...) -Michael Froomkin U.Miami School of Law
I have a blog.
No! The GPL is not an EULA.
The GPL has nothing to say about how you can use the software. It places _no_ restrictions on your right to use the software or how you plan on using the software.
The GPL _does_ have something to say on how you might redistribute the software. That is it. It is a copyright notice which _grants_ you the right to redistribute after meeting a few requirements. Once again, it does not restrict what you can _do_ with the software.
The GPL is not an EULA!
The GPL does not require an end user to agree to a license before using the software. It is a copyright license. That is it. It _grants_ the abillity to copy and redistribute once certain criteria are met. The two are fundamentally different.
The EULA is a matter of contract law.
The GPL is a matter of copyright law.
Understand?
As of yesterday afternoon, Trend was classifying this as a virus, and will catch it.
I knew there was a reason I migrated us from Symantec to Trend at the office here.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
Registrant:
Permissioned Media Inc.
Sun Towers, 1st Floor, Office #39
Ave. Ricardo J. Alfaro
Panama City, El Dorado Zona 6
PA
Registrar: Dotster (http://www.dotster.com)
Domain Name: PERMISSIONEDMEDIA.COM
Created on: 18-JUL-02
Expires on: 18-JUL-07
Last Updated on: 18-JUL-02
Administrative Contact:
Alfaro, Jay alfaro@hushmail.com
Permissioned Media Inc.
Sun Towers, 1st Floor, Office #39
Ave. Ricardo J. Alfaro
Panama City, El Dorado Zona 6
PA
571-628-5535
571-628-5535
Technical Contact:
Alfaro, Jay alfaro@hushmail.com
Permissioned Media Inc.
Sun Towers, 1st Floor, Office #39
Ave. Ricardo J. Alfaro
Panama City, El Dorado Zona 6
PA
571-628-5535
571-628-5535
Ok, like I have stated in other places,
...
The EULA is a matter of contract law.
while
The GPL is a matter of copyright law
The two are fundamentally different. The EULA places _restrictions_ on what you can _do_ with the software.
The GPL _grants_ you the right to redistribute (which would normally not be there, because of copyright law) once certain criteria are met. The GPL does not impose any restrictions on what you can _do_ with the software.
In the absence of the EULA you would be allowed to do anything you saw fit with the software (short of illegal acts and within the copyright clause).
EULAs try to be contracts -- but think back to your business law class, and look at the requirements for that contract:
:)
- The parties must give the appearance that they're serious about signing a contract (one party can't be obviously joking).
- The parties must be competant (old enough, sane enough, sober enough).
- There must be consideration (both parties must gain something or force some new obligation on the other party).
- The purpose of the contract must be legal.
The third element doesn't matter if one doesn't get past the second: In your average software purchase, what does the EULA give you that you wouldn't otherwise have, or restrict the other party from doing that they otherwise could?
Now, if it's a free download, and you're only offered the download if you click through the EULA, that's an entirely different matter: there's clear consideration in that you're being allowed the download at all. On the other hand, if you purchase the software without the EULA being a condition of the purchase, unless the EULA offers some further consideration it may not be binding at all.
Another question raised: What if you aren't competant to agree to the EULA for a piece of software (due to being drunk, or insane, or a minor, etc)? Well, if the situation is such that you really have no right to use the software without agreeing to the EULA (which is likely the case with a free download conditional on clicking through the EULA, but unlikely to be the case if you purchased the software from a 3rd-party vendor who didn't make you agree to the EULA before the purchase), then you're using it illegally. If, on the other hand, you had the right to use the software even without agreeing to the EULA (say, because you purchased it from a 3rd-party vendor who didn't force you to agree to the EULA beforehand) then the EULA is invalid in any case because of the lack of consideration (unless, of course, the EULA gives you some other rights you didn't have before agreeing to it, or some obligations to the vendor which they didn't have beforehand) and you can still use the software even if you don't agree to the EULA -- and even if the EULA is legally binding (say because it obligates the software manufacturer to provide phone support which they wouldn't otherwise be obligated to provide), if you have the right to use the software without agreeing you can legally skip the EULA (say, by tricking the installer) and go your merry way -- but don't try to pretend you agreed to the EULA when calling for that phone support! That's the theory, anyhow. Before relying on it working that way in practice, talk to a real IP lawyer licensed in your jurisdiction, and hope you get a reeeal friendly judge.
Coming back to this particular case: Is sending email to everyone in your address book illegal? Probably not (though of course this may vary on your jurisdiction). Hence, is this EULA invalid due to the illegal-purpose clause? Once again, probably not.
I am a law student. Every 1st year law student(1-L) must take a class called Contracts I. I am in this course right now.
In this class we read a lot of cases. Several recent cases have arisen regarding the EULA. I used to think that if you didn't read it, the EULA was unenforceable. This idea is incorrect. As long as you have notice of the existence of the EULA, and as long as you agree to it by clicking the "OK" or "Next" button, you are bound by the terms regardless of whether you read them.
This policy is considered to be a Good Thing(tm) because it stops people from just signing contracts or accepting licenses, abusing the terms of the contract or license, and later claiming that they were unaware of the true terms of the contract license and getting off the hook. If people were allowed to do this with any contract, it would allow shady people to fundamentally undermine the concept of a contract, which is considered a Bad Thing(tm) because contracts allow relative strangers to safely do business with each other without the fear of one person scamming the other and getting away with it.
Before you gasp and scream about the unfairness of this idea, there is a remedy that courts apply to dissallow abusive contracts. Courts apply the concept of unconscionability. From
http://www.law.cornell.edu/lexicon/unconscionab
So there you have it. The average user of this program will be able to sue(assuming they can prove how they are damaged) and recover because the average user would not realize nor agree to sacrifice their right to privacy.
[Disclaimer: IANAL]
3306/tcp open mysql
Guess we know where all those email addresses are being fed into.
Might make a great project for someone to pull the login/passwd from the executable, and start force feeding that thing.
But dont let me give you any ideas.
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
And if you don't get sued, hey, free kids!
You being slashdot user #4015 and most likely a real geeky guy, let me explain that making kids for free is not very difficult.
Cum to think of it, it's more difficult NOT to make free kids.
"And like that
www .friendgreetings.com = 65.89.168.4
ARIN information:
Search results for: ! NET-65-89-168-0-1
CustName: Free Yankee
Address: 11778 Election Draper UT 84020
Country: US
RegDate: 2002-10-17
Updated: 2002-10-17
NetRange: 65.89.168.0 - 65.89.168.255
CIDR: 65.89.168.0/24
NetName: BRW-9924-FREEYANKEE
NetHandle: NET-65-89-168-0-1
Parent: NET-65-88-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-10-17
Updated: 2002-10-17
# ARIN Whois database, last updated 2002-10-24 19:05
We threw this thing on a test box and sniffed it, and decided to blackhole the entire Class C. Following the install process we noted communications with 65.89.168.4, 65.89.168.14, 12.107.125.99 (an AT&T Worldnet address, also blackholed now).
We also saw comms with 207.46.230.220, a Microsoft address; we didn't blackhole this one, figuring it might be in the mix due to certificate revocation list checking during the install or something.
would be interesting to find out who they really are first. The company is hosting out of Salt Lake City but the registration information points to Panama. International law anyone? anyone?
Registrant:
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
Registrar: Dotster (http://www.dotster.com)
Domain Name: FRIENDGREETINGS.COM
Created on: 20-JUL-02
Expires on: 20-JUL-03
Last Updated on: 17-OCT-02
Administrative Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535
Technical Contact:
Alfaro, Ricardo alfaro@hushmail.com
Permissioned Media Inc.
Apartado 5956
Panama City, El Dorado Zona 6
PA
571-628-5535
I also found links to 'offshore accounts and email' services registered under his name in different Panamanian web sites.
Panama Offshore Services International, Inc.
Full Service Law Firm with an international presence, specializing in Commercial & Immigration Law. Discount retailer & wholesaler of Corporations, Foundations & Trusts. US$1000 complete package includes Corporation (or Foundation) + Bank Account. English & Spanish speaking staff.
Ave. Ricardo J. Alfaro, Sun Towers, 1st Floor, Office #39, PTY 296, PO Box 0832-2745, WTC, Panama City, Republic of Panama
E-mail: info@pos-inc.com Encrypted Email: posinc@hushmail.com
Tel (Panama): ++(507) 236-8303
Fax (Panama): ++(507) 236-7150
Toll Free Fax / Voicemail: ++(800)-716-3452
to see these results click here.
A small point regarding the validity of this
contract. No consideration has been provided by
the company. The card sent to the recipient
was generated by the program as a marketing tool.
The recipient thinks that he or she is installing
the program to read a card from a friend. Thus,
the user recieves no benefit from this contract and there is no consideration.
But more importantly, the email generated by the program to that person's contacts is intentionally misleading--thus the contract is invalid.
Second, the contract is in itself misleading. It would take very little effort to show that the company intentionally hid these clauses in a contract so standard and formulaic that a reasonable person would not be expected to read fully.
To prove this contract invalid, one would only need to prove one of those two points (both of which are obvious). Furthermore, the first point (sending bogus emails to attract victims) would not only void the EULAs but could also be the basis for clear cut criminal fraud charges.
So, to those of you who visited the site, doesn't it make sense now why this compnay would chose to operate out of Panama?
Sincerely,
Anonymous Coward