Slashdot Mirror


First Worm with a EULA?

ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."

34 of 716 comments

  1. The First Worm Written By a Microsoft Lawyer... by stephenisu · · Score: 5, Funny

    Need I say more?

    --
    Sigs? We don't need no stinking sigs!
    1. Re:The First Worm Written By a Microsoft Lawyer... by tsg · · Score: 5, Funny

      Warning someone that you're going to do something sleazy doesn't excuse you for doing it.

      It's also common knowledge that EULAs aren't read (by gurus and newbies alike). They might as well put the warning in a locked filing cabinet stored in a disused lavatory with a sign on the door that says "beware of the leopard".

      --
      People's desire to believe they are right is much stronger than their desire to be right.
  2. Beautiful by jmd! · · Score: 5, Insightful

    Just beautiful. The more insane EULAs get, the more people will start taking a harder look at all of the ones they currently sign their souls over to.

    This can only be good for Open Source.

  3. No surprise by silhouette · · Score: 5, Insightful

    This may be a cynical thing to say, but I think it was only a matter of time before some shady software like this was made.

    I would remark "How could the makers of such a thing sleep at night?" - but I already know the answer: they sleep just fine. People like that don't believe that they're doing anything wrong.

    --
    Experts agree: everything is fine.
  4. This may be the type of thing we need by Zebbers · · Score: 5, Insightful

    to help force the govt to evaluate the merits of EULAs. While it can be argued..."you should've read the license before you agreed"

    I would rather say "There shouldn't exist any such licensing format. And we as the people should not allow it to ever exist."

    1. Re:This may be the type of thing we need by IndependentVik · · Score: 5, Funny

      Agreed, EULAs need some regulation. This is like having a clause in your apartment lease that says your landlord can break into your place once a week just to kick you in the balls.

      --
      I'd suggest you don't use Slashdot as your only news source, or you will suffer permanent brain damage.
  5. That's rich... by twoslice · · Score: 5, Funny

    The company is called permissionedmedia! Well, they did ask for permission first...

    --

    From excellent karma to terrible karma with a single +5 funny post...
  6. GPL by Skyshadow · · Score: 5, Interesting
    And they said the GPL was like a virus...

    I think this should actually shield the virus-writer from any sort of prosecution, shouldn't it? I suppose you could do all sorts of nasty stuff and be completely protected so long as you could prove the user clicked "ok" to the license.

    Maybe this will be the tool which turns the tide on the EULA.

    RIP: Senator Paul Wellstone.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  7. complete control by Haxx · · Score: 5, Funny


    I am workin on a EULA that gives me power of attorney over for the user.

  8. subterfuge by eric6 · · Score: 5, Funny

    for kicks, we (and by "we", I mean somebody else) need to have an EULA that contains an absurd clause (firstborn child upon installation), then try to collect. It'd be like challenging the concept of EULAs, but from the other side. Try real hard to get sued.

    --
    fight global cooling

  9. I was reprimanded... by abh · · Score: 5, Funny

    I got in trouble for saying the following to one of our users (after he installed it, agreeing to all of the nasty terms):

    What the fuck were you thinking?

    Apparently that's not a valid response, at least according to my boss.

    1. Re:I was reprimanded... by Lemmy+Caution · · Score: 5, Funny
      Your boss is correct, and if you were working for me, I'd also reprimand you.

      The correct response is: What the fuck were you thinking, mister glue-sniffing moron?

    2. Re:I was reprimanded... by stefanlasiewski · · Score: 5, Funny

      Finally, a good use for Clippy!

      "I see you're trying to email a program to every member of your Outlook Address book. DON'T DO THAT YOU FUCKING MORON!"

      --
      "Can of worms? The can is open... the worms are everywhere."
  10. This should be regulated by Dr.Luke · · Score: 5, Insightful

    EULAs like these should be regulated by the government. It is pretty common in contract law that unreasonable provisions are not enforceable and illegal. Like for example a credit card agreement cannot mention it deep in the fine print that if you default they own your house or are allowed to enter your home and steal your pants. These kinds of EULAs are a consumer protection issue.

  11. Read the EULAs then by kenp2002 · · Score: 5, Funny

    Literacy is important, no it seems we cannot afford to skip reading the EULAs. I have seen some funny stuff thrown in EULAs including:

    - the right to borrow your car at any time -
    - the right to sleep with your spouse at our discretion -
    - the right to submit and enforce decorating standards in your home -
    - the right to reduce you and your pets to a disarrayed, sub-atomic goo -

    --
    -=[ Who Is John Galt? ]=-
  12. Legal vs. Ethical by laetus · · Score: 5, Insightful

    This to me is a primary example of the sometimes dichotomous nature between what is legal and what is ethical.

    Is what these business professionals have done legal? Probably.

    Is it ethical? Absolutely not. Otherwise, why hide the email's worm nature in the EULA?

    I know there are those that are going to say, "Hey, you had the opportunity to read the EULA, you didn't, and you clicked it anyway."

    But caveat emptor, though a fact of life, does not exempt the screwer from his responsibility of what he did to the screwee.

    May be legal. But in my mind, definitely not ethical.

    --

    "We're sorry, but the website you're trying to reach has been disconnected."
  13. Who controls your machine? by masonbrown · · Score: 5, Interesting

    So what happens when two different EULAs claim 100% control of your machine?

  14. New geek mantra by abh · · Score: 5, Funny

    RTFEULA

  15. Yes, a worm is a problem by Lover's+Arrival,+The · · Score: 5, Insightful
    But this company is still within the letter of the law, if not within the bounds of morality.

    Some may scream that the law should enforce morality, but then you must wonder "Whose Morality?".

    I read a very interesting book recently, called Human Action, by a lovely looking grey haired man called Ludwig von Mises. It was left by my old boyfriend in the bathroom, and I picked it up and smelled it unhappily one evening, but before long found myself reading Mises' interesting take on the fundamental sovereignty of man.

    Mises would warn us all against enforcing a common morality, for that is a sure way to tyranny, in the end. This company should not be legislated against. We should instead encourage people to read EULAs and to take responsibility over themselves, over their own bodies, over their computers. Anything else is slavery to government.

    I thought I had left slavery to the state behind in my native Scotland. As a Catholic girl, I understand only too well the attractions of worshipping an idol like the state. But we are better to resist laws that seem fair and moral, and instead trust in common decency and responsibility.

    Thanks,
    Margot. XXX

    --

    --Anticipation of a New Lover's Arrival, The

  16. Admit it by anthony_dipierro · · Score: 5, Insightful

    How many of you have read the Slashdot EULA?

  17. Write up I sent to the office by doublem · · Score: 5, Informative

    I haven't found anything on Symantec's site on this, but I did find McAfee's page Here

    And the removal instructions

    Google has a newsgroup post on the sucker

    And here are some sample infection URLs for those who wish to catch the sucker or download the files for analysis:

    Infect Me 1

    Infect Me 2

    A similar worm is described by Symantec here

    It works in IE, but not Phoenix (Mozilla based browser)

    You have to download the installer and the MSI file, which takes a while.

    I went so far as to download the files, but didn't go past the first EULA to see the really bad one that's supposed to come during the second install, so I didn't see the text in a live install myself, just in the McAfee writeup.

    So I downloaded the Microsoft Installer SDK and decided to crack open the MSI install file. According to Servant Salamander, the word "Outlook" was in "Friend Greetings.msi."

    Then I decided, "To hell with it, it's in there as clear text anyway" and opened the install File with VIM. Here is the offending text:

    1. Consent to E-Mail Your Contacts. As part of the installation process,
    Permissioned Media will access your MicroSoft Outlook(r) Contacts list and
    send an e-mail to persons on your Contacts list inviting them to download
    FriendGreetings or related products. By downloading, installing,accessing
    or using the FriendGreetings, you authorize Permissioned Media to access
    your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail
    message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS
    YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO
    NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.

    If anyone is interested, I'll e-mail out both EULAs. There's some rude stuff in there. (You agree to receive pop-up and pop-under ads and HTML e-mail for example)

    Below is the original e-mail from Cheryl, for the sake of reference and forwarding:

    --- Forwarded Message Follows-----
    FYI...

    It's not so much a virus as it is a potential worm. And it's an interesting one at that because it's a "permissive" worm. It banks on the fact that people install products without reading their EULAs. If you read the EULA they include, it specifically says that by accepting the EULA, you are giving them permission to send email to everyone in your MS Outlook Contact list!!!!! (I included the pics they sent us, but I'm not sure how many of you will actually see them).

    Pretty fascinating, actually. And smart. Because people don't read EULAs! (Er, for Dad: EULA is "End User License Agreement" - and I'm guessing you and Steve read them because you are lawyers... ;) )

    Ilene

    -----Original Message-----
    From: Kronos Norton AntiVirus
    Sent: Friday, October 25, 2002 10:51 AM
    To: All Kronos Employees
    Subject: Please read about a potential virus....
    Importance: High

    Potential virus as a Greeting Card ~ Please be aware of this
    potential threat via a web link.

    Friendgreetings

    Discovered on: October 24, 2002
    Last Updated on: October 24, 2002 03:20:23 PM PDT
    Symantec Security Response is aware of a widespread E-card which appears to have the characteristics of a worm. Security Response does not classify this as a malicious threat and as such will not detect any files associated with the E-card. The installation of software associated with the E-card requires the user's permission in order to perform its mass-mailing capabilities. By cancelling the installation of the software, no worm-like activities will be performed. The recipient would receive an email with the following characteristics:

    Subject: %recipient% you have an E-Card from %sender%.
    Message:
    Greetings!

    %sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
    can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

    http://www.friendgreetings.com/pickup/pickup.asp x? <extra content removed>

    Message:
    %recipient%
    I sent you a greeting card. Please pick it up.
    %sender%

    When the link is followed, the recipient is asked to download some software in order to view the E-card.

    The installer package will require the user to accept 2 End User License Agreements in order to complete the installation. The second EULA (see below) explicitly states that by accepting the agreement the end user is authorizing the software to send an email to all contacts in the Microsoft Outlook Contacts List. The email is formatted as displayed above.

    If this agreement is not accepted, the installation is not complete and the software will not send a link to the www.friendgreetings.com website via email.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Write up I sent to the office by caferace · · Score: 5, Funny
      Interestingly enough, their mailing address is in Panama City, Panama while their fax machine is in Northern Virginia.

      That's a long way to walk to pick up a fax. ;)

  18. reminds me of a spam i got a while back by Khopesh · · Score: 5, Interesting

    i got an email a while ago (during the .com bubble) telling me that i got that email because somebody was romantically interested in me (i don't use dating services of any sort, online or not).

    basically, here's the scheme:
    a person likes another, but is too shy to ask him/her. this site allows a way to anonymously email that person. the message essentially says "guess who" ...literally.

    i was expected to guess the admirer by giving the site every email i could think of that might be the admirer. if there's a match, each party is informed. for all those non-hits, an email identical to the first was sent out; spam.

    i happen to use unique email addresses and handed this address to only four people, two of whom were female, so i knew it was one of them or a friend ... but the notable thing is that i started getting TONS of spam at that address (>20emails/day)

    this type of ponzi-style scheme with unforeseen problems seems to be getting popular now; EULAs often take complete advantage: people blindly give permission to have third-party software downloaded and installed, to become the source of spamming and/or propagation, or to allow use of spyware.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  19. Re:Read the Illegal Art EULAs then by Hell+O'World · · Score: 5, Funny

    Have you seen This?

  20. Re:For perspective... by sgtpudding · · Score: 5, Insightful

    speaking of lawyers... are eula's treated like contracts, legally speaking? if so (and i'm pulling from a business law class from several years ago), illegal or unethical points of a contract are null and unenforceable by default, regardless of what you sign. i.e. - if you sign a contract to mow my lawn, and it states that if you cut down my roses, i get to kill your firstborn in a satanic ritual - well, that's just not enforceable.

    too bad online legislation moves so slowly... i think i'm going to register for every spam list i can with my representatives' email addresses, and see if that gets things moving along... umm.. just kidding, secret service guy reading this over my shoulder.

    a

  21. Anyone have a kid? by nick_davison · · Score: 5, Interesting
    I Am Not A Sentient Being but...
    • Under US law, storing personally identifiable information about children is [largely] illegal.
    • The EULA, as far as I can tell, makes NO mention about this product not being allowed for under 13s.
    • With its infection (uh, I mean, transmission) mechanism, it makes no attempt to discover the age of the user before beginning to log their personal information.
    So, as soon as you discover your child has installed this program, sue them for failing to make any attempt to avoid violating their rights. Their EULA get out clauses don't work either as, being a child, they couldn't legally agree to the EULA anyway.

    Hopefully it'll spread better than they ever hoped. A class action lawsuit for every child in America would probably make a fairly clear point to anyone else trying this.

  22. Problem Solved. by Jade+E.+2 · · Score: 5, Funny
    The worm has been completely stopped (at least for the moment) because their server is slashdotted to hell.

    Who knew reading /. could be a public service?

  23. Thank god for Trend Micro by unicorn · · Score: 5, Informative

    As of yesterday afternoon, Trend was classifying this as a virus, and will catch it.

    I knew there was a reason I migrated us from Symantec to Trend at the office here.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  24. Re:what if it also installed it's source? by manyoso · · Score: 5, Informative

    Ok, like I have stated in other places,

    The EULA is a matter of contract law.

    while ...

    The GPL is a matter of copyright law

    The two are fundamentally different. The EULA places _restrictions_ on what you can _do_ with the software.

    The GPL _grants_ you the right to redistribute (which would normally not be there, because of copyright law) once certain criteria are met. The GPL does not impose any restrictions on what you can _do_ with the software.

    In the absence of the EULA you would be allowed to do anything you saw fit with the software (short of illegal acts and within the copyright clause).

  25. Re:For perspective... by cduffy · · Score: 5, Informative

    EULAs try to be contracts -- but think back to your business law class, and look at the requirements for that contract:

    - The parties must give the appearance that they're serious about signing a contract (one party can't be obviously joking).

    - The parties must be competent (old enough, sane enough, sober enough).

    - There must be consideration (both parties must gain something or force some new obligation on the other party).

    - The purpose of the contract must be legal.

    The third element doesn't matter if one doesn't get past the second: In your average software purchase, what does the EULA give you that you wouldn't otherwise have, or restrict the other party from doing that they otherwise could?

    Now, if it's a free download, and you're only offered the download if you click through the EULA, that's an entirely different matter: there's clear consideration in that you're being allowed the download at all. On the other hand, if you purchase the software without the EULA being a condition of the purchase, unless the EULA offers some further consideration it may not be binding at all.

    Another question raised: What if you aren't competent to agree to the EULA for a piece of software (due to being drunk, or insane, or a minor, etc)? Well, if the situation is such that you really have no right to use the software without agreeing to the EULA (which is likely the case with a free download conditional on clicking through the EULA, but unlikely to be the case if you purchased the software from a 3rd-party vendor who didn't make you agree to the EULA before the purchase), then you're using it illegally. If, on the other hand, you had the right to use the software even without agreeing to the EULA (say, because you purchased it from a 3rd-party vendor who didn't force you to agree to the EULA beforehand) then the EULA is invalid in any case because of the lack of consideration (unless, of course, the EULA gives you some other rights you didn't have before agreeing to it, or some obligations to the vendor which they didn't have beforehand) and you can still use the software even if you don't agree to the EULA -- and even if the EULA is legally binding (say because it obligates the software manufacturer to provide phone support which they wouldn't otherwise be obligated to provide), if you have the right to use the software without agreeing you can legally skip the EULA (say, by tricking the installer) and go your merry way -- but don't try to pretend you agreed to the EULA when calling for that phone support! That's the theory, anyhow. Before relying on it working that way in practice, talk to a real IP lawyer licensed in your jurisdiction, and hope you get a reeeal friendly judge. :)

    Coming back to this particular case: Is sending email to everyone in your address book illegal? Probably not (though of course this may vary on your jurisdiction). Hence, is this EULA invalid due to the illegal-purpose clause? Once again, probably not.

  26. They are not the only ones... by TeddyR · · Score: 5, Interesting

    The one that I loathe is the "hotbar" IE/outlook menu customiser (http://www.hotbar.com) which allows someone that has hotbar to send a card to a friend... but what the card does is download the hotbar and install it on the unknowing friend's system...

    It also contains some social engineering.. "Upgrade outlook - add COLOR to your Emails" link...

    bah..

    just had to remove these from about a gazillion corp machines... and the virus scanners don't see it as a virus...

    even though it KILLS the system's efficiency....

    --
    Time is on my side
  27. Too late to the party, but... by Anthony+Boyd · · Score: 5, Interesting

    ...okay, so no one will read this at this late point, but for any and all software developers who are hunting for a useful product to build, why not create an EULA-distiller? Let it run in the background, and watch for installations. When it sees an EULA appear, it can display 2 or 3 bullet points that succinctly explain what the hell all the legal text means.

    To get really tricky, you could create a Web site that allows users to upload the text of each EULA, and a distilled summary. Perhaps other people could even vote on the most accurate, most understandable summaries. Then your app could be constantly up-to-date. Perhaps by doing this, people who blindly click through these things will be made aware of what the real consequences will be.
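
The manual step in comment 17 (pulling the clear-text EULA out of the installer) and the "EULA-distiller" idea in comment 27, combined in one sketch. This is an added example, not code from the thread or from any poster; the rule names, regexes and sample blob are constructed assumptions, and it only reads runs of plain ASCII (it will not see compressed or UTF-16 text).

```python
import re

# Clause patterns worth surfacing to the user (constructed rules, based on the
# behaviours this thread describes; not a complete rule set).
RULES = [
    ("reads your contacts",
     re.compile(r"\baccess\b[^.]*\b(contacts?|address book)\b", re.I)),
    ("sends e-mail to your contacts",
     re.compile(r"\bsend\b[^.]*\be-?mail\b[^.]*\b(contacts?|address book)\b", re.I)),
    ("installs further software",
     re.compile(r"\binstall\b[^.]*\b(additional|further|other)\b[^.]*\bsoftware\b", re.I)),
    ("delivers advertising",
     re.compile(r"\bpop-?(up|under)\b|\badvertis", re.I)),
]

# Constructed installer blob: arbitrary binary bytes around the opening of the
# clause quoted in comment 17, plus one harmless sentence made up for the demo.
SAMPLE_BLOB = (
    b"\xd0\xcf\x11\xe0\x00\x01\x02"
    b"1. Consent to E-Mail Your Contacts. As part of the installation process, "
    b"Permissioned Media will access your MicroSoft Outlook(r) Contacts list and "
    b"send an e-mail to persons on your Contacts list inviting them to download "
    b"FriendGreetings or related products."
    b"\x00\x00\xff\xfe"
    b"You may uninstall the software at any time."  # constructed filler
    b"\x00"
)


def printable_strings(blob, min_len=20):
    """Return runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e\r\n\t]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, blob)]


def flag_clauses(text):
    """Map each triggered rule label to the first sentence that triggered it."""
    hits = {}
    flat = " ".join(text.split())  # clauses wrapped across lines still match
    for sentence in re.split(r"(?<=[.!?])\s+", flat):
        for label, rx in RULES:
            if label not in hits and rx.search(sentence):
                hits[label] = sentence
    return hits


def distill(blob):
    """Extract readable text from an installer blob and flag risky clauses."""
    return flag_clauses("\n".join(printable_strings(blob)))


if __name__ == "__main__":
    for label, sentence in distill(SAMPLE_BLOB).items():
        print(f"* {label}: {sentence}")
```
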

  28. Too hard on Symantec? by jasonditz · · Score: 5, Insightful

    It seems like a lot of you guys are really down on Symantec and McAfee for not filtering this with their AntiVirus software, but consider this.

    By clicking "I agree" on the EULA you are telling your computer "I want to do X". If you tell your computer you want to do X and Symantec's software tells your computer "he can't" how is that any different from all the DRM crap like Palladium?

    I know the intention in this case would be to protect the user, but then again isn't that the tack that Microsoft is taking as well?

  29. New kind of LAN party... by Keighvin · · Score: 5, Funny

    To invalidate all of those pesky EULAs through points 1 and 2 (be serious and sober) get together with friends and thoroughly wasted before installing the worst offenders. If the software actually makes it onto the computer it's a nice bonus, otherwise it's the typical plus of a keg party.

    Problem solved, you were boisterously drunk at the time of install.

    --
    Any spoon would be too big.