image: ecard trojan horse
Users who try to view the e-card are warned they must install new software and told in small print of the End User License Agreement that the program will access the installer’s address book.
By
msnbc.com

Net users continue to complain about a greeting card which is making the rounds that behaves much like a computer virus. And the firm that’s spreading the self-promoting message has apparently widened its distribution efforts. On Tuesday, anti-virus researcher MessageLabs revealed that the tricky e-cards are now being distributed at a new Web site, Cool-Downloads.com, which is registered in Panama.

IT’S PART SPAM, part advertisement, part computer virus, part e-greeting card — but a complete nuisance. Anti-virus providers are hearing from their customers about a suspicious e-mail that purports to be a harmless electronic greeting card. But trying to pick up the card has severe consequences: a copy of the e-card e-mail is sent to everyone in the recipient’s Outlook e-mail address book, similar to the worm-like behavior of the Melissa virus or the LoveBug.

(CORRECTION: An earlier version of this story said users who visited Friendgreeting.com were directed to porn sites. The Friendgreeeting software generates pop-up ads, but they are not for pornographic sites, according to Symantec Corp. Another controversial self-promoting program hiding as an e-card, called Cytron, was advertised through a set of spam mails recently that also purported to offer an electronic greeting card. Net users who try to view that e-card are secretly induced to install a the Cytron program which later pushes pop-up pornography ads at the user.)

The “Friendgreeting” e-card is not spreading as quickly as a fast-running computer virus, but it’s clearly hitting Internet users, and several have complained to MSNBC.com. Symantec Corp. now says the e-cards’ distribution rate is “high.” Trend Micro indicates it’s received almost 300 complaints, about three times as many as it had received last Friday, when reports of the e-card first surfaced.

Viewing this new kind of e-card, which requires installation of spam-generating software, means you are likely to pester friends, family, and co-workers with e-mail and inadvertently send them advertisements for Permission Media Inc, the firm that’s apparently behind the effort.

The e-card arrives with a harmless-sounding, personalized subject line: ”(Recipient) you have an e-card from (sender).”

The message includes another personalized greeting, ”(Recipient) I sent you a greeting card. Please pick it up.”

In its original form, the e-mail includes a simple link to Friendgreetings.com; now, a newer version points to Cool-Downloads.com or Cool-Downloads.net.

The domain is registered to Permissioned Media Inc, which lists Panama City, Panama as its address. The phone number included in the registration doesn’t work. Cool-Downloads.com shares the same registration information.

Both might sound to an unwitting Internet user like a normal electronic greeting card Web site. But users who click on the link and agree to install the e-card software find their computer is hijacked and used to send out similar greeting card e-mails to everyone in the recipient’s Outlook address book.

The e-greeting has been making the rounds for at least a week, but complaints started pouring in to anti-virus companies Thursday, and most issued some kind of warning late in the day.

“We’ve gotten a few hundred calls over the last two days,” said Chris Wraight, technology consultant for Sophos. Trend Micro indicated it had received reports of 90 infections so far.

IS IT A VIRUS?

Anti-virus firms aren’t quite sure what to call the program, or what to do about it. Users who try to view the greeting card are warned that they must install new software and told in small print of the End User License Agreement that the program will access the installer’s e-mail address book. As a result, some firms have decided not to treat the program like a virus. Sophos, for example, issued a warning Thursday, but decided not to disable the program with its anti-virus software. Symantec Corp., on the other hand, has decided to include the program in its virus definition files and prevents it from running.

Some apparently agree with the idea that Net users should be responsible for reading End User License Agreements.

“I’m not sure why you would label this ‘a very underhanded marketing practice’ when the EULA clearly states what they will do and the user had to agree *twice* in order for it to work. Seems to me to be very upfront and above board,” wrote Paul Schmehl, a virus expert at the University of Texas at Dallas. “It simply takes advantage of the tendency of many people to not read contracts before they agree to them, but you couldn’t argue that you were not clearly informed.”

THE DEEPER PROBLEM OF SPAM MARKETING

Either way, the program’s tactics are clearly sneaky, and show a disturbing trend of spammers’ willingness to deploy tactics long used by virus writers. David Perry, Symantec spokesperson said his company is regularly receiving reports from users who are complaining that their computer has been used to send unsolicited e-mail advertisements.

Another controversial self-promoting program, called Cytron, was advertised through a set of spam mails recently that also purported to offer an electronic greeting card. Net users who try to view that e-card are secretly induced to install a program called “Cytron,” which later pushes pop-up pornography ads at the user. Antivirus firms have had similar debates deciding whether or not to prevent Cytron from running.

In other cases, spammers have just faked return addresses, a technique known as spoofing. But it can be an alarming experience for an Internet user to receive a complaint from a stranger who has received pornography spam from their e-mail address.

“It’s very distressing,” Perry said. “Reputation loss is becoming a bigger issue than data loss. If I lose my document, I can restore it. But if something goes off my machine and people think I am advertising porn, then my reputation is getting damaged, and my reputation is far more valuable.”

© 2013 msnbc.com Reprints

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments