Bokt.nl

Citaat:

Messenger Plus! Live 4.10 has been released - time to take another look at the installer and sponsor program

Now that a new version of Messenger Plus! Live has been released, it is appropriate to have another look at the Messenger Plus! Live installer and sponsor program.

I installed Messenger Plus! Live and the Sponsor Program on an XP system running IE7.

You can find screenshots of the installation routine here and other bits and pieces here:
http://www.ie-vista.com/graphics3.html

The Messenger Plus! Live Sponsor Program is still being used to spread WINFIXER malware - details below.

I also saw what seems to be a FAKE eBAY LOG-IN PAGE in a pop up window - details below.

No shortcuts were placed on my desktop, and no favorites were added. My home page was not changed, and there was no toolbar.

My default search settings were not changed.

The Sponsor Program is still the malware commonly known as LOP aka Swizzor Trojan.

http://sarc.com/avcenter/venc/data/adware.lop.html (Symantec)
http://www3.ca.com/securityadvisor/pest ... =453076024 (Computer Associates)
http://vil.mcafeesecurity.com/vil/content/v_120626.htm (McAfee)
http://www.trendmicro.com/vinfo/virusen ... SWIZZOR.AG (Trend Micro)
http://www.f-secure.com/v-descs/swizzor.shtml (F-Secure)
http://www.sophos.com/virusinfo/analyse ... zorbq.html

According to the EULA (relevant sections boxed in red):

1. You must be at least 18 years of age.

2. The Sponsor will add itself to the IE pop-up blocker exclusion list:
http://www.ie-vista.com/images/410_7.png

3. You are not allowed (and you will not allow anybody else) to use third party uninstallers or antispyware applications to remove the Sponsor Program.

4. The Sponsor Program will edit your HOSTS file to remove any blocking of its domains. It may bypass router or firewall alerts when accessing the internet.

5. The Sponsor may be updated, replaced or modified at any time "automatically or by other means".

6. Your IP address will be collected, and a unique software identifier assigned to you. Operating system, CPU speed, browser type and version, screen resolution, time zone selected and version numbers of "some of the software installed on your computer" is also collected.

7. A historical record of content and advertisements delivered by the software, and "the response rate associated with the content and advertisements that was delivered to you" is collected.

8. The Sponsor will not transmit URLs you visit but the Program will generate advertisements based on "keywords in the Web sites you visit".

MP!L has no age restrictions, and the MP!L EULA makes no mention of age restrictions applying to the Sponsor Program, but at the same time the Sponsor Program requires that users be at least 18 years of age. The Messenger Plus! Live installer does not clearly state that its users must be at least 18 before they may install the Sponsor Program. Patchou actively encourages users to install the Sponsor, irrespective of their age.

Yes, I know that the Sponsor Program EULA states that you must be over 18 to install the Sponsor, but that part of the Sponsor Program EULA cannot be seen unless you scroll down and users have no reason to suspect that there is a conflict in age requirements between the two programs.

Subtle emotional/psychological pressure is placed on anybody who installs MP!L to also install the Sponsor via the statement "I refuse to give my support" that is part of an MP!L install dialogue window.

The Messenger Plus! Live Sponsor Program is still spreading malware and content inappropriate to minors.

Within hours of installing Messenger Plus! Live 4.10 I saw this:


Once again, false security claims are being made about user's computers

When you close the tab or Internet Explorer you see this:


I have caught the Messenger Plus! Sponsor being used to install Winfixer on victim's machines several times before - two examples being:

April 2006
http://msmvps.com/blogs/spywaresucks/ar ... 89692.aspx

30 June 2006
http://msmvps.com/blogs/spywaresucks/ar ... 03407.aspx

There are more examples, but my blog's Search feature is broken at the moment thanks to an update and I'm finding it a little hard to gather the links. It may be a while before its working again.