Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Sophos asks: Marketing Stunt or Computer Virus

  • 15 July, 2003 15:13

<p>Sophos technical support in Australia have received a number of reports from users who have received emails inviting them to visit a website containing free comic video clips – including, for example, the well-known sequence of Bill Gates suffering "entartement" (a pie in the face) whilst on a visit to Europe. The website is run by Avenue Media NV, who are based on the Caribbean island of Curacao.</p>
<p>The problem is that after viewing the comedy clip of your choice, you start to send similar invitations to your email contacts. But no virus is involved, so how can this happen?</p>
<p>The answer is that the video clip is not downloaded directly. Instead, clicking on the link launches an ActiveX control which not only displays the video, but also downloads an additional software component named "Internet Optimizer" onto your PC.</p>
<p>"What tricks a lot of people," says Paul Ducklin, Sophos's Sydney-based Head of Technology, Asia Pacific, "is that the ActiveX control which kicks the process off is digitally signed. Many users assume that a program which has been signed in this way is automatically both trustworthy and desirable. Ironically, even though Internet Explorer presents a 'security warning', many people treat this as some kind of a 'security approval' and are more inclined to go ahead."</p>
<p>Once you have agreed to let the ActiveX control run, the "Internet Optimizer" program takes over, asking you to agree to an End User Licence Agreement (EULA). This EULA grants Avenue Media numerous rights, including sending email and instant messages to your contacts, automatically updating or adding to the software on your PC, and even updating the EULA itself by publishing a new version at a specified URL.</p>
<p>"Unfortunately, you need to read the small print," says Ducklin. "Otherwise you may end up suffering the side-effects of a virus attack, such as email overload and the installation of unexpected software, even though you aren't actually infected with a virus."</p>
<p>Sophos advises the following for system administrators looking to keep this particular viral marketing tool out:</p>
<p>1. Update your anti-virus software. Sophos Anti-Virus can block the components of this tool, including the ActiveX control (detected as App/CrmRest-A) and the "Internet Optimizer" application (App/Optimiz-A).</p>
<p>2. Consider tightening your browser security. Try setting "Download signed ActiveX controls" to "Disable" instead of the more common "Prompt". Ensure that "Download unsigned ActiveX controls" is at "Disable", too.</p>
<p>3. If you have a web proxy, consider blocking access to the domains "" and "" to prevent the components of this tool from being retrieved.</p>
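<p>As an added example (not part of the Sophos release), the PowerShell function below audits the two settings named in step 2 for the Internet zone and can optionally set the per-user preference to "Disable". The function name is hypothetical. It assumes Internet Explorer's standard zone registry layout, where zone 3 is the Internet zone, value 1001 is "Download signed ActiveX controls", value 1004 is "Download unsigned ActiveX controls", and the data values 0, 1 and 3 mean Enable, Prompt and Disable.</p>

```powershell
# Added example: audit (and optionally tighten) the ActiveX download settings
# from step 2. Function name is hypothetical; registry IDs are IE URL actions.
function Test-ActiveXDownloadPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Zone = 3,   # 3 = Internet zone
        [switch]$Fix      # write Disable (3) to the per-user preference key
    )
    $actions = [ordered]@{ '1001' = 'Download signed ActiveX controls'
                           '1004' = 'Download unsigned ActiveX controls' }
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $suffix  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    # Policy keys, when present, take precedence over the per-user preference.
    $keys = [ordered]@{
        'Machine policy'  = "HKLM:\Software\Policies\$suffix"
        'User policy'     = "HKCU:\Software\Policies\$suffix"
        'User preference' = "HKCU:\Software\$suffix"
    }
    foreach ($scope in $keys.Keys) {
        foreach ($id in $actions.Keys) {
            $path  = $keys[$scope]
            $item  = Get-ItemProperty -Path $path -Name $id -ErrorAction SilentlyContinue
            $value = if ($item) { [int]$item.$id } else { $null }
            if ($Fix -and $scope -eq 'User preference' -and $value -ne 3) {
                if ($PSCmdlet.ShouldProcess("$path\$id", 'Set to 3 (Disable)')) {
                    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                    New-ItemProperty -Path $path -Name $id -Value 3 `
                        -PropertyType DWord -Force | Out-Null
                    $value = 3
                }
            }
            $setting = if ($null -eq $value) { 'not set' }
                       elseif ($meaning.ContainsKey($value)) { $meaning[$value] }
                       else { "raw value $value" }
            [pscustomobject]@{
                Scope    = $scope
                Action   = $actions[$id]
                Id       = $id
                Setting  = $setting
                Disabled = ($value -eq 3)
            }
        }
    }
}

# Report only; add -Fix (optionally with -WhatIf) to change the preference key.
Test-ActiveXDownloadPolicy | Format-Table -AutoSize
```

<p>A "Prompt" result for value 1001 is the common default the release describes; where a policy key is set, change the policy rather than the per-user preference.</p>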
<p>Further information is available at:</p>
<p>Paul Ducklin is available for comment:
+61 407 320 515 (mobile)
+61 2 9409 9100 (tel)
+61 2 9409 9191 (fax)</p>
<p>Sophos's press contact at Gotley Nix Evans is:
Michael Henderson
+61 2 9957 5555 (tel)
+61 413 054 738 (mobile)
+61 2 9957 5575 (fax)</p>
