TellFriend

Classification

Category :

Malware

Type :

-

Aliases :

TellFriend, W32/Aggressive_Marketing.TellFriend, Zeropopup, Zero Popup, TellYourFriends, TellAFriend, Flooder.MailSpam.Zeropopup

Summary

In mid-February 2003 we started to receive reports from people who had received suspicious email messages.

Removal

The ZeroPopup software can be uninstalled with the Add/Remove Programs feature of Windows. To remove it, open Control Panel, select Add/Remove Programs and uninstall the 'ZeroPopUpBar' entry.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The messages looked like this:

Subject:
Hi, i thought you'd be interested in this !
Body:
Hi, Don't you hate those annoying Popup Windows when you're surfing the Web?
Well i just installed this free ZeroPOP toolbar on my browser,
It will Kill ALL Annoying Popup Windows.
I use it myself and thought you should too.
Best of all i'ts FREE ! :)
Download it from here http://www.zeropopup.com (its a 10 seconds
download with a 56k modem)

If a recipient of the message above clicked the link, he was taken to the ZeroPopup website, which advertised a ZeroPopUp ToolBar add-on for Internet browsers that was supposed to block annoying popups and provide search capabilities for anyone willing to install it.

If the recipient was using Internet Explorer, the ZeroPopup website made the browser automatically download and install a CAB (cabinet archive) file named ZP.CAB. Because such an automatic installation is not safe, Internet Explorer displayed a security warning. To get past it, the makers of the ZeroPopup add-on told users to ignore the warning and click 'Yes', which authorised the installation of the ZeroPopup software.

The licence agreement shown by ZeroPopup told people installing the software that it would change the default start and search pages of the Internet browser to a specific portal and search engine (belonging to the maker of ZeroPopup), and that the software would send a short message to every contact of the person who installed it. In other words, the software reads the user's Address Book and sends an unsolicited message to all his contacts. This is the same technique many Internet worms use to spread over the Internet; the difference is that instead of attaching a file, the software only sends a link advertising ZeroPopup.
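The referral mail is the only thing that leaves the infected machine, so it is also the easiest place to spot an outbreak. The following is an added example, not code from F-Secure or from the ZeroPopup product: a small mail-gateway style check that parses messages, pulls out the links, and flags any message that either reuses the subject line of the sample reproduced above or links to the zeropopup.com referral site. The three messages in SAMPLE_MESSAGES are constructed for the example (message 0 copies the text on this page, message 1 is benign, message 2 is a hypothetical variant that changes the subject but keeps the link); the function and constant names are the example's own.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Indicators taken from the TellFriend sample reproduced on this page.
TELLFRIEND_SUBJECT = "hi, i thought you'd be interested in this !"
REFERRAL_DOMAIN = "zeropopup.com"

# Plain http(s) URLs ending at whitespace or a common delimiter; enough for
# the text-only mails TellFriend sent, not a full RFC 3986 parser.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def parse_message(raw: str) -> EmailMessage:
    """Parse RFC 822 text into an EmailMessage (email.policy.default API)."""
    return message_from_string(raw, policy=policy.default)


def plain_text(msg: EmailMessage) -> str:
    """Concatenate every text/plain part so multipart mails are covered too."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_content())
    return "\n".join(parts)


def extract_urls(text: str) -> list[str]:
    """Return all http(s) URLs found in the text, in order of appearance."""
    return URL_RE.findall(text)


def registrable_domain(url: str) -> str:
    """Lower-case host with a leading 'www.' stripped; '' if unparseable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_tellfriend(msg: EmailMessage) -> tuple[bool, list[str]]:
    """Classify one message. Returns (matched, human-readable reasons)."""
    reasons: list[str] = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == TELLFRIEND_SUBJECT:
        reasons.append("subject matches the TellFriend template")
    for url in extract_urls(plain_text(msg)):
        dom = registrable_domain(url)
        # Match the bare domain and any subdomain, not just 'www.'.
        if dom == REFERRAL_DOMAIN or dom.endswith("." + REFERRAL_DOMAIN):
            reasons.append(f"links to the ZeroPopup referral site: {url}")
            break
    return bool(reasons), reasons


def scan(raw_messages: list[str]) -> list[int]:
    """Indices of the messages in raw_messages that are flagged."""
    return [i for i, raw in enumerate(raw_messages)
            if is_tellfriend(parse_message(raw))[0]]


# Constructed sample mailbox (not captured traffic): message 0 copies the
# text on this page, message 1 is benign, message 2 is a hypothetical
# variant that changes the subject but keeps the referral link.
SAMPLE_MESSAGES = [
    "From: friend@example.org\n"
    "To: you@example.net\n"
    "Subject: Hi, i thought you'd be interested in this !\n"
    "\n"
    "Hi, Don't you hate those annoying Popup Windows when you're surfing the Web?\n"
    "Well i just installed this free ZeroPOP toolbar on my browser,\n"
    "Download it from here http://www.zeropopup.com (its a 10 seconds\n"
    "download with a 56k modem)\n",
    "From: colleague@example.org\n"
    "To: you@example.net\n"
    "Subject: Meeting notes\n"
    "\n"
    "Notes are at http://intranet.example.org/notes/2003-02-17\n",
    "From: other@example.org\n"
    "To: you@example.net\n"
    "Subject: free toolbar\n"
    "\n"
    "grab it: http://zeropopup.com/zp.cab\n",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_MESSAGES):
        print(i, is_tellfriend(parse_message(SAMPLE_MESSAGES[i]))[1])
```

The domain check is the more durable of the two indicators: the subject line is under the sender's control and changes between variants, while the referral link has to point at the site the software is advertising. Run as a script it prints the flagged indices (0 and 2) with the reasons.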

The ZeroPopup website also offered an EXE file containing the same software, for visitors who do not use Internet Explorer and are therefore not affected by that browser's automatic download feature.

At startup, the EXE file showed a licence agreement, but the terms about changing the browser settings and sending unsolicited email to all of the user's contacts were not visible initially; a user had to scroll down to see them.

Since few users read licence agreements, they did not suspect that the newly installed software would spam their friends and colleagues from their own computers. As a result, a number of worried and angered customers demanded detection of software that uses such evasive and virus-like techniques to spread.