| ALIAS: | W32/Aggressive_Marketing.TellFriend |
| ALIAS: | Zeropopup, Zero Popup, TellYourFriends, TellAFriend |
| ALIAS: | Flooder.MailSpam.Zeropopup |
Subject: Hi, i thought you'd be interested in this !
Body: Hi, Don't you hate those annoying Popup Windows when you're surfing the Web?
Well i just installed this free ZeroPOP toolbar on my browser, It will Kill ALL Annoying Popup Windows. I use it myself and thought you should too.
Best of all i'ts FREE ! :)
Download it from here http://www.zeropopup.com (its a 10 seconds download with a 56k modem)
If a recipient of the above message clicked the provided link, he was taken to the ZeroPopup website. The site advertised a ZeroPopUp ToolBar add-on for Internet browsers that was supposed to kill annoying popups and to provide search capabilities for those who were willing to install it.
If the recipient was using Internet Explorer, then after accessing the ZeroPopup website his browser automatically downloaded and installed a CAB (archive) file named ZP.CAB. Because such an automatic action is not secure, Internet Explorer showed a security warning. To get past the warning, the makers of the ZeroPopup add-on asked users to ignore it and to click 'Yes', thus authorising the installation of the ZeroPopup software.
The licence agreement provided by ZeroPopup informed people who were installing the software that it would change the default startup and search pages of the Internet browser to a specific portal and search engine (belonging to the maker of ZeroPopup), and also that the software would send a short message to all contacts of the person who installs it. This means that the software would access the user's Address Book and send an unsolicited message to all of his contacts. This is the technique that many Internet worms use to spread over the Internet. But in this case, instead of a file, the software only sends a link that advertises the ZeroPopup software.
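A mail-gateway style check for the message quoted above, as an added example (it is not F-Secure's detection logic). It uses only the subject line and link shown on this page; the sender and recipient addresses and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Indicators taken from the message quoted on this page.
SUBJECT = "hi, i thought you'd be interested in this !"
DOMAIN = "zeropopup.com"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages (addresses are placeholders).
SAMPLE_SPAM = ("From: alice@example.com\nTo: bob@example.com\n"
               "Subject: Hi, i thought you'd be interested in this !\n\n"
               "Download it from here http://www.zeropopup.com (its a 10 seconds download)\n")
SAMPLE_CLEAN = ("From: carol@example.com\nTo: bob@example.com\nSubject: Lunch?\n\n"
                "Menu: http://notzeropopup.com.example.org/menu\n")

def _norm(text):
    """Collapse whitespace and lowercase so reflowed subjects still match."""
    return " ".join(str(text).split()).lower()

def _body_text(msg):
    """Concatenate every text/* part (plain or HTML) of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_content() for p in parts
                     if p.get_content_maintype() == "text")

def _host(url):
    """Return the lowercased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def tellfriend_indicators(raw):
    """Return the TellFriend indicators ('subject', 'link') found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if _norm(msg.get("Subject", "")) == SUBJECT:
        hits.append("subject")
    for url in URL_RE.findall(_body_text(msg)):
        host = _host(url)
        # Match the domain and its subdomains, not look-alike hosts.
        if host == DOMAIN or host.endswith("." + DOMAIN):
            hits.append("link")
            break
    return hits

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(name, tellfriend_indicators(raw))
```

Because the message is sent from the installing user's own computer to his contacts, the sender address is not a useful indicator; the subject and link are what stay constant.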
The ZeroPopup website also provided an EXE file with the same software. That was done for visitors who do not use Internet Explorer and are not affected by the automatic downloading feature of that browser.
At startup, the EXE file showed a licence agreement, but the terms about changing the settings of the Internet browser and sending unsolicited e-mails to all of the user's contacts were not initially visible. A user had to scroll down to see these terms.
As very few users read licence agreements, they did not suspect that the newly installed software would spam their friends and colleagues from their own computers. As a result, there appeared a number of worried and angered customers who demanded detection of software that uses evasive and virus-like techniques to spread around.
F-Secure Anti-Virus detects TellFriend aggressive marketing
software with the updates published on February 20th, 2003:
[FSAV_Database_Version]
Version=2003-02-20_01
[Description created on 18th of February, 2003, F-Secure Corp.]