Sneakwrapping a virus

READERS HAVE OFTEN joked that we'll really be in trouble when the viruses start coming with sneakwrap license agreements. But now that it has happened, it turns out the real joke is how many people seem to think that the existence of the license means it's not a virus.

Starting on Oct. 24, 2002, thousands of people received an e-mail in which a friend or business associate asked them to pick up an "e-card" left for them at a site called FriendGreetings.com. Those who followed their acquaintances' supposed instructions discovered they would need to download a program to view the e-card, and they were presented with standard digital certificate authentication and installation software to do so. Adding credibility to the process was the fact that they then had to click OK on two EULAs (End-User License Agreements) in order to download the viewer software.

We don't know how many people took the time to read both EULAs, but we can be pretty certain that none who proceeded to click their approval had read the second one. If they had, they would have seen the bald statement that the supposedly Panamanian company that owned FriendGreetings.com would be accessing the licensee's Outlook contact list and sending everyone on that list a similar invitation to download FriendGreetings.

And that's exactly what the software did when installed, with serious results at some hard-hit companies. Along with spamming many of their co-workers, those credulous enough to download the FriendGreetings software often had problems with Outlook errors and changes made to some of their Windows settings. The install also apparently deposited several spyware/adware agents that needed to be sought out and eradicated before they caused trouble. "We'll be cleaning up the mess at least through the weekend," one IT manager said. "The worst part though is having to explain it to the clients and vendors our people sent this thing out to."

Dealing with it was made all the more difficult by the seeming reluctance of the anti-virus software vendors to treat the FriendGreetings outbreak as they would any other virus. "Unbelievable -- Network Associates is saying they can't respond because of 'legal' issues," wrote one reader shortly after the attack began. "They say it's not a virus because one of our users granted permission for it to occur by accepting the EULA."

To its credit, however, Network Associates shortly changed its mind. Although still not officially classifying it as a virus due to the EULA, Network Associates posted details about the files FriendGreetings downloaded on victims' computers and said detection capabilities would be included in its next anti-virus update file.