Tellafriend

Type: Trojan
SubType: Spam
Discovery Date: 02/14/2003
Length: 6,176 bytes
Minimum DAT: 4248 (02/19/2003)
Updated DAT: 4248 (02/19/2003)
Minimum Engine: 5.1.00
Description Added: 02/14/2003
Description Modified: 02/14/2003 4:43 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This trojan uses "viral" marketing techniques to send an email message to all contacts found in the Windows Address Book and Eudora Address Book. This action is considered to be that of a trojan as the user does not have sufficient opportunity to agree to the End User License Agreement (EULA) displayed on the web page associated with this trojan installer.

A link to the web page containing an installer for this trojan may arrive in an email message as follows:

Subject: Hi, i think you need this
Body:

Do you hate POPUPS ?? well i just installed this free Zero POPUP toolbar on my browser, it kills ALL popup ads and best of all it's FREE !
Download it from here http://www.zeropopup.com (its a 10 seconds download with a 56k modem)

I hope you'll like it alot, it also has good rating on CNET download.com

Bye :)

When a user clicks the hyperlink specified in the email message, they are taken to a web page that contains an ActiveX control. This control is loaded at startup, resulting in an immediate prompt:
NOTE: This control is signed with an invalid signature:

If the YES button is pressed, the installer is run. The following files are extracted to disk.
  • tellafriend.exe (trojan file)
  • zeropopup.inf (installer setup file)
  • zeropopupbar.dll (potentially unwanted application designed to prevent popup windows during browsing)

The tellafriend.exe file sends email messages to all addresses found in the Windows Address Book (WAB) and Eudora Address Book (nndbase.txt), using the default SMTP server as specified in the Internet Account Manager or OMI Account Manager.

The zeropopupbar.dll file is an Internet Explorer Browser Helper Object designed to block popup ads from being displayed while web browsing. The EULA describes its other actions, which include changing the default start page and search page of Internet Explorer.
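
A mail-gateway check for the lure message quoted above, as an added example that is not part of the original description or of any vendor tooling. It flags a message only when both the quoted subject and a link to the quoted domain are present; the function names and the sample message are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Indicators quoted in the description above.
LURE_SUBJECT = "hi, i think you need this"
LURE_DOMAIN = "zeropopup.com"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def _text_parts(msg):
    """Yield the decoded text of every text/* part (plain or HTML)."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            yield part.get_content()
        except (LookupError, UnicodeDecodeError):
            # Unknown or broken charset: fall back to a lossy decode.
            yield (part.get_payload(decode=True) or b"").decode("latin-1")


def _link_hosts(text):
    """Yield the lower-cased hostname of each http(s) URL in text."""
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            yield host.rstrip(".")


def match_lure(raw_message: bytes) -> dict:
    """Report which Tellafriend lure indicators a raw message carries."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Collapse whitespace so folded or padded subjects still compare equal.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    hosts = {h for text in _text_parts(msg) for h in _link_hosts(text)}
    link = any(h == LURE_DOMAIN or h.endswith("." + LURE_DOMAIN) for h in hosts)
    subject_hit = subject == LURE_SUBJECT
    return {"subject": subject_hit, "link": link, "verdict": subject_hit and link}


# Constructed sample message modelled on the text quoted above.
SAMPLE_LURE = (
    b"From: sender@example.org\r\nTo: rcpt@example.org\r\n"
    b"Subject: Hi, i think you need this\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Download it from here http://www.zeropopup.com\r\n"
)
```

The hostname comparison is anchored on the domain suffix, so a lookalike host such as www.zeropopup.com.example.net does not count as a link hit.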

Symptoms

Desktop firewall application alerting that the program tellafriend is trying to access the Internet.

Method of Infection

This trojan is installed via an ActiveX control when visiting a web site and clicking "YES" when prompted. A EULA does exist on this page (see copy below as it appeared at the time of this writing), but the user is not explicitly required to agree to it prior to installation:

END-USER LICENSE AGREEMENT FOR ZeroPopUp Companion ToolBar.

IMPORTANT READ CAREFULLY: This ZeroPopUp Software End-User License Agreement is a legal agreement between you (either an individual or a single entity) and ZeroPopUp.COM software product identified above, which may include associated software components, media, printed materials, and "online" or electronic documentation (SOFTWARE PRODUCT or SOFTWARE). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this End-User License Agreement. If you do not agree to the terms of this Agreement, do not install or use the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is distributed for FREE. Multiple LICENSE. This is A multiple License which permits you to use any number of copies of the ZeroPopUp software on any computer you have. RESTRICTIONS: --You must maintain all copyright notices on all copies of the SOFTWARE PRODUCT. --You MAY distribute copies of the SOFTWARE PRODUCT to third parties. -- Each time you run the SOFTWARE PRODUCT you agree to have your IE search page set to our search engine, for the purpose of performing a web search. you may undo that anytime by uninstalling SOFTWARE PRODUCT and then restoring manualy your search page. --You also agree to have your Home Page changed to our search portal. --You agree SOFTWARE PRODUCT will email all your friends and contacts a short message with a link so they too can install SOFTWARE PRODUCT for FREE. --You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. 
ZeroPopUp.COM SOFTWARE DISCLAIMS ALL WARRANTIES RELATING TO THIS SOFTWARE, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ALL SUCH WARRANTIES ARE EXPRESSLY AND SPECIFICALLY DISCLAIMED. NEITHER zeropopup.com NOR ANYONE ELSE WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THIS SOFTWARE SHALL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF zeropopup.com HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR CLAIMS. IN NO EVENT SHALL zeropopup.com SOFTWARE'S LIABILITY FOR ANY DAMAGES EVER EXCEED THE PRICE PAID FOR THE LICENSE TO USE THE SOFTWARE, REGARDLESS OF THE FORM OF CLAIM. THE PERSON USING THE SOFTWARE BEARS ALL RISKS AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • zeropopup
