Content

Friend Greeting application (II)

Type
Program
SubType
-
Discovery Date
11/08/2002
Minimum DAT
4234 (11/20/2002)
Updated DAT
4234 (11/20/2002)
Minimum Engine
5.1.00
Description Added
11/08/2002
Description Modified
11/21/2002 6:15 PM (PT)

Tab Navigation

Characteristics

-- Update 11/21/2002 --
AVERT has reclassified a component that gets installed by the Friend Greeting application as a trojan, resulting in trojan dropper detection of the Friend Greeting application installer. For more information read the Hide Minimized trojan description.

Due to the fact that this program requires users to download an installer, and agree to allow the program to email a link back to the website to all Microsoft Outlook contacts, this is not considered to be a virus. However, application detection is included in the 4233 DAT files when using the command-line scanner. See the removal instructions for more information, and for a way to prevent the mass-mailing from taking place, should users install this application.

This application works when visiting a specific webpage on the www.friend-greetings.com website. A link to this page arrives in an email message as described below. Once this page has loaded, users are prompted to download and run an installer package.

Selecting YES will download and run a WISE installer package.

The user is prompted to accept two End User License Agreements (EULA). If the first agreement is not accepted, the installer exits. Within the second EULA is the following statement:

1. Consent to E-Mail Your Contacts. As part of the installation process, Permissioned Media will access your MicroSoft Outlook(r) Contacts list and send an e-mail to persons on your Contacts list inviting them to download FriendGreetings or related products. By downloading, installing, accessing or using the FriendGreetings, you authorize Permissioned Media to access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.

If this agreement is not accepted, the program will get installed without the mass-mailing routing taking place. If the second agreement is accepted, the program emails all users in the Outlook Address book with the following message:

Subject: %Recipient% you have a greeting card from %Sender%.
Body:

%Recipient%,

%sender% has sent you an greeting card -- a postcard from Friend-Greetings.com. You can pickup your greeting card at Friend-Greetings.com by clicking on the link below.

http://www.friend-greeting.com/%number%/pickup.html?code=%name%&id=%number%

Message:
------------------------------------------------------------------------
%Recipient%,
I sent you a greeting card - please pick it up.
%Sender%
------------------------------------------------------------------------

Removal

Use the ADD/REMOVE Programs Control Panel in Windows to remove the Friend Greetings application, as well as the WinSrv Reg application. This will uninstall this program.

Should the installation log for the application get deleted, the ADD/REMOVE Programs option will fail. This can happen with most applications. Should this occur, users are faced with the daunting task of hunting through the Registry for references to the application in question, in this case "Friend Greeting", removing all entries found, restarting the system, and then deleting those files related to the program. Such actions should not be done by a novice user, as incorrectly removing registry entries and files can result in a loss of functionality.

Versions prior to Friend Greeting (IV)

    This application installer creates an executable named TAFW.EXE. This executable is responsible for the mass-mailing routine. Before mailing, it checks for the presence of a file name AS.INI in the \Program Files\Common Files (%ProgDir%\Common files) folder. If this file already exists the application does not mass-mail. If it does not exists the mailing commences, afterwards the TAFW.EXE file creates a 0 byte file name AS.INI. To prevent potential mass-mailing of this application, administrators and users may wish to create this INI file:
    \PROGRAM FILES\COMMON FILES\AS.INI.

When using the specified scan engine, the command line scanner with the /PROGRAM /CLEAN switches will detect and remove this application when using the specified DAT files. On access scanners will not detect this application, except for gateway scanners.

  1. Ensure that you are running the specified DATs and Engine
  2. Click the START button
  3. Click RUN
  4. Type COMMAND and hit ENTER
  5. Type: c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /clean and hit ENTER.
Administrators may choose to block the following sites associated with this application:
  • www.friendgreetings.com
  • www.friendgreetings.net
  • www.friend-greetings.com
  • www.friend-greetings.net
  • www.friend-greeting.com
  • www.friend-cards.net
  • www.friend-cards.com
  • www.friend-card.com
  • www.friend-card.net
  • www.cool-downloads.net
  • www.cool-downloads.com
  • www.laugh-mail.com
  • www.laugh-mail.net
  • 65.240.226.248
  • 64.191.7.4
  • www.hkg3.com
  • pv1.us-downloads.com
  • 207.21.232.104
  • net-downloads.com
  • 65.240.226.241
  • 64.191.7.5

Aliases

Aliases

  • WORM_FRIENDGRT.B (Trend)