X
Tech

MVP awards, Messenger Plus! and adware -- a good combination?

A controversy has been raging in certain circles the last few days over a MVP award, which has now been rescinded, to an adware pusher known as Patchou, Cyril Paciullo, the author of Messenger Plus!. There's a lot of nonsense going around and I'd like to clear some of that up.
Written by Suzi Turner, Contributor

A controversy has been raging in certain circles the last few days over a MVP award, which has now been rescinded, to an adware pusher known as Patchou, Cyril Paciullo, the author of Messenger Plus!, now known as Messenger Plus! Live. Ed Bott blogged about it here. Patchou's devotees have been staunchly defending him and his app and are blaming a few MVPs for causing Microsoft to rescind the award.  There's a lot of nonsense going around and I'd like to clear some of that up. 

Why did the security MVPs, including myself, object to Patchou's award?  Simple answer -- his app bundles adware and a rather nasty adware at that, best known as Lop even though Patchou and Messenger Plus! refer to it as the "sponsor". So what's wrong that?  The devotees say the adware is optional, which is true, but there's some guilt thrown at a user who opts out of the "sponsor".  The dialog says "I refuse to give my support, don't install the sponsor".  "Gee -- I must be bad if I don't install the sponsor." See SunbeltBLOG for screenshots.  Also Messenger Plus! is widely known to be primarily targeted at kids under 18, who cannot enter into a legal contract and likely would not understand the EULA, if they bothered to read it. 

So what is this "sponsor" software?  I downloaded and installed MessengerPlus! Live, including the "sponsor" to see for myself. Lop is primarily advertising software that spawns pop-ups on the desktop. Lop used to include a toolbar and change the user's homepage, but that behavior has been eliminated. The "sponsor" installer adds a fake bho (browser helper object) in the registry and creates a hidden job that starts IE in the background and launches another executable. I observed Lop to keep two instances of Internet Explorer running constantly, even when I didn't have a browser open. Each time I opened IE one or two pop-ups immediately appeared.  These pop-ups are not branded, unlike WhenU and Zango even. When I tried to terminate the two instances of IE, one or two other files would kick into action and restart IE, files with names like JugsRoam.exe and heart bend send dash.exe. You can see a list of file names used by Lop here. Lop frequently changes file and folder names in an attempt to evade detection by anti-malware programs. The EULA even contains a clause prohibiting its removal by other applications. The Lop processes continuously contact these domains, ayb.dns-look-up.com and ads.dns-look-up.com, which reside on an IP address owned by C2 Media, the makers of Lop.

It's no wonder that many of the anti-malware vendors call the "sponsor software" a trojan, Trojan Swizzor

SunbeltBLOG has some additional gripes about the "sponsor".

Ok, to those who support Patchou?  Fundamental problem:  LOP stinks.  And imagine someone installing MessengerPlus and getting that little cute icon to "upgrade your antivirus program" and getting an outright fraudulent scam.  Imagine that person being a relative of yours who doesn't quite know much about computers, and getting scammed.  Or getting popups they don't know the source of (because LOP does not disclose that the popup was generated by LOP, unlike even WhenU or Zango).  

Note the link to the desktop icons placed by the "sponsor".  One additional thing -- I mentioned earlier that a large percentage of Messenger Plus! users are under 18. The "sponsor" displays pop-ups that are entirely inappropriate to tweens and young teenagers, ads for AdultFriendFinder and the like. 

One of the best sources of technical information and history for Messenger Plus! and the sponsor software, short of installing it yourself, is from another Microsoft MVP, Sandi Hardmeier, who has chronicled Messenger Plus! and its changes for several years now. 

Personally, I think Microsoft made a mistake in awarding Patchou and did the right thing by rescinding the MVP award.  If Messenger Plus! wasn't bundled with adware, I would feel differently. I understand that Patchou has to earn a living and I hear that he is technically astute and an excellent programmer, but in my opinion, an adware distributor should not be given the MVP award, especially when the adware in question has such disturbing, trojan-like behaviors. 

Editorial standards