Anti-virus company Sophos has warned that its Australian technical support has been receiving reports from people who have received an e-mail inviting them to visit a Web site--run by Avenue Media NV, based on Curacao in the Caribbean--containing free comic video clips, including one of Bill Gates copping a pie in the face.
Users who visit the site and view a video clip begin sending the e-mail invitation to their friends. This happens because the video clip is not downloaded directly; instead, an ActiveX control is launched which not only displays the video, but also downloads an additional software component named "Internet Optimizer" onto the computer, which sends the e-mails.
The operation is legal because Internet Optimizer presents an End User License Agreement (EULA), which includes provisions that allow Avenue Media to send e-mails and instant messages to the user's contacts, automatically update or add software to the computer and even update the EULA itself by publishing a new version at a specified URL.
"What tricks a lot of people is that the ActiveX control which kicks the process off is digitally signed," said Paul Ducklin, Sophos's Sydney-based Head of Technology, Asia Pacific. "Many users assume that a program which has been signed in this way is automatically both trustworthy and desirable. Ironically, even though Internet Explorer presents a 'security warning', many people treat this as some kind of a 'security approval' and are more inclined to go ahead."
Apart from reading the fine print of any contract or agreement that you sign, Sophos advises users to avoid this and similar attacks by:
Updating your anti-virus software to one which detects and deletes components of the tool, including the ActiveX control (detected as App/CrmRest-A) and the "Internet Optimizer" application (App/Optimiz-A).
Tightening the security of your browser by setting "Download signed ActiveX controls" to "Disable" instead of the more common "Prompt", and ensuring that "Download unsigned ActiveX controls" is also set to "Disable".
Blocking access to the domains "movies-etc.com" and "internet-optimizer.com" if you're running a Web proxy.
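The browser setting recommended above can be checked and applied per user from PowerShell. The script below is an added example, not part of the Sophos advisory; it assumes the standard Internet Explorer zone registry layout (Internet zone = 3, URL actions 1001 and 1004), and the -Enforce switch is a name chosen for this example.

```powershell
# Added example: audit, and with -Enforce set, the two ActiveX download
# settings for the current user's Internet zone.
# Standard Internet Explorer URL action values (not taken from the article):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
# Data: 0 = Enable, 1 = Prompt, 3 = Disable
param([switch]$Enforce)   # -Enforce is a switch name chosen for this example

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$names   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$disable = 3

foreach ($id in $actions.Keys) {
    # Read the current value; $null means the value is not present for this user.
    $current = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id

    if ($null -eq $current)                        { $label = 'not set' }
    elseif ($names.ContainsKey([int]$current))     { $label = $names[[int]$current] }
    else                                           { $label = "unknown ($current)" }

    $compliant = ($null -ne $current) -and ([int]$current -eq $disable)
    $action    = 'none'

    if (-not $compliant -and $Enforce) {
        # Create the zone key if it is missing, then write Disable (3) as a DWORD.
        if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
        Set-ItemProperty -Path $zoneKey -Name $id -Value $disable -Type DWord
        $action = 'set to Disable'
    }

    [pscustomobject]@{
        Setting   = $actions[$id]
        Current   = $label
        Compliant = $compliant
        Action    = $action
    }
}
```

Run without arguments, it only reports; "Prompt" shows up as non-compliant, which is the common default the advisory warns about. Where Group Policy manages these zone settings, the policy value takes precedence over this per-user key.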