Wednesday, August 24, 2005 11:05 PM sandi

Testing Messenger Plus! and MSAS

Ok, as I promised “James of UK” I had another look at Messenger Plus! and the Sponsor Program tonight.  I have a nifty little programme called inctrl5 that takes a snapshot of my system pre- and post-installation, and then generates a comparison report listing exactly what was changed - registry keys added/removed, files added/removed/changed, ini files edited - making monitoring quite easy.

If it turns out that MSAS does not detect *all* lop.com sponsor files and registry entries etc, then I will do what is necessary to make sure that is fixed, and make sure that every trace of Messenger Plus! AND the Sponsor Program can be successfully removed by MSAS.  If the program is going to do the job, it has to do a complete job.

Bear in mind, lop has been known in the past to use random file names making detection and removal difficult. Time will tell if that behaviour continues with the Messenger Plus! version of the programs.

First attempt with MSAS (Microsoft Antispyware) running threw up a big warning window about the Messenger Plus! 'threat'.  Well, that's what comes from the association with C2 Media.  Pressing the 'allow' button made no difference.  MSAS was determined.  Had to disable the software to be able to install Messenger Plus! at all.

Disabled MSAS, but forgot to disable Trend Micro PC-cillin Internet Security, which quarantined part of lop.com (aka the sponsor program) during the install - specifically a file called “love 2.exe” - detecting it as troj_swizzor.dq.

The text of the detection was “Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.”

Ok, MP! and/or its Sponsor Program are seriously unpopular.

Despite the quarantining of one executable by Trend, the top toolbar was installed in IE, but the blue pass-through toolbar was seemingly damaged, not installing when I changed my home page back to my preferred setting.  Maybe the blue bar has been removed from this particular version of lop, maybe it hasn't.  Further testing will tell.

Something called 'locks third itch' (what the heck sort of name is that?) appeared in the program files directory, and 'mfcd aim.exe' was added to registry startup.  Both disappeared when MP and the sponsor program were removed.

The Sponsor Program was cheeky enough to add 'lop.com', 'mysearch.now', 'www.lop.com' and 'www.mysearchnow.com' to XPSP2's pop-up blocker allow list, allowing the sponsor's advertisements to bypass XPSP2's anti-popup protections.  In the time it took me to change *that*, a typical 'your pc may have a problem' snakeoil advertisement appeared.

My home page was changed.  And, more worrying, a shortcut labelled (may not be precise wording) 'my antivirus update' was added to my desktop.  Didn't have time to check *that* out, but I'm betting it wasn't pointing to my already installed antivirus product (being Trend).  I'll have a much closer look at THAT over the next few days.  As I have said before, the Sponsor Program is also about what it advertises, where it leads people and what it encourages people to install.
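To show what the inctrl5-style pre/post comparison mentioned at the top of the post actually looks like, and how it surfaces the sort of changes noted above (a new startup entry, additions to the XPSP2 pop-up blocker allow list, a changed home page, new files in Program Files), here is an added example in Python. It is not code from the original post and has nothing to do with inctrl5 itself. It assumes registry state is captured as plain .reg text of the kind `reg export` produces, and it diffs two such exports alongside a file-tree snapshot. The .reg contents, the directory tree and every path in them are constructed samples, not values taken from a real system.

```python
"""Pre/post-install snapshot comparison (added example, not the post's own code
or InCtrl5). Assumes registry state is captured as .reg text from `reg export`;
the sample exports and directory tree below are constructed for illustration."""
import hashlib
import os
import re
import tempfile

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ALLOW_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow"
MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed "before" export: one ordinary startup entry, an empty pop-up allow
# list, and a neutral home page.
BEFORE_REG = f"""Windows Registry Editor Version 5.00

[{RUN_KEY}]
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"

[{ALLOW_KEY}]

[{MAIN_KEY}]
"Start Page"="about:blank"
"""

# Constructed "after" export: a new startup value (path is a placeholder), two
# sites added to the pop-up allow list, and a changed home page (placeholder URL).
AFTER_REG = f"""Windows Registry Editor Version 5.00

[{RUN_KEY}]
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"
"mfcd aim.exe"="C:\\\\Program Files\\\\locks third itch\\\\mfcd aim.exe"

[{ALLOW_KEY}]
"lop.com"=hex:00
"www.lop.com"=hex:00

[{MAIN_KEY}]
"Start Page"="http://homepage.example.invalid/"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {(key, value_name): data}. Bare keys are recorded
    with value_name None so an empty key appearing/disappearing is also reported.
    Only single-line values are handled (no hex continuation lines)."""
    entries = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault((key, None), None)
            continue
        m = _VAL_RE.match(line)
        if m and key:
            name = m.group(1) if m.group(1) is not None else "@"
            entries[(key, name)] = m.group(3)
    return entries


def snapshot_files(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256,
    so modified files are reported as well as added/removed ones."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Return (added, removed, changed) between two snapshot dicts."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def demo():
    """Simulate an install against a throwaway tree and the two constructed exports."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "Program Files")
        os.makedirs(prog)
        with open(os.path.join(prog, "settings.ini"), "w") as fh:
            fh.write("original\n")
        before_files = snapshot_files(root)
        # "install": one new directory with a file, one existing ini edited
        newdir = os.path.join(prog, "locks third itch")
        os.makedirs(newdir)
        with open(os.path.join(newdir, "setup.exe"), "wb") as fh:
            fh.write(b"MZ-placeholder")
        with open(os.path.join(prog, "settings.ini"), "a") as fh:
            fh.write("tampered\n")
        after_files = snapshot_files(root)
    file_report = diff_snapshots(before_files, after_files)
    reg_report = diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))
    return file_report, reg_report


if __name__ == "__main__":
    for label, (added, removed, changed) in zip(("files", "registry"), demo()):
        print(label, "added:", sorted(map(str, added)))
        print(label, "removed:", sorted(map(str, removed)))
        print(label, "changed:", sorted(map(str, changed)))
```

On a real machine the two exports would come from `reg export HKCU before.reg` and `reg export HKCU after.reg` (with the matching file snapshot taken under the same two moments), and the interesting hits are exactly the ones the post describes: a new name under the Run key, new value names under the pop-up blocker Allow key, and a different Start Page.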

A scan using MSAS detected Messenger Plus! *and* C2-lop (the sponsor program); with regard to lop, it specifically detected setup.exe and the *entire* lop program directory, recommending both for removal as a severe threat.

Messenger Plus! now opens a browser window upon install directing users to Patchou's petition page (which is still languishing at just over 38,000 signatures after nearly a week - this despite Messenger Plus! having, apparently, 7 million users).  How many of these signatures are multiple signings by the one person, or fake names? We don't know.

Because Trend detected, and quarantined, the sponsor program, preventing a full install, I didn't take things any further tonight. An important question for me is “does MSAS *only* detect Messenger Plus! and lop's setup.exe, or does it detect more?”  I say it detects more (assuming there are files in the lop program directory, which is detected, and therefore deleted, in its entirety).  Of course, detection may be even more extensive once I run the install without my antivirus protection stepping in the way.  Will need to test further, with MSAS *and* antivirus protection disabled, then pitting Messenger Plus! and the sponsor program (aka lop.com, aka swizzor trojan) against MSAS, the new Trend Antispyware product and Vet Antivirus in various combinations.

Patchou is fighting a losing battle regarding his sponsor program - check out this list of detectors:

http://sarc.com/avcenter/venc/data/adware.lop.html (Symantec)
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 (Computer Associates)
http://vil.mcafeesecurity.com/vil/content/v_120626.htm (McAfee)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SWIZZOR.AG (Trend Micro)
http://www.f-secure.com/v-descs/swizzor.shtml (F-Secure)
http://www.sophos.com/virusinfo/analyses/trojswizzorbq.html (Sophos)

BTW, Microsoft Antispyware Beta was rated number one in a recent consumerreports.org test - Trend Antispyware was rated number 7:
http://www.consumerreports.org/main/content/display.jsp?FOLDER%3C%3Efolder_id=760027&ASSORTMENT%3C%3East_id=333133&bmUID=1124890443240

What I think of the MSAS/Patchou kerfuffle, and the Petition itself:
http://msmvps.com/spywaresucks/archive/2005/08/18/63180.aspx

Update: 6 September:
http://msmvps.com/spywaresucks/archive/2005/09/06/65524.aspx
