Update (October 18, 2001):
In a shocking display of corporate greed, IBM has begun advertising using the Ezula Yellow Link Virus. Targeted keywords are "personal computer" and have been showing up on virtually any site with those words. As we've pointed out in other parts of this ongoing scandal, this can only be called whorehouse advertising. IBM should be deeply ashamed and shunned at all turns. We strongly suggest breaking any relationship you have with IBM and explaining why. The deep level of unethical behavior demonstrated by IBM in using the Ezula Yellow Link Virus can only suggest that they will do anything for money. Not a good thing from a company you may need to trust.
In related revelations, Sears is also using the Ezula Yellow Link Virus. The targeted keyword "appliance" is the only known example at this time. This news regarding Sears' involvement is deeply disturbing as Sears has been frequently involved in questionable business and advertising practices since the early 70's. Apparently "the softer side" involves illegal advertising - who'd have thunk it!
Update (October 1, 2001):
In response to the grass roots revolt led by webmasters around the world, this month begins a new 'Net tradition, Blackout Days. Closely allied to the basic concepts of Grey Day, the overlapping celebration highlights the importance of ethical advertising.
Update (September 20, 2001):
Though not a resounding success by any means, most advertisers have begun leaving Ezula, Surf+ and Gator. As soon as possible, we will run a list of the remaining unethical advertisers here. The list is very fluid, but certain advertisers actually appear to be loyal to these improper means of advertising and are highly resistant to reforming their errant ways. They should be shunned at all times, as their actions bespeak that they will do anything to make money, even something illegal.
Update (September 4, 2001):
As one of many companies allied with Gator, Commission Junction has taken a very odd tack on how to handle complaints. Commission Junction is the heir to the ClickTrade advertising and affiliate commission syndicate. Commission Junction actively supports Gator (with its attendant Gator Ad Virus nightmare). If an affiliate of Commission Junction points out that CJ is supporting and promoting Gator, CJ merely cancels the affiliate's account (no warning, no explanation, and E.Mails are ignored). Gotta hand it to Commission Junction. As with CNet (Download.COM) and ZDNet, CJ is another very obvious "acts just like a whore" business in the ethics department. Anything for a dollar.
In a similar vein, brick-and-mortar retail giant Office Depot is using the Gator Ad Virus to overwrite the lawful, proper and paid advertisements on many sites. Complaints to Office Depot elicit a very weak (and not particularly truthful) response about how people choose to install the virus and how it's all explained in the fine print when you install Gator. Since Gator piggybacks on many useful programs, it's very doubtful that everyone chooses to install it, and since it's part of another program in so many cases, Newbies can easily be tricked into installing Gator by thinking that the main program needs it and won't function correctly without it. It is expected that there are other retail giants out there guilty of the same thinking.
Update (August 29, 2001):
In a surprise "first strike" maneuver, scummeisters Gator.COM have decided to sue the honorable Internet Advertising Bureau. Gator is claiming that because IAB has labeled Gator's Ad Virus software as probably illegal and unethical, they have the right to sue for damages. It is expected by all experts conversant with this dynamic and ever changing story that Gator will lose and that this loss may form the basis of a legal decision cementing the concept that the various link virii (Ezula/Kazaa, Surf+, Gator) are illegal as both copyright violations and digital intellectual property right violations.
Update (August 28, 2001):
The debate rages on, with many webmasters and webpublicists calling for a special BlackOut Day for October 1, 2001. The purpose of BlackOut Day is to make surfers realize that what the many programs and advertisers (mentioned below) are doing is actually stealing from websites. This is in addition to the flagrant copyright violations these programs create. Pacoima Ranch will stay online for BlackOut Day, but will use special graphics (pure black with white text explaining what BlackOut Day is) on many of our high traffic portal entry pages. A List Of Shame with E.Mail addresses to complain to will also be available. Many popular sites say they will honor BlackOut Day by temporarily removing their sites and posting a warning about these programs and how they are damaging sites, the 'Net and surfers.
NBCi.COM (formerly Xoom.COM) has already killed its QuickClicks software and is scrambling to remove all links and any trace of the program on its site. We salute them for their quick thinking and courage.
The hardest part of this traffic and advertising piracy is that it's perfectly transparent to most surfers. They notice a few oddly colored links (some of which lead to porno) and maybe spot that a few adbanners seem out of place or advertise a site in direct competition with the one they are at. What they don't realize is that the long-term effect if these programs are not immediately stopped is that virtually all free content everywhere on the 'Net will shortly disappear. Webmasters can't count a hit they never get, and hits determine banner rates. Most sites of any size with good content count on adbanner revenue to stay online.
As regards whether or not these programs are true viruses, it is this News Letter's opinion that they are. They contain stealth modules that do not uninstall and which allow the program perpetrators to send out a JavaScript command that causes the stealth modules to reinstall the entire program. This sounds similar enough to several recent viruses for us to say these programs are viruses.
An unfortunate consequence of this problem revolves around how different freeware download sites are reacting. ZDNet.COM had correctly tagged one such software (Kazaa) as installing a piggyback program (TopText) that altered webpages. CNet.COM (DownLoad.COM) had not, and did not do so until faced with massive pressure from 100,000's of webmasters. They then put in a warning similar to the one from ZDNet. Basically, both of these freeware download sites are behaving like whores. Shunning them except in an emergency is suggested, since they've clearly revealed they won't warn you about damaging software until they are forced to do so. All they're concerned with is how many adbanner impressions they get off of a popular download. Spending an afternoon or evening with them and downloading cool free stuff is just asking to get something as ugly (or worse) as the Ezula Yellow Link Virus, the Surf+ Green Link Virus and the Gator Ad Virus.
Original story (August 25, 2001):
Ezula Yellow Link Virus
Surf+ Green Link Virus
Gator Ad Virus
You may have noticed recently that you now see "extra links" underlined in yellow or highlighted in green or that when you click a link you get offered choices, "continue with original link", "follow this link" rather than your normal link presentation. Maybe even the undertext to an adbanner doesn't match the adbanner in the slightest or you see random links appearing if you mouse over parts of a page. No pages at Pacoima Ranch use any linking or highlighting method like this. We favor grey, red, green, pink, brown and purple text links with no underlining and text popups that describe the link. We never use background color shifting nor multilinking DHTML. Our undertext matches and enhances the adbanner.
If you do see yellow links or are offered multiple choices when you attempt to click a link you have the Ezula Yellow Link Virus. If you see green highlighted links or random links when doing a mouseover you have the Surf+ Green Link Virus. If you suspect the graphics on a page are altered by your browser (especially the advertisements), you have the Gator Ad Virus. These virii were most likely installed as part of the popular file sharing programs Kazaa or iMesh and the popular password utility Gator, though with Surf+ you most likely installed it as a standalone program. They were also at one time offered by accident with Internet Explorer 5, 5.5 and 6; Netscape 4; and Opera 4. You may remove these virii via Control Panel (look for HotText, TopText, DeskTop Dollars, ContextPro, iMesh, Surf+, Spedia, and Gator) AND by using the AdAware Spyware Tool. Using just Remove Program in Control Panel will leave your machine infected with seven (or more) malicious H_KEY's (registry entries), four (or more) malicious ActiveX controls (which allows the virus perpetrators to manipulate files on your harddrive and to reinstall and upgrade the virus) and sixteen (or more) malicious executables and libraries (which may be used when you are online to reinstall and upgrade these virii). You may need to manually delete the contents of your Temp directory and the cache in Temporary Internet Files and search for these files:
ezulaINS.exe (eZula)
ezulAIN.exe (eZula)
stub.exe (eZula)
spactive.dll (Surf+)
surfplus.dll (Surf+)
surfplus.exe (Surf+)
SilentSetup1005.ex_ (Gator)
SilentSetup1005.exe (Gator)
Look in your basic Windows, Temp, System and Programs directories for the above files. If you use CuteFTP, be sure that you leave the file stub.exe in the CuteFTP directory alone; it's just a coincidence of name. Surf+ infections may also need to have this H_KEY removed:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Surfplus
If you don't feel comfortable editing your registry, it's not a problem. The H_KEY refers to the two libraries Surf+ leaves behind when you remove it. As long as you manually remove them (see above), there is nothing on your system to allow Surf+ to be reinstalled.
Surf+ and Gator infected users may also need to remove an H_KEY for Spedia and should examine their Temp directory in Windows for leftover installers waiting to reinstall Surf+ and Gator. It is unknown if the Spedia H_KEY will allow the Surf+ Green Highlight Virus and the Gator Ad Virus to be installed via remote control.
These files and H_KEY's appear to be there to ensure that Ezula Yellow Link Virus, Surf+ Green Link Virus and Gator Ad Virus can be reinstalled without your permission. The stub.exe file is particularly malicious: it can be started into action with a single line of JS and will completely reinstall the virus in the background.
Be sure to do a full cold boot (complete shutdown, not a Restart My Computer) after removing all traces of the virii. We purposefully infected one of our computers and found that four ActiveX controls were hiding in memory waiting for a chance to reinstall the virii. Removing all traces of the virii and doing a full cold boot will remove the controls from memory. It will also erase any ghost processes held in memory by Internet Explorer.
Ezula Yellow Link Virus interferes with your ability to shop online (destroys https: links) AND will damage the JavaScript engine in Internet Explorer (makes the JavaScript engine stop working properly). You may repair Internet Explorer after removing Ezula (complete procedure mentioned above) by going to Control Panel, Remove Program, then select Repair. Some infected machines have not been able to repair Internet Explorer. There is no workaround for this.
Surf+ Green Link Virus makes Windows and Internet Explorer unstable. They will slow down, crash and freeze very easily. Pages will load very slowly, with many false 404 (Cannot Locate That Server) errors being generated.
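An added example, not part of the original advisory: the file search described above as a Python scan that reports the listed leftover files by program and skips stub.exe under CuteFTP. The function names, the "cuteftp" folder-name match and the sample directory tree are assumptions made for this example; the scan only reports and deletes nothing.

```python
import os
import tempfile

# File names listed in the advisory, lower-cased, mapped to the program named there.
LEFTOVERS = {
    "ezulains.exe": "eZula", "ezulain.exe": "eZula", "stub.exe": "eZula",
    "spactive.dll": "Surf+", "surfplus.dll": "Surf+", "surfplus.exe": "Surf+",
    "silentsetup1005.ex_": "Gator", "silentsetup1005.exe": "Gator",
}

def find_leftovers(roots):
    """Walk each root; return sorted (program, path) pairs for listed files."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            # Assumption: a CuteFTP install lives under a folder whose name
            # contains "cuteftp"; its stub.exe is unrelated and is skipped.
            parts = os.path.normpath(dirpath).lower().split(os.sep)
            in_cuteftp = any("cuteftp" in part for part in parts)
            for name in files:
                key = name.lower()  # Windows file names are case-insensitive
                if key not in LEFTOVERS:
                    continue
                if key == "stub.exe" and in_cuteftp:
                    continue
                hits.append((LEFTOVERS[key], os.path.join(dirpath, name)))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree; no real system directory is touched."""
    sample = [  # constructed paths, not taken from a real machine
        "Windows/Temp/STUB.EXE",
        "Windows/System/surfplus.dll",
        "Windows/Temp/SilentSetup1005.ex_",
        "Program Files/CuteFTP/stub.exe",
        "Windows/notepad.exe",
    ]
    with tempfile.TemporaryDirectory() as top:
        for rel in sample:
            path = os.path.join(top, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [(prog, os.path.relpath(p, top).replace(os.sep, "/"))
                for prog, p in find_leftovers([top])]

if __name__ == "__main__":
    for prog, path in demo():
        print(f"{prog:6} {path}")
```

On a real machine, pass the Windows, Temp, System and Programs directories named in the advisory to find_leftovers; the Run registry entry is not checked by this scan.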
Gator Ad Virus will alter graphics. It replaces most adbanners and advertisements with Gator-controlled graphics--most are for Gator's private stable of advertisers. Gator is a major security risk. It not only tracks where you go and what pages you see, but it has all your passwords and usernames for anyone at Gator to see and use. It has been suggested that any company that would engage in this type of unfair business practice AND copyright violation should never be trusted with passwords and usernames.
As an additional caution, the online porno industry has discovered these virii; links to porno sites can appear on any page. Surf+ Green Link Virus is the worst for this tactic. In some cases the link didn't specify that it led to an adult site and tricked the surfer into clicking it. Protect your machine, your privacy, your surfing and your children by removing these virii (as detailed above). Pacoima Ranch does NOT put any links to porno on any of our pages. If you see them, you have the Surf+ Green Link Virus.
The Ezula Yellow Link Virus and the Surf+ Green Link Virus at present only infect Internet Explorer and those browsers which use it as their core engine (NeoPlanet, KidSurf, Bonzi Fun Surfer and similar). Netscape and Opera have not been targeted and are most likely immune. WebTV'ers are immune to these virii. It is unknown if the Gator Ad Virus affects only Internet Explorer. The Gator Ad Virus is difficult to see, since mostly it affects adbanners and advertisements. Current estimates place infections at 6.5 million to 10 million PC's minimum.
This article is a security advisory to all Rangers and Rangerettes. It appears on many high traffic pages throughout Pacoima Ranch. There is no sure-fire method for detection via webpages (i.e., every script I've tried to direct infected computers to a specific "you've got these virii" page has had sporadic failures under normal testing). If you've got the links, you've got the virii. We're very careful with who we allow to advertise on our site. These virii make it impossible for us (and you) to monitor what advertisers are on our pages and to what sites they send our children.
Pacoima Ranch takes no responsibility for what an infected computer parses. We are deploying blocking scripts throughout all of our more than 1,000 pages, but this may not be fully finished before the end of next month. There is no blocking script for the Gator Ad Virus. Failure of these scripts may occur and is not the responsibility of Pacoima Ranch. As we keep repeating, if you see the links, you are infected and need to remove these virii. Failure to remove these virii means you accept how they illegally parse our pages and you agree to hold Pacoima Ranch blameless.
We will shortly be taking similar actions regarding ALL virii of the same type as the Ezula Yellow Link Virus, the Surf+ Green Link Virus and the Gator Ad Virus (QuickClicks, Alexa, FlySwat and similar). Your understanding is appreciated.
You have been warned...