Users on our HowTo for Security mailing list recently disclosed a rather insidious End User License Agreement (EULA). The EULA pertains to a Web-based greeting card--the same kind that people send to each other for various reasons. But have you ever received a Web-based greeting card that has a EULA? And if so, have you ever actually read a greeting card EULA? <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

If you receive a greeting card from FriendGreetings.com (operated by Permissioned Media) and read and accept the associated EULA, then you know that you're giving FriendGreetings.com permission to copy your entire contact list for its own use. According to, David Precht, who posted the warning to the mailing list this week, the EULA reads as follows:

"FRIENDGREETINGS LICENSE AGREEMENT

This License Agreement (the "Agreement") is a legal agreement between you and The Permissioned Media, Inc. By downloading, installing, accessing or using the FriendGreetings Software or any products or software from Permissioned Media (hereafter collectively referred to as the "FriendGreetings"), you agree to the following terms and conditions \[sic\]. IF YOU DO NOT AGREE WITH SUCH TERMS AND CONDITIONS, DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.

1. Consent to E-Mail Your Contacts. As part of the installation process, Permissioned Media will access your Microsoft Outlook contacts list and send an e-mail to persons on your contacts list inviting them to download FriendGreetings or related products.  By downloading, installing, accessing, or using the FriendGreetings, you authorize Permissioned Media to access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail message to persons on your Contact list.  IF YOU DO NOT WANT US TO ACCESS YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS." \[Emphasis added\]

Some folks might consider the EULA an underhanded tactic at best, and most people won't read the EULA for a simple Web-based greeting card. In any case, those kinds of EULA tactics undoubtedly lead to spam.

Another list reader, Jimi Thompson, sent us a copy of a greeting card message from FriendGreetings.com:

Greetings!

\[Somebody\] has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

http://www.friendgreetings.com/pickup/pickup.aspx?code=\[code number\]

Message:

------------------------------------------------------------
\[Somebody\],

I sent you a greeting card. Please pick it up.
\[Somebody else\]
------------------------------------------------------------

Thompson said, "As you can see, the message itself is really quite deceptive. It's not until you click on the link that the window pops and asks you to install software.  The end users here that clicked "OK" thought that they were installing a browser plug in in order to retrieve their card."

A user, Thor Larholm, said that the ActiveX control is delivered via the following HTML code for Internet Explorer:

<object CLASSID='clsid:A47693D1-7E2A-4DE3-9907-310C5D310B5F' CODEBASE='card/install.cab#Version=1,00,0000' BORDER=0 VSPACE=0 SPACE=0 ALIGN=TOP HEIGHT=0% WIDTH=0%></object>

The following code is used for Netscape:

<applet archive="install.jar" code="ISSetupApplet.class" height="0" width="0"></applet>

To remove Permissioned Media's software from your computers, use the Add/Remove Programs applet located in the Control Panel. If for some reason that doesn't work for you, or you want to double-check to ensure that it did work, then search for the following list of files and registry keys and make sure they are deleted from your system. The list comes from an install.log file and was posted to the SecurityFocus Virus mailing list by a user identified only by their email address (kelekelr@hotmail.com): 

  Title: WinSrv Reg Installation
  Source: C:\WINNT\Installer\MSI3A4.tmp
  Dir: C:\Program Files\Common Files\Media
  File Copy: C:\Program Files\Common Files\Media\Uninstal.EXE 
  RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg
  RegDB Val: WinSrv Reg
  RegDB Name: DisplayName
  RegDB Root: 2
  RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg
  RegDB Val: "C:\Program Files\Common Files\Media\UNINSTAL.EXE" "C:\Program  Files\Common Files\Media\INSTALL.LOG" "WinSrv Reg Uninstall"
  RegDB Name: UninstallString
  RegDB Root: 2
  File Copy: C:\Program Files\Common Files\Media\OTDock.dll
  File Copy: C:\Program Files\Common Files\Media\OTGlove.dll
  File Copy: C:\Program Files\Common Files\Media\OTMS.exe
  File Copy: C:\Program Files\Common Files\Media\OTUpdate.exe
  File Copy: C:\Program Files\Common Files\Media\winsrvc.exe
  File Copy: C:\Program Files\Common Files\Media\winsrvc.dat
  RegDB Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  RegDB Val: "C:\Program Files\Common Files\Media\winsrvc.exe"
  RegDB Name: PMedia
  RegDB Root: 2
  Self-Register: C:\PROGRA~1\COMMON~1\Media\OTGlove.dll

The lesson here is simple: If you receive a greeting card from FriendGreetings.com--or any other vendor for that matter--be certain you read the EULA in its entirety before accepting it blindly, otherwise you might compromise your system in some unforeseen fashion.