February 11, 2004
BuddyLinks - a new twist on IM spam

How annoying is this? I got an AIM message from a colleague I know and trust. Unlike usual conversations I've had with him, it gave only a brief message:

check this out... http://www.wgutv.com/osama_capture.php?{personal_identifier}
Clicking on the link opens a "game" webpage that asks you not only to download the game, but also to accept to give the downloaded code certain privileges (see screenshot (captured for future reference) below, click to see full page)

''Fun site'' advertising a fun game but luring unsuspecting users into accepting giving the ''game software'' extended privileges on their system

This, apparently, is involuntary viral marketing; a company called BuddyLinks (www.buddylinks.net) has created this IM spammer software, and once it's on your machine it will spam all your IM buddies in your name. This is a new and unique approach for IM spam, as it will bypass any whitelists of users you may have

Screenshot of buddylinks' homepage stored for future reference: (click to see entire page):

Information about buddylinks
"Your friends will love the the prize they receive in their funny news message. It might be a game or a funny flash cartoon"
Earth to buddylinks.net: Viral marketing works because people spread the word voluntarily. Cool flash games reach hundreds of thousands of users because they're cool and fun in themselves, not because they install themselves on users' PCs and spam unsuspecting friends!
If you would like to uninstall our game, and opt out of sending messages please just contact us at support@buddylinks.net.
Yeah. Right.
Sponsored links
Related Entries
Comments

"Your friends will love the the prize they receive in their funny news message. It might be a game or a funny flash cartoon"

No, they won't. Most "clever" cartoons, pictures and games aren't all that clever or original. And if it is, I'll hear about it elsewhere. I don't need people to forward them to me, and I certainly don't need a spammer to notify me that they exist.

Posted by: on February 11, 2004 11:19 PM

Whoops, forgot to sign that last comment...

Posted by: Adam Kalsey on February 11, 2004 11:22 PM

sweet, I was wondering if anyone else noticed this one yet. Thankfully it's terribly easy to remove.

This is mostly startling as spammers are using novel methods at attaining the location of live, active nodes in the social network. bravo, and *cringe*

any suggestions for crippling this type of approach other than to not click the link in the first place, or disable win32 handling by your browser?

Posted by: alton on February 12, 2004 12:27 AM

is there anyway to remove this buddylink? b/c i have trouble with it now and so do A LOT of my friends...if there is a way please e-mail me if u can with the subject heading "buddylink remove" or something along those lines or post a blog..i will come back later this week to check i guess...thank you

Posted by: joe on February 12, 2004 03:32 PM

Removal instructions here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.buddylinks.html

Posted by: Anders on February 12, 2004 04:01 PM

More / alternative removal recipes here:
http://www.mjberger.com/archives/000096.html
http://compulsive.org/mt/archives/000382.html

Posted by: Anders on February 12, 2004 06:51 PM

More links and news about the Osama bin Laden BuddyLink game here:
http://www.jacobsen.no/anders/blog/archives/2004/02/13/buddylinks_revisited_and_removal_instructions.html
(... and several variants of removal instructions)

Posted by: Anders on February 13, 2004 03:27 PM

http://users.adelphia.net/~infestednexus/buddylinksremover.zip

^_^ Removal program / Prevention

Nice day!

Posted by: Ting on February 15, 2004 03:35 AM

Thanks for the info on Buddylinks. A few of their files popped up when I did a virus scan, and now I remember getting the IM witch you discuss. Tricky bastards....

TG

Posted by: tom glancy on March 7, 2004 02:10 PM

Does anyone have an optional way to delete adware keenval file? It attaches to the resgistry and pops up every time you start up. I tried to delete it by doing the Symantec istructions for going into safemode and deleting the c:recycler file but that file does not come up in the safe mode. When in the regular mode, it shows as running so you can't delete it. I was wondering if anyone else had this problem?
Thanks Marci H.

Posted by: Marci on March 8, 2004 06:47 PM

When someone posts the optional way to delete the keenval adware, will you please send it to me? My email is at my website.
Thank you!

Posted by: Kyla on April 11, 2004 08:57 AM

its weird just fond out got this buddy thing but don't have the buddy links folder

Posted by: Leeanne on May 13, 2004 10:59 PM

I still have remnants of both buddylinks.net and isearch toolbar infesting my computer. I have a directory c:/program files/buddylinks.net that I can't delete, even in safe mode. I've checked the registry and can't find them anywhere... but keep getting popups and adware all over the place... I've installed 3 different adware killers, but no luck...

Any suggestions?

Posted by: JB on January 2, 2005 09:23 PM
Post a comment
Name:


Email:
(Will not be displayed if you enter a website below. Otherwise, it will be displayed "spam protected")


Website:
(if you have one)


What do you want to say?
(please don't bother posting "spam" (pornography, viagra-sales etc - I will delete such comments anyway))


Remember info?



Referrers to this page
TrackBack URL for this entry:
http://www.jacobsen.no/cgi-sys/cgiwrap/anders/MT/mt-tb.cgi/729
Daily Dictum: Buddy Links Beware (February 12, 2004 03:13 AM)
" This, apparently, is involuntary viral marketing; a company called BuddyLinks (www.buddylinks.net) has created this IM spammer software, and once it's on your machine it will spam all your IM buddies in your name. This is a new and unique..."
MarketingWonk: 'BuddyLinks' Scheme Infecting IM Users (February 12, 2004 02:35 PM)
"In a scheme only a contract lawyer could love, a new program sends itself to all the IM buddies on a victim's computer, posing itself as a game that needs to be installed (and permissions given to do so). Once installed, it starts the process again, sp..."
rc6.org: BuddyLinks - A new twist on IM spam (February 12, 2004 02:58 PM)
"Anders got involuntary spammed by a friend of his. This is called involuntary viral marketing; "
Anders Jacobsen's sideblog: http://www.jacobsen.no/anders/blog/sideblog/archives/2004_02.html#000967 (February 12, 2004 03:36 PM)
"The BuddyLinks story has been picked up by CNN...."
Anders Jacobsen's blog: BuddyLinks revisited (and removal instructions) (February 13, 2004 03:18 PM)
"BuddyLinks has now been thoroughly described by a variety of press / online sites; here is a link summary + a variety of removal instructions - find one that works for you (if you got infected in the first place...)"

35153 visits (1 today, 35 this week)

© Anders Jacobsen
[weblog / photography]