The following is from my Bugnet subscription. You might want to pay close attention, but don't go there. Regards, Henry S. Winokur PC .HLP 301-320-2104 ============================ //--------------------- BugNet: Alert 3/23/2001 ---------------------// Don't "PassThisOn" Joke Website Plays Cruel Tricks on Your Computer By Eugene Woodbury Have you heard of PassThisOn.com? If not, don't go there until you've read this first. If you have, you were probably forwarded to the site via an e-mail message from a "friend." And at first glance it does seem rather harmless. The material comes in two categories: "funny" and "sentimental," and ranges from the schmaltzy to the patently juvenile. Visitors are encouraged to recommend favorites to their friends. The site's creator, Sanford Wallace, boasted to Salon Magazine (http://www.salon.com/business/feature/2000/08/28/metrix/index.html), "It's like a pyramid scheme, except nobody loses money." So why does this site exist? Well, consider that Sanford Wallace once proclaimed himself the "king" of spam. Now, he doesn't spam your e-mail inbox, he "spams" your browser instead. Pop-ups like Rabbits This you'll discover as soon as you attempt to leave the PassThisOn.com site. Embedded in the HTML code is a mischievous piece of JavaScript that has other things in mind. After hitting the back arrow, typing in another URL, or even closing Internet Explorer, an embedded HTML tag called an "event handler" opens another page tied to the PassThisOn.com site. This page, in turn, spawns a "joke" page that attempts to solicit more personal information from you, and then a dialog box asking, "Do you like fun pages?" Click "Yes" and the script will (supposedly) make PassThisOn.com your browser's default web page. "No" and it brings up another advertising page. Closing that page will trigger a second dialog box, this one claiming that "You can now receive a FREE installation of PassThisOn.com's new 'WIN SOMETHING EVERY TIME YOU CONNECT TO THE NET!'" Click "Yes" and you will be prompted to download and execute a file called WIN.VBS. Clicking "Cancel" spawns a third dialogue box asking you again to make PassThisOn.com your home page. This dialogue box employs a misleading double negative: the correct answer is "Yes." However, we observed no consequences to clicking "No." This piece of code apparently does not work. And none of these JavaScript routines were observed to do anything more in Netscape 4.7 or 6.0 than spawn pop-up browser windows and bring up the second dialogue box, after which the Java routine crashed. You Can't Go Home, Again If you answered affirmatively to the first dialogue box, you will discover upon restarting Internet Explorer that PassThisOn.com has NOT become your default home page. Every time you start your browser, you will be redirected to an advertising site, in full-screen mode. This is how Mr. Wallace makes his money, and judging by Internet traffic reports, a lot of it. This problem can be fixed by going to your preferred home page and clicking on Tools > Internet Options > Use Current. You will, of course, have to wade through all the pop-up dialogue boxes and pages every time you leave one of PassThisOn.com's advertising sites. However, if you accepted the offer to 'WIN SOMETHING EVERY TIME YOU CONNECT TO THE NET!', and executed the WIN.VBS file, you are in a good deal more trouble. A Trojan by Any Other Name This Visual Basic script extracts another Visual Basic script, REG.VBS, into the C:\WINDOWS\Start Menu\Programs\StartUp folder. Thereafter, every time you start up your computer, REG.VBS writes the PassThisOn.com URL to the HKCU\Software\Microsoft\Internet Explorer\Main\Start Page key in the Windows Registry. This is a common (though obvious) ploy used by computer viruses. It means that even if you reset your default home page, your browser will always hit PassThisOn.com first and resize the browser to full-screen mode. Among other things, it's simply annoying (it also artificially increases the site's page views). The first thing to do, in any case, is delete REG.VBS from the C:\WINDOWS\Start Menu\Programs\StartUp folder. In the Start menu, click on Programs > Startup. Right click on REG.VBS and select Delete. To remove the key from the Registry, you will have to run REGEDIT. Because the Registry is critical to the life of the computer, it's always a good idea to make a backup before making changes. In the Start Menu, click on Run, enter REGEDIT, and click OK. When the Registry Editor comes up, click on Registry > Export Registry File. Under Export range, select All. Enter a name for the file (the exact name is not important) and click OK. After the Registry is backed up, go to the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer key by clicking on the "+" sign next to each key. In the Internet Explorer key, select the Main folder. Right click on Start Page and select Delete. Then close REGEDIT. The next time you start Internet Explorer the home page will default to http://www.msn.com. After entering the URL for your preferred home page, click on Use Current in Tools > Internet Options. This will re-create the key, and reset the default home page. Or, while in REGEDIT, instead of deleting the Start Page key, you can choose Modify and manually edit the URL. Just Not that Funny Mr. Wallace, we're sure, would insist that the antics described above are covered in the fine print. According to the fine print, "PassThisOn.com prompts and changes consumers' browser behaviors to offer a better user experience and a more targeted advertiser-to-consumer communication system." That's a sentence that lends a meaning to "better" hitherto unknown in the English language. And while the fine print claims that "PassThisOn.com does not sell or rent its list under any circumstances," they do "log all IP addresses" and use "cookies to authenticate users' identity." It pays to read the fine print. At the very bottom of the page is a link titled, "Click here to exit now." Clicking on the link will halt the JavaScript routine and close the browser window without further ado.
