Focal Curve

Trojan-style Spamware Hiding Behind Funny Videos

Spam has been circulating lately directing recipients to a website where they can see the famous video of Bill Gates being smacked with a pie (among other funny clips). However, upon arrival at the site, the user is prompted with an ActiveX control to install “Internet Optimizer” before proceeding to the hilarity. Accepting the license agreement to install the Internet Optimizer grants explicit permission for the software to harvest and spam the user’s address book and IM contacts, as well as to access the user’s machine to install and remove whatever software they like whenever they like in the future.

All of this is clearly explained in the license agreement, and thus the perpetrators are not technically doing anything deceptive or illegal; they’re merely counting on people’s natural tendency to ignore legal mumbo jumbo and click straight to “Next” in an effort to make the annoying dialog window go away. It’s sleazy marketing, and Internet Optimizer should be treated like any other destructive virus.


As it turns out, there are actually three different applications involved in this scam. One, called App/ViewMov-A or sometimes App/CrmRest-A, streams the video content; then there is Internet Optimizer itself, which installs alongside the movie viewer.

Internet Optimizer (IO) is referred to in security and anti-virus circles as App/Optimiz-A. When installed, IO hijacks Internet Explorer’s error pages. Instead of getting a standard 404 error page from the server you were trying to reach, you’ll be redirected to a search page at internet-optimizer.com. While this seems fairly harmless, it’s the trojan aspect of Optimizer that poses the greatest security risk. The software opens a hole in your operating system which allows remote programs to download and install without your knowledge or consent. It has also been known to cause random system crashes and to interfere with normal web surfing.

Internet Optimizer is developed and published by a company called Avenue Media. It can be installed either bundled with other pieces of software or in drive-by downloads from websites. The aforementioned movie spam points you to movies-etc.com, which is owned by Avenue Media. MoneyTree, the people behind the infamous “punch the monkey” banners, has also been accused of installing Optimizer.

The license agreement associated with the ViewMov-A variant of IO that is distributed from movies-etc.com includes the following disturbing paragraphs:

“In consideration for viewing of video content, Avenue Media may send email to your Microsoft Outlook contacts and/or send instant messages to your IM contacts offering the video to them on your behalf. By viewing the video content, you expressly consent to said activity.”

“For your convenience, [IO] automatically updates itself and any other [IO]-installed software to the latest available versions at periodic intervals. In consideration for this feature, you grant Avenue Media access to your machine to automatically update [IO], add new features and other benefits, and periodically install and uninstall optional software packages.”

The agreement further states that any additional software installed via the ports opened up by Internet Optimizer will automatically be subject to the same licensing conditions.

Your best bet to remove this parasite is to run Ad-Aware and Spybot Search & Destroy, making sure both have current updates. Both of these should detect and safely remove Internet Optimizer, as well as many other pieces of spyware you may have installed. It’s worth running both, as each one is slightly different and one will often catch bugs the other misses. This pair of free programs is essential to any sufficiently paranoid computer user, along with ZoneAlarm personal firewall, which will alert you when some bit of hidden spyware attempts to access the Internet.

Most of this info has been gleaned from a good writeup on doxdesk.com, which goes into further technical detail and includes instructions for manual removal. But if you’re uncomfortable editing registry keys, which most people are, you’re better off running one (or both) of the spyware scan/removal tools. Since this affects only Windows operating systems and only Internet Explorer, other browsers and OSes are essentially immune. And of course my best advice is to avoid infection by spyware in the first place by not visiting websites advertised in spam, not granting these strange websites permission to install software, and thoroughly reading the licensing agreements to see just what you could be getting yourself into.
