Threat Profile: Friend Greeting

Threat Search
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 10/24/2002
Date Added: 10/24/2002
Origin: Unknown
Length: 1,142,044 bytes
Type: Program
Subtype: -
DAT Required: 4231
Removal Instructions


This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.


Presence of the following files:
  • Friend Greetings.msi or Friend%20Greetings[1].msi
  • %Program Files%\Common Files\Media\Otms.exe
  • %Program Files%\Common Files\Media\OTDock.dll
  • %Program Files%\Common Files\Media\Otglove.dll
  • %Program Files%\Common Files\Media\Otupdate.exe
  • %Program Files%\Common Files\Media\Winsrvc.dat
  • %Program Files%\Common Files\Media\Winsrvc.exe



Friend Greeting.eml,, W32.Friendgreet.worm (Symantec)

Virus Characteristics

-- Update 11/21/2002 --
AVERT has reclassified a component that gets installed by the Friend Greeting application as a trojan, resulting in trojan dropper detection of the Friend Greeting application installer. For more information read the Hide Minimized trojan description.

Due to the fact that this program requires users to download an installer, and agree to allow the program to email a link back to the website to all Microsoft Outlook contacts, this is not considered to be a virus. However, application detection is included in the 4231 DAT files when using the command-line scanner. See the removal instructions for more information, and for a way to prevent the mass-mailing from taking place, should users install this application.

This application works when visiting a specific webpage on the website. A link to this page arrives in an email message as described below. Once this page has loaded, users are prompted to download and run an installer package.

Selecting YES will download the installer.

An MSI installer package is run and the user is prompted to accept 2 End User License Agreements (EULA). Within the second EULA is the following statement:

1. Consent to E-Mail Your Contacts. As part of the installation process, Permissioned Media will access your MicroSoft Outlook(r) Contacts list and send an e-mail to persons on your Contacts list inviting them to download FriendGreetings or related products. By downloading, installing, accessing or using the FriendGreetings, you authorize Permissioned Media to access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.

Once this agreement has been accepted, the program emails all users in the Outlook Address book with the following message:

Subject: %Recipient% you have an E-Card from %Sender%.


%sender% has sent you an E-Card -- a virtual postcard from
You can pickup your E-Card at the by clicking on the link below.

I sent you a greeting card. Please pick it up.
Use the ADD/REMOVE Programs Control Panel in Windows to remove the Friend Greetings application, as well as the WinSrv Reg application. This will uninstall this program.

Should the installation log for the application get deleted, the ADD/REMOVE Programs option will fail. This can happen with most applications. Should this occur, users are faced with the daunting task of hunting through the Registry for references to the application in question, in this case "Friend Greeting", removing all entries found, restarting the system, and then deleting those files related to the program. Such actions should not be done by a novice user, as incorrectly removing registry entries and files can result in a loss of functionality.

Versions prior to Friend Greeting (IV)

    This application installer creates an executable named TAFW.EXE. This executable is responsible for the mass-mailing routine. Before mailing, it checks for the presence of a file name AS.INI in the \Program Files\Common Files (%ProgDir%\Common files) folder. If this file already exists the application does not mass-mail. If it does not exists the mailing commences, afterwards the TAFW.EXE file creates a 0 byte file name AS.INI. To prevent potential mass-mailing of this application, administrators and users may wish to create this INI file:

When using the specified scan engine, the command line scanner with the /PROGRAM /CLEAN switches will detect and remove this application when using the specified DAT files. On access scanners will not detect this application, except for gateway scanners.

  1. Ensure that you are running the specified DATs and Engine
  2. Click the START button
  3. Click RUN
  4. Type COMMAND and hit ENTER
  5. Type: c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /clean and hit ENTER.
Administrators may choose to block the following sites associated with this application:

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!