America Online's internal "anti-SPIM" controls caused the inadvertent suspension of some screen names that had been infected with the Oscarbot/Doyorg Trojan.
America Online on Tuesday confirmed the inadvertent suspension of an undisclosed number of Trojan-infected AIM screen names.
The company said its internal anti-SPIM (spam over IM) mechanism flagged the infected screen names for terms-of-service abuse and led to the account cancellations.
The suspension is directly related to the virulent "Oscarbot" Trojan Horse that targets AOLs Instant Messenger users and propagates by sending IMs to every buddy on an infected users buddy list.
America Online Inc.s behavior-pattern tracking system noticed the unusual surge in IM activity and unintentionally flagged the infected users as potential IM spammers.
Unfortunately for Arshi Siddiqi and Kati Prendergast, two AIM users who were infected by the Trojan, the suspension has led to the loss of their valuable lists of contacts.
"My entire buddy list is lost, and I have met with great difficulty trying to retrieve it," Prendergast said in e-mail message.
She said AOL sent two separate cancellation notices and gave her the option of replying to challenge the suspension. "I did so both times because I feel that I should not lose an account I have been using for about six years and all of the set preferences that Ive created. It has been approximately a week since my first reply, and I have heard nothing back," Prendergast added.
AOL confirmed the automated e-mail process and promised it would investigate and reinstate the screen names.
Read more here about the Oscarbot virus.
Siddiqi, who lost access to a screen name he had been using for five years, described the episode as "extremely frustrating."
"It stopped working last week and I have been emailing AOL and filling out the form on the AIM Web site," he said.
"When an account is suspended, we send an automated e-mail with instructions on how to get their account unsuspended if they have been a victim of a virus, worm or Trojan," said Chamath Palihapitiya, vice president and general manager for the companys AIM and ICQ units.
In a statement released to Ziff Davis Internet News, Palihapitiya said AOL was "looking into each situation on a case-by-case basis and will reinstate affected accounts as quickly as we can."
"We appreciate AIM users loyalty and the investment they have made in building their Buddy Lists. We apologize for the inconvenience that the Oscarbot Trojan has caused and intend to do everything we can to eradicate it," he said.
In terms of volume, only a very small number of users are dealing with the inadvertent suspension problem.
The company plans to put up a notice on the AIM.com
Web site to handle requests for reinstatement.
Click here to read about security problems with America Onlines Netscape update.
The Oscarbot Trojan, which is also known as "Doyorg," spreads via a URL embedded in an IM labeled "Check out this
" or "i thought youd wanna see this.
When the link is clicked, the user is prompted to save/run an executable file that installs the Trojan. Oscarbot/Doyorg has the ability to contact a remote IRC (Internet Relay Chat) server and log on to a specified channel and wait for further instructions.
"One of these instructions can result in the bot program sending the aforementioned hyperlink to all recipients on the infected users buddy list. Technically not a worm, this threat requires a bot commander to initiate the spimming routine," anti-virus vendor McAfee Inc. said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.