~ WeatherBug ~
         Back to malware   

Published @ www.searchlores.org in November 2004   (Version 1.09: January 2005)



Weatherbug's nasty habits
(Investigating spyware)
by Shinoara
See also below: An answer by WeatherBug (January 2005)
See also below: A reply by Shinohara (January 2005)

What is WeatherBug?

WeatherBug is a software program by AWS WeatherNet that provides free weather updates (for American cities) from a small icon in the systray. WeatherBug will give you details about your current weather conditions including temperchure, pressure, and many other, all compiled from your local weather report from your local TV station. If you click the icon you can also get several day forecast, storm alerts, alerts, maps, radar, plus much more:



You cannot see it from this screen capture (because I have turned off all images in IE and WeatherBug utilized IE's GUI engine) but WeatherBug runs ads in the banner bottom and it periodically sends pop up ads to your desktop. WeatherBug may bill itself as a totally free application, but it supports itself via those display ads and via aligning itself with TV stations (in this case CBS) and other various sponsors that you can see on their interface. It is a slick program that is working extermly hard to appears very useful to the average computer user. According to their website, Weatherbug is not spyware. They say that their software does not monitor, collect data or 'spy' on its user base. They even include links to the most popular anti spyware apps such as SpyBot and AdAware and invite you to download them and install them and to check your system. This made me laugh because they totally screwed on this one since upon running SpyBot officially declairs them to be a a problem, calls them adware and possible spyware, points out possible problems with their (Weatherbug's) privacy policy and asks the user of it wants Weatherbug removed. I have provided a detailed proof of that below.


How do you get WeatherBug?

WeatherBug finds its way on people's PC from variety of ways. You can certanly download it off their web site but that is not the only way. Talking to many people who have been infected with WeatherBug and asked me what it was and asked me to remove it from their systems it would appear to me a vast majority of WeatherBut users never asked for WeatherBug to be installed, or their WeatherBug installation came via other route, possibly a P2P app. Some people didn't even know what that little icon on their SystemTray was, nor they have ever used it.


My involvment with WeatherBug

began when I wrote an article on various spywares and posted it on searchlores. A copy of it also appeared in a recent issue of 2600 Hacker's Quarterly magazine and it was a great success. Many people emailed me thanking me for writing about those nasty modern dangers and asking me for a posibility of a reprint or if they can include it in their own magazines. It also drew the attention of the WeatherBug people who sent me an unpolite email, demanding I fix my article and issue a prominent retraction and how soon can i do that because they claimed I had called WeatherBug a spyware when I had never done such a thing. I also began seeing WeatherBug installed on many of my clients PCs and most of them didn't even know what it was or how it was used. They didn't even remember when it was installed or how. I decided to take a second careful look at WeatherBug and write up a follow up on what I find.

Oh yeah, and here is the retraction WeatherBug people asked f'r:

In my article Spyware, Adware, Scumware, Sneakware I incorrectly stated that Gator comes attached with the WeatherBug utility. For that I apologize. I have done more research on WeatherBug and here is my report:

WeatherBug review

I began by downloading a fresh version of Weatherbug and installing it.

WeatherBug started by asking me for my Zipcode.

The next screen showed me what will be installed on my system:




That was the free WeatherBug 6.0, the WeatherBug companion plus the following buttons:

MySearch, Google, Yahoo and Ask Jeeves.

As you can see, a checked option there will make My Search into my default stat up page. Since I have my own start up file, I unchecked the Set MySearch as your default browser box and continued. Let me stop here for a second and ask how many users know enough to read everything and uncheck that function, otherwise they will find their start up page quickly changed.

Next, I was asked to fill in a bunch of info. They asked me for my: gender, email address, zip code (again), year of birth, type of Internet connection I have, how many times have I previously registered WeatherBug, if I wanted to receive product updates and special offers (read SPAM!), Industry, Job function and job title, whether (couldn't resist) I participate in outdoor activities, what my income is, and so on. I filled everything with all-fake-info, and clicked next. Almost immediately, an icon advertising a $9.95 Internet service was placed on my desktop. When I clicked on it, my Mozilla browser went to the following web site:
https://register.isp.netscape.com/default.jsp?promo=NS_2_6_24_2004_1_1. It was an ad for Internet Service by Netscape.





How nice. WeatherBug spams its users with unwanted advertising.

After the install completed, I began to search my system to see what specific modifications have been done to it. Here is what i found:

Using Start->Run-->regedit I found numeral Registry keys that had been modified, but nothing was added to Run. When I tested the starting up applications via Start->Run-->msconfig, I saw that WeatherBug had been added to start up next time I would reboot my computer.





I really abhor that practice, so I removed it. Now let me ask you: How many average users would know how to do that? Not too many I am afraid, so most of the people who install WeatherBug would NOT know how to stop it from starting up every time the PC is booted.

Several search buttons had been added to the tool bar of my Internet Explorer browser. They were:
MySearch, Google, Yahoo, AskJeeves, Look Smart, Highlight, WeatherBug companion 95.





Now correct me if I am wrong, but I don't remember asking for these buttons to be added to my IE; yet there they were. Sure, I had given my permitting, at the very beginning, but I certainly didn't know IE would be modified. I have seen them on countless PCs, and people are constantly asking me how to remove them. Yes, those buttons were shown at the beginning of WeatherBug instillation, but do the majority of users really understand the buttons will be added? That is NOT a rhetorical question either.

I clicked on MySearech button and it sent me to their web site at: http://ms101cfg.mysearch.com/ms101cfg.jsp. I decided to do a quick search for rabbits just for the heck of it.

I stared my TCPViewer to watch what places would WeatherBug connect to. Here are some of them:








Next, I began investigating what had been installed inside Program Files. A My Search folder had been added. Inside it, was a ban folder. inside the bar folder were the following folders:
1.bin, Cache, History and a Settings folder. History caught my eye. Inside it, there was a file named search. I opened it using Notepad. Inside it there was a long string like this:

     z28 s.4 z28 h5> fOe fOe fOe fOe fOe fOe s.4 u@M fOe fOe fOe
 fOe z28 s.4 s.4 s.4 fOe fOe fOe fOe fOe fOe fOe s.4 ‚5< fOe fOe fOe fOe fOe 
 fOe u@M s.4 s.4 s.4 s.4 s.4 s.4 s.4 fOe fOe fOe fOe s.4 s.4 s.4 s.4 h5> fOe
 fOe fOe h5> s.4 s.4 s.4 s.4 fOe fOe fOe fOe s.4 s.4 s.4 s.4 s.4 s.4 s.4 l+1
 s.4 s.4 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4
 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1
 s.4 l+1 s.4 l+1 s.4 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1
 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1
 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 e   (. l+1 l+1 l+1 e   (. l+1 e   (. l+1 
 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. 
 l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 
 $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 3ˇŌ ##*     ##*     #U€ $©˙
 $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 
 $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙

I don't know what it all meant, but I decided to do some searches on My Search's web site and see if the string would change.

When I opened the files.ini, I saw a string with today's date that looked like a cookie.

sb&v 2.0.1.5&e eb3c&r 2&l 9&c 01&a 124D0D29-2C60-465D-A079-5EFFBDBF3CF6&n 2004092716=00DA3228 The date was: 2004-09-27, and I have underlined it inside the string.

Suddenly IE popped up an applet, asking me for permition to install Macromedia Flash Player. I find Flash Player annoying and unnecessary, so i replied no.

WeatherBug used Explorer's GUI for their interface, but since I have turned all the images off in IE, WeatherBug was not able to display any ads down on the buttom.

I closed IE, shut down WeatherBug, then restarted them all again. Did a few quick searches on rabbit care, Bulgarian and diamonds using MySearch. I went back to C:\Program Files\MySearch\bar\History\search and noted the time stamp for the last time the file had been modified file had been updated to 2:19 PM. I again opened the search file with with Notepad. To my honest surprise, some of my previous searches were displayed:

#   
   #   
rabbits care	bulgarian fOe fOe fOe fOe s.4 u@M fOe fOe fOe fOe z28 
s.4 s.4 s.4 fOe fOe fOe fOe fOe fOe fOe s.4 ‚5< fOe fOe fOe fOe fOe fOe u@M s.4 s.4 s.4
 s.4 s.4 s.4 s.4 fOe fOe fOe fOe s.4 s.4 s.4 s.4 h5> fOe fOe fOe h5> s.4 s.4 s.4 s.4 fOe
 fOe fOe fOe s.4 s.4 s.4 s.4 s.4 s.4 s.4 l+1 s.4 s.4 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4
 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4
 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 s.4 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1
 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1
 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 l+1 e   (. l+1 l+1 l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1
 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1 e   (. l+1
 e   (. l+1 e   (. l+1 $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 
$©˙ $©˙ 3ˇŌ ##*     ##*     #U€ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 
$©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ $©˙ 
So my searches are saved inside the search file. Are they send back somewhere to some server? I didn't have an answer to that question yet. Monitoring the ports with TCP/IP, I saw constant chatter back and forth between mutiple servers and my machine. IE popped another applet, again asking me to install Macromedia Flash Player. Nope, sooooorry.

Clicking on the X didn't shut WeatherBug down. Instead I was told that WeatherBug will remain connected inside my system tray to give me current temperature readings and allow me to receive life-saving alerts. Sure. I had to right-mouse click on the icon inside SystemTray to shut it down.

I decided to run SpyBot to see what it says about WeatherBug. To my amusement, SpyBot:

I felt justified, now that others have also called WeatherBug adware and possible spyware.

Here are the screen captures from Spybot that I offer as proof:

In this image you can see SpyBot:






here, you can see SpyBot identifing WeatherBug ad plug-is as Adware and possible spyware:







in this image you can see SpyBot identifing MySearch that was installed as part of WeatherBug package as adware/possible spyware:







here you see where MySearch altered the Registry:









Conclusions:

WeatherBug appears cute and useful, but it is definetly not as benign as they claim. They are not a spyware (which I did not say anyway), but they certainly do many questionable things when installed. Let's list them:

Sure, they have the right to do so since they have to pay their bills. Sure, I agreed to install them. On their web site they claim that they are not adware, yet they are supported by ads. That makes them adware.

What's even more amusing, they have a link to SpyBot on their web site. After I installed WeatherBug, i did run SpyBot and it listed all the MySearch instances as adware/possible spyware, plus it targeted WeatherBug itself as adware and asked me if I wanted them to be removed.


Use WeatherBug at your own risk. In fact, Weatherbug is not needed. You can quickly find weather information about your country and region via many other ways.

WeatherBug alternatives

There are many. Here are some of them (thanx to Fravia+):

International Weather Conditions

at
http://weather.noaa.gov/index.html. Simply select a US state or a country for International Weather Conditions of current weather and weather conditions for the past 24 hours

The major search engines carry detailed info for each world region. For example, here is weather forecasts for the Mediterranean: http://weather.yahoo.com/regional/MEDITER.html (yahoo weather with North African, Italian and Greek places, useful for sailing :-)



Yahoo's main weather page is at at http://weather.yahoo.com/. It's got tons of links there, you can choose http://weather.yahoo.com/imgindex/world.html for the world, or http://weather.yahoo.com/imgindex/uscities.html for US cities and http://weather.yahoo.com/imgindex/index.html for US national.

Among its many links Yahoo offers cool US satelite images at http://weather.yahoo.com/img/ussat_440x297.html


I will let you find more weather links on your own...

This ends the WeatherBug article. For any corrections, additions, hate mail, love letters and so on, contact me at shinohara-at-ziplip.com.



(c) shinohara 2004

An answer by WeatherBug (January 2005)
WeatherBug incorrectly identified

Dear Fravia and crew:

I would like to correct some of the information in the posting at
www.searchlores.org/weatherbug.htm

First, our company is formally called WeatherBug, with parent
company AWS, not AWS WeatherNet.  WeatherNet was a separate part
of our company that distributes our award-winning education
software that teaches kids about weather through science and math. 
That division was formally renamed as part of WeatherBug quite a
few months ago.  I do not believe AWS WeatherNet ever distributed
a consumer product- though there may have been a separate product
for the 7000 schools that have our weather stations installed.

My team and I test our program against dozens of the top spyware
detectors and similar programs every week.  In the rare event that
our product or partner products are misidentified, we contact the
company, ask them to test it and await the results.  It took Giant
software 1 day after we formally notified them during their recent
beta test to verify we are not spyware nor adware and they removed
us.  It took Spyware Doctor about 2 weeks (they are overseas and
it was right before Christmas).  With Spybot, because it was 1
person running the company in Germany, it took us a bit longer. 
Spybot has NOT listed WeatherBug or any components (Minibug) in
about 9 months.  I do not know when that screenshot of Spybot was
taken that appears on your page, but not since late April or early
May of 2004 have they shown us.  I just tested it once again
before writing – no minibug, no WeatherBug, no AWS listed. 

It is possible you were using old files from pre-May 2004 when you
took the screenshot.  I’d encourage you to test again and it
should be clean.  I think you’d agree that it would seem unlikely
that a company with 20 million unique users a month would post a
link to encourage those members to download Spybot if they were
listing us as a threat. 

You stated you did not like the program starting up when a
computer is first booted up.  This is easily fixed by clicking the
PREFERENCES button on WeatherBug 6.0 and the CONNECTION tab and
unchecking the top boxes- it does not require registry
readjustments, though I’d imagine if one wished to, this could
work as well.  We want users to be able to customize their
WeatherBugs as much as possible, therefore we put options to
customize right in the PREFERENCES button at the very top of the
main screen.  You can even customize the level of alerts you wish
to receive from the National Weather Service alert system or the
times you DON’T want to receive alerts.

Regarding the WeatherBug Browser Companion toolbar by MySearch and
Netscape icon- it appears you selected the STANDARD installation
instead of the CUSTOM installation.  We, like Yahoo toolbar and
many other programs, offer both a standard install which includes
other programs we are integrated with, and a custom install that
allows users to easily opt out of installing any other software or
icons they do not wish to have.

If you wish to verify this, I’ll be happy to send you the full
uninstall instructions to remove WeatherBug from your registry,
then you can go back and redownload and click the CUSTOM install
to see the option not to install these components.

Regarding your CONCLUSIONS section, we do appreciate you correctly
stating that we are NOT spyware (as well as correcting the
misinformation in your magazine article that we come bundled with
Gator.)

If your definition of ‘adware’ is any program that has ads, then
yes, along with AOL Instant Messenger, Yahoo mail, hotmail, the
Weather Channel’s desktop weather app and many other programs, by
that definition we would be adware.

We do not ‘hide’ keys in the registry to make it difficult to
uninstall.  In fact, we offer in our customer support templates
the very instructions to that.  Just go to www.weatherbug.com/help
and click the 6.0 version (since that’s the version you show) to
get 6.0 FAQs- the 3rd question is “HOW DO I UNINSTALL” and when
you click it, there is a link that gives full registry uninstall
directions.  Placing information in the registry after downloading
is no different than many programs (including some well-known
spyware detectors) that leave information behind so it recognizes
you as a former customer.  They do this sometimes because they
have 30 day free trials of their software and don’t want you
simply uninstalling and reinstalling to keep getting the free
version.  We do it so we don’t count you as a new customer.  We
can therefore legitimately say we’ve had over 50 million downloads
and over 20 million unique users a month without counting people
who may have uninstalled and reinstalled multiple times.

We do NOT require a valid email address to register.  We require a
valid US ZIP code (international users can go to our website
ww5.weatherbug.com) to give you your local weather.  If we did not
require this, anyone who made up a ZIP, say 01234, would default
to our headquarter’s weather outside Washington, DC, which would
not be helpful unless you live in Gaithersburg, Maryland. 

Regarding points 4 and 5 about the toolbar, please see the CUSTOM
install information previously mentioned.

Regarding point 6, WeatherBug 6,0 serves no pop up ads and does
not send unwanted spam- again, we don’t even require a valid email
address- there is no “click here to confirm” link sent to an email
necessary to activate like some weather programs.  Like most
companies, we have valid unsubscribe links at the bottom of ALL
WeatherBug emails (and require our advertisers to have the same)
and of course a user can simply email us, asking to unsubscribe,
which we will gladly do for them.

Regarding the claim that the author of the article in the magazine
called us spyware, while it’s been quite a while, I do recall the
author of a letter, possibly in response to the article, saying
something to the effect that our partnership with the Dept. of
Homeland Security means we secretly transmit or share data about
our users with them.  Other than sounding like a plot for a good
conspiracy movie, this has not a shred of truth to it.  PERIOD. 
Our partnership with DOHS is that we, unlike the National Weather
Service (where the weather for all the other websites you
recommend comes from) have 8000 of our OWN, exclusive live weather
stations.  Plus the 1000 NWS stations- most of which are at
airports and only update once an hour.  Therefore, if God forbid,
this country is attacked again, let’s say with a biological agent,
within seconds the DOHS can get LIVE, wind speed, temperature,
humidity, and precipitation data from any of our 8000 stations. 
If they had to rely on the NWS sites, 1) these are at airports
often many miles away from the actual city, and 2) the data they
get can be up to an hour old.  DOHS decided that getting wind
direction from 60 minutes ago probably isn’t going to help much
right now if they need to make a decision to evacuate.  That is
why they partnered with us, not to get secret data.  Again, the
ONLY information we require is totally non-identifiable- your ZIP,
whether you’re male or female, your age range, and how you connect
to the internet.  This allows us, like most companies that ask it
(even free email services ask this) to better determine the
demographics of our users.

Thank you for taking the time to read this and I hope you will
consider posting a reply.  Please contact me should you wish to
edit parts of this email for posting.

Sincerely,

Jay Hoffman
Manager, WeatherBug Customer Support


A reply by Shinohara (January 2005): Wetaherbug indeed: it's a Bug!

---------------------------------
More smoke and FUD (fear, uncertainity and doubt) from Weatherbug. They have stooped so low, they have to drag Bush and Co's "war on terrorism" into the discussion, have the audacity to talk about "possible" bio attacks and mention some "conspiracy nut-sounding letters by some writer" that I HAD NOTHING to do with and that are NOT relevant for my article at ALL.

My article was written during September 2004 on a version of WeatherBug newly downloaded in September 2004 and installed immediately thereafter. The exercise was to perform a typical installation of Weatherbug (NOT a custom installation), dissect it and see what exactly Weatherbug does once it lands onto an ordinary PC. Nothing more and nothing less. Install EVERYTHING -> do not refuse anything -> observe -> comment.

Funny how their only suggestion to ALL my points is to perform a custom installation and turn off all the "free offers". It is eyeopening how they fail to discuss the real issues - why they keep data on all searched webaddresses, why the data is collected and how and why it is shared with other third companies. Instead they post a long paragraph about some imaginary bioterrorism scares and about changes of the Weatherbug parent companies' names. Who are AWS and AWS WeatherNet and how they are associated with Weatherbug is irrelevant. What is relevant is what the software called Weatherbug does.

Software obviously changes and newer versions will be different from older ones. My article talked about a September 2004 version, NOT about a pre-May 2004 version. I certainly do not intend to rewrite the same text over and over again every time a new version appears, so the text may well stay as it is.

The only reason Spybot and other spyware software do NOT list WeatherBug anymore today is because they probably had some long, "civilized" discussions with them and persuated Spybot and others to cancel them from their lists of possible Adware/Spyware. So what? Dropping WeatherBug from different spyware and adware removal utilities' lists doesn't change how the WeatherBug software itself behaves.

The review was based on a simple every day installation as done by an ordinary every day average computer user. I have had extensive contact and have deep knowledge of "ordinary users" operation patterns and thoughts, since my job is computer support tech. The average computer user doesn't know even how to choose the custom installation. Therefore most of the claims made by weatherbug fail to address the point I made. Moreover I speak out of experience. I have personally seen plenty of PCs where WeatherBug was installed and where people asked me how, please, to uninstall it. Weatherbug has joined the long list of companies like RealPlayer, that produce software that the support stuff later has to keep on removing from PCs, on users' request, over and over and over.

As a final thought, I actually thank Weatherbug: they are one of the companies that keep me employed. I still get a lot of phone calls from people who want WeatherBug uninstalled from their PC! Seems there are plenty of computer users, besides me, who finds this application troublesome and annoying.
------------------------------------------

(c) shinohara 2005



Back to malware


(c) III Millennium: [fravia+], all rights reserved