It might not be a new instant messaging worm, but the "Osama Found" application is making its way through America Online's IM network using mechanisms eerily similar to those of a host of dangerous viruses.
The program, which appeared yesterday, spreads as what looks like a recommendation from an AIM user, urging that user's contacts to visit a Web page and download a video game.
That Web page resembles a news site, displaying "WGU News Player," and featuring headlines including "Saddam Escapes" and a page title that reads "Osama Captured Shortly After Saddam Found." On visiting the site, users are prompted with an Internet Explorer security warning asking them if they wish to install and run the program "News Player Applet."
However, buried in the software's accompanying End User License Agreement (EULA) is a statement that AIM users who download it explicitly give their permission to send marketing messages to their Buddy List contacts. In this way, the program can spread itself by sending links to the Web page -- while seeming to come from a known contact.
"Here is where the problem lies," said Bryson Gordon, senior product manager for McAfee Security's consumer division. "The vast majority of people, when presented with one of the security warnings where they can go in and read an EULA and find more information about what it is they're actually going to be sticking on their system -- they ignore it. Most people are going to simply click 'Yes.' But by doing that, the application is going to be installed on your system. It will then go in and essentially harvest your Buddy List and send copies of itself to people."
The program's EULA indicates that it was designed by Cambridge, Mass.-based PSD Tools LLC. The Terms read, in part, that "...the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or 'buddy' list regarding Content offered by PSD Tools or its suppliers."
PSD Tools did not respond to inquiries by press time.
The application's EULA also indicates that "Osama Found" uses the company's BuddyLinks technology to spread itself and partners' marketing messages via IM. (On its site, PSD Tools writes that BuddyLinks "provides a revolutionary new way for instant messenger users to instantaneously share entertaining content with their entire IM 'buddy list' network all at one time.")
But critics charge that EULAs, which are typically pages long and contain extensive legal language, can often be used to obscure programs' actual effects from consumers.
"The install program for the BuddyLinks software really should explain how it operates," said veteran computer privacy expert Richard Smith. "A user shouldn't have to be a lawyer and read a license agreement to see what they are buying into."
Yet the WGU News Web page provides little indication that users are downloading anything other than a game or a media player. Tiny type on the page reads, "This download is BuddyLinks-enabled -- links to this game will be automatically shared with your IM buddies. Note: This is not an actual news story. This is the prologue to a Flash video game." However, users are likely to have to scroll down to read the notice -- which is impossible while the IE security prompt is open. Notices also appear in the application's Terms of Service, and on PSD Tools' affiliated BuddyLinks.net site, revealing that the Osama program is adware.
"Our game has grown so fast that we have received some emails and phone calls asking about the nature of our [F]lash games," the BuddyLinks.net site reads. "Our games interact with instant messengers by promoting the game among the user's network of buddies. Please understand, our [F]lash games are in no way a virus. We simply combine peer-to-peer, social networking, and instant messaging into one spectacular technology."
Not surprisingly, AOL is not as admiring of the technology.
"This is probably a violation of our AIM Terms of Service, which prohibit spam or using an account to spam," said AOL spokesman Andrew Weinstein. "We're investigating legal steps that we might take. We're obviously working to protect our users from this adware."
"It's definitely an inconvenience, and a really slimy piece of adware," he added. "It's obviously intrusive, annoying and potentially dangerous -- it's difficult to know what can be installed through the application."
Weinstein added that America Online is looking into ways to block the application's activity -- but is hampered by the fact that AOL has little direct control over the program's spread.
"We can't block people's access to that Web site, and we don't monitor traffic between users," he said. "We don't monitor what the content of messages from one user to another are, so there are some technical challenges. We can't intervene in that stage of the process."
Fortunately, the program can be easily uninstalled through Windows, if users remove an application titled "buddylinks.net Messaging Integration." Consumer and enterprise anti-virus programs, such as those marketed by McAfee and its competitors, also provide for notifications about and the removal of such programs.
AOL's AIM.com site also will host information on disabling the program. Weinstein also said AOL warns its users to "be very cautious about installing or downloading any programs without knowing the source and what it's going to do."
While AIM, as well as the IM networks operated by Microsoft and Yahoo!, has occasionally fallen victim to viruses and worms within the past year, the "Osama Found" program's use of similar techniques for purely marketing purposes makes it a novelty.
"I think there have been a couple of smaller worms out there ... but those are more security holes," Weinstein said. "This is a piece of adware -- a user consents to download it -- but it's just very unclear that a user will know what it will do when they download it."
Similar complaints have been lodged against pop-up advertising programs, such as those created by Gator.com (now Claria) and WhenU.com. Both have landed in legal trouble because critics charged consumers who downloaded the applications were unaware they were actually agreeing to receive marketing messages.
"We do not see these things very often," added Gordon. "I saw one ... probably two years ago, but I also know that the IM companies themselves ... have taken steps to help protect their users from spam and various other threats like this."
In addition to illustrating the need for IM users to be vigilant about the files or links they accept from friends, the incident could also serve as an indicator for businesses to invest in enterprise-grade IM solutions. For instance, a number of IM gateways on the market could be configured to block the "Osama Found" message from spreading within the workplace.
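To make the gateway idea concrete, here is an added example (not code from the article, AOL, Akonix or PSD Tools) of the two checks such a gateway would run on IM traffic: a signature check for indicators the article names (the buddylinks.net domain and the lure page's wording) and a behavioural check for the spreading pattern it describes, one account pushing the same link to many buddies in a short window. The article does not give the link address the program sends, so the sample messages use a hypothetical URL, and the sender names, thresholds and message format are all assumptions.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlparse

# Indicators drawn from the article: the BuddyLinks domain the EULA names and
# the lure page's branding. The spam message's real link address is not given
# in the article, so the constructed samples below use a hypothetical one.
BLOCKED_DOMAINS = {"buddylinks.net"}
LURE_PHRASES = (
    "wgu news",
    "osama captured shortly after saddam found",
    "buddylinks-enabled",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_urls(text):
    """Return the URLs in a message, lower-cased for matching."""
    return [u.lower() for u in URL_RE.findall(text)]


def domain_of(url):
    """Host part of a URL with a leading 'www.' stripped."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def content_reasons(text):
    """Signature check: blocked domains or lure phrases in the message body."""
    reasons = []
    lowered = text.lower()
    for url in find_urls(text):
        d = domain_of(url)
        if d in BLOCKED_DOMAINS or any(d.endswith("." + b) for b in BLOCKED_DOMAINS):
            reasons.append(f"blocked-domain:{d}")
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"lure-phrase:{phrase}")
    return reasons


class FanoutDetector:
    """Behavioural check: the same sender pushing the same link to more than
    max_recipients distinct buddies within window_seconds. This catches the
    'harvest the Buddy List and send everyone a link' behaviour even when the
    link itself is not on any block list."""

    def __init__(self, window_seconds=60, max_recipients=4):
        self.window = window_seconds
        self.max_recipients = max_recipients
        self.seen = defaultdict(deque)  # (sender, url) -> deque of (ts, recipient)

    def observe(self, sender, recipient, text, ts):
        reasons = []
        for url in set(find_urls(text)):
            q = self.seen[(sender, url)]
            q.append((ts, recipient))
            while q and ts - q[0][0] > self.window:
                q.popleft()  # drop sends outside the window
            distinct = {r for _, r in q}
            if len(distinct) > self.max_recipients:
                reasons.append(f"fanout:{sender}:{len(distinct)}")
        return reasons


class Gateway:
    """Combines both checks; returns ('allow'|'block', reasons) per message."""

    def __init__(self):
        self.fanout = FanoutDetector()

    def inspect(self, msg):
        reasons = content_reasons(msg["text"])
        reasons += self.fanout.observe(msg["from"], msg["to"], msg["text"], msg["ts"])
        return ("block" if reasons else "allow"), reasons


# Constructed traffic (assumed format): ordinary chat, a harmless link, an
# infected account blasting one hypothetical link to six buddies, and a
# message carrying the article's own indicators.
SAMPLE = [
    {"ts": 0, "from": "alice", "to": "bob", "text": "lunch at 1?"},
    {"ts": 5, "from": "alice", "to": "bob", "text": "see http://www.example.com/menu"},
]
SAMPLE += [
    {"ts": 10 + i, "from": "infected", "to": f"buddy{i}",
     "text": "lol check this out http://news.example.net/wgu"}
    for i in range(6)
]
SAMPLE.append({"ts": 30, "from": "carol", "to": "dave",
               "text": "This download is BuddyLinks-enabled http://buddylinks.net/"})


def run(messages):
    gw = Gateway()
    return [gw.inspect(m) for m in messages]


if __name__ == "__main__":
    for m, (action, why) in zip(SAMPLE, run(SAMPLE)):
        print(f"{action:5} {m['from']}->{m['to']}: {why}")
```

The first four sends of the burst pass, because a handful of people sharing one link is normal; the fifth distinct recipient trips the fan-out rule and every later copy is blocked. The signature check fires independently on the buddylinks.net link and the "BuddyLinks-enabled" wording. Real gateways would also log the verdicts and expire the per-sender state, which is omitted here.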
"The 'Osama Found' adware program is just more evidence of how instant messaging is becoming a critical business communication technology, and a target," said Francis Costello, chief marketing officer at gateway vendor Akonix Systems. "For corporate users of instant messaging, these incidents can have a real cost, disrupting employee productivity, driving IT support costs and impacting customers and business partners."
Christopher Saunders is managing editor of InstantMessagingPlanet.com.