Infection Method
This parasite is installed by downloads from the Twisted Humor website (twistedhumor.com). These executable downloads include games and animations with a .exe extension. The software is also installed with some versions of the now-defunct SwapNut file-sharing software. Finally, there are unconfirmed reports that the parasite is installed by the Viewpoint Media Player. On our test installation, however, we found no evidence of the parasite in the Viewpoint player.
Lions' Pride Enterprises is the parent company of TwistedHumor and Rankyou.com, the two parties responsible for the operation of the parasite. Lions' Pride's child companies also produce, of all things, commercial popup-blocking software and have announced a parasite removal software product. I wonder if it will remove WNAD.EXE?
Removal Procedure
WNAD.EXE can be removed by first terminating the program using the Close Program (Ctrl-Alt-Del) dialogue, then deleting the WNAD.EXE and WNAD.DAT files. It is also advised, although not necessary, to delete the program's Registry entry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or (if using Win98 or higher) use MSCONFIG to remove the entry. If you receive an "in use" error deleting any files, the program is still running--you may have to kill it several times in the Close Program dialogue.
Optionally, you may also wish to remove the software's settings from the Registry; they are located at HKEY_LOCAL_MACHINE\Software\Wnad.
More Information
Rankyou.com is an online advertising company heavily promoting a hostile advertising technology called "Eyegrab". According to the Web site:
"...EyeGrab allows the advertiser to combine both of these marketing cornerstones [branding and ad-consumer interaction] into the ultimate advertising weapon. Burn your brand's image into the minds of the consumers as you collect personal information, gauge preferences, and make a customer for life."
"Eyegrab" includes such things as enormous scripted Flash ads that attach to the current browser window, covering the Web page, and won't go away until clicked on.
The wnad.exe software takes over the Web browser to display annoying pop-up ads on a timer. While TwistedHumor has previously claimed that the purpose of the software is to raise money for the American Red Cross, the suspicious activities associated with the software tend to cast distrust on these claims.
Rankyou.com / Lions' Pride Enterprises also harvests email addresses from Web sites to send spam advertising its services. This message was recently received at a cexx.org address. (They apparently are not familiar with us...yet :)
[Update 11/9/02: Someone over there is now familiar with us. My inbox begins to overflow with various spamhaus signups addressed to "Big Dork" (Sample) courtesy of...wait for it...Rankyou.com. How mature. Luckily, this makes them very easy to filter out.]
[Update 12/28/02: It appears we can also add Verisign certificate forgery to Lions' Pride's various offenses.]
Software Behaviour
Upon installing a TwistedHumor download, the installer writes the following other files in addition to the game/animation program:
Upon successful install, wnad.exe initiates a connection to www.twistedhumor1.com that appears to be a sort of "registration" for the program via SSL:
https://www.twistedhumor1.com/addorder.asp?a=0.02&c=1033145308-548335&b=confirm
The server appears to be misconfigured and returns an error message in response to this registration request, regardless of the client key.
As directed by its controlling servers, the software may enter a 'sleep mode' for at least ten days after its initial installation. During this sleep mode, it will 'lay low' by not displaying ads.
During normal operation, the program will contact Web sites including, but not limited to, the following for the purpose of downloading advertising for display, and for obtaining configuration/display instructions:
www.rankyou.com
www.twistedhumor.com
www.srv2cpt.com
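The ad/configuration hosts above (plus the www.twistedhumor1.com "registration" host) are the most practical network indicator of an installed copy. The following script is an added example, not code from the original write-up: it scans proxy log lines for requests whose destination host exactly matches one of those names and reports which client machines reached them. The hostnames come from the write-up; the Squid-style log layout and the sample log lines are constructed for this example.

```python
"""Detect WNAD.EXE ad/config server traffic in proxy logs.

Added example: the hostnames come from the write-up; the log lines and
the Squid-style field layout are constructed for this example.
"""
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Servers the write-up names as ad/configuration sources, plus the
# "registration" host contacted right after installation.
WNAD_HOSTS = {
    "www.rankyou.com",
    "www.twistedhumor.com",
    "www.srv2cpt.com",
    "www.twistedhumor1.com",
}

# Constructed sample lines in Squid native access.log layout:
# timestamp elapsed client action/code bytes method url ident hierarchy type
SAMPLE_LOG = """\
1033145308.123    412 10.0.0.7 TCP_MISS/200 1843 GET http://www.rankyou.com/ad.asp?id=123 - DIRECT/192.0.2.10 text/html
1033145309.456    230 10.0.0.7 TCP_MISS/200 9921 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1033145310.789    120 10.0.0.9 TCP_MISS/200 455 CONNECT www.twistedhumor1.com:443 - DIRECT/192.0.2.30 -
1033145311.000    100 10.0.0.7 TCP_MISS/200 300 GET http://www.SRV2CPT.com/config.txt - DIRECT/192.0.2.10 text/plain
1033145312.000     90 10.0.0.9 TCP_MISS/200 700 GET http://rankyou.com.example.org/ - DIRECT/192.0.2.40 text/html
"""


def destination_host(url_field: str) -> Optional[str]:
    """Return the lower-cased destination host of a logged request."""
    if "://" in url_field:
        # urlsplit().hostname is already lower-cased and has the port stripped.
        return urlsplit(url_field).hostname
    # CONNECT requests (the SSL "registration") log "host:port" with no scheme.
    host = url_field.partition(":")[0].lower()
    return host or None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access.log line into the fields the detection needs."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "time": fields[0],
        "client": fields[2],
        "method": fields[5],
        "url": fields[6],
        "host": destination_host(fields[6]) or "",
    }


def find_wnad_traffic(log_text: str) -> List[Dict[str, str]]:
    """Return records whose destination host exactly matches a WNAD server.

    Exact host matching avoids flagging look-alike names such as
    rankyou.com.example.org, which a substring match would catch.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in WNAD_HOSTS:
            hits.append(rec)
    return hits


def clients_by_host(log_text: str) -> Dict[str, List[str]]:
    """Map each client address to the sorted list of WNAD hosts it reached."""
    seen: Dict[str, Set[str]] = {}
    for rec in find_wnad_traffic(log_text):
        seen.setdefault(rec["client"], set()).add(rec["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    for client, hosts in clients_by_host(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(hosts)}")
```

Run against the constructed sample, 10.0.0.7 is reported for www.rankyou.com and www.srv2cpt.com, and 10.0.0.9 for the SSL CONNECT to www.twistedhumor1.com; the look-alike rankyou.com.example.org line is ignored. Because the program may sleep for ten days before showing ads, the registration host is the indicator most likely to appear early.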
The wnad.exe program is coded to detect Web browsers installed on your system, most likely to coordinate the opening of new popups with Web browser activity. The version we examined looks for iexplore.exe (Internet Explorer), netscape.exe (Netscape Navigator), and AOL.exe (AOL browser/software). The path to each program is taken from the Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\.
The program may also attempt to alter the Registry's "Open" command for the browser so that it loads a page of advertising when opened.
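The Registry traces described in the Removal Procedure (the Run entry and the HKEY_LOCAL_MACHINE\Software\Wnad settings key) and the altered browser "Open" command just mentioned can be checked offline from a regedit text export. The script below is an added example and not code from the original write-up: it parses a .reg export and reports each of those three indicators. The Run key and the Wnad settings key are taken from the write-up; the Run value name "wnad", the HKEY_CLASSES_ROOT\htmlfile\shell\open\command location for the browser "Open" command and all of the sample export data are assumptions constructed for this example.

```python
"""Check a registry export for the WNAD.EXE traces the write-up describes.

Added example: it reads a .reg text export (regedit's export format) rather
than the live registry, so it runs anywhere. The Run key and the
HKEY_LOCAL_MACHINE\\Software\\Wnad settings key come from the write-up; the
value name "wnad", the htmlfile\\shell\\open\\command location and all the
sample data are assumptions constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches  "name"=data  or  @=data  (the @ form is the key's default value).
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\Software\Wnad"
# Assumed location of the browser "Open" command; the write-up does not name it.
OPEN_COMMAND_KEYS = [r"HKEY_CLASSES_ROOT\htmlfile\shell\open\command"]

# Constructed export of an affected machine.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"wnad"="C:\\WINDOWS\\WNAD.EXE"

[HKEY_LOCAL_MACHINE\Software\Wnad]
"sleep"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome http://www.rankyou.com/ad.asp"
"""

# Constructed export of a clean machine, for comparison.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
"""


def _unescape(text: str) -> str:
    # In .reg files a backslash escapes the character that follows it.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-cased): {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # key names are case-insensitive
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # string value; dword:/hex: data kept verbatim
        keys[current][name] = data
    return keys


def lookup(keys: Dict[str, Dict[str, str]], path: str) -> Optional[Dict[str, str]]:
    """Case-insensitive key lookup; None when the key is absent from the export."""
    return keys.get(path.lower())


Finding = Tuple[str, str, str]  # (indicator, where, data)


def wnad_indicators(text: str) -> List[Finding]:
    """Return the WNAD.EXE indicators present in a .reg export."""
    keys = parse_reg_export(text)
    findings: List[Finding] = []
    # 1. Autostart entry under Run referencing WNAD.EXE, whatever the value name.
    for name, data in (lookup(keys, RUN_KEY) or {}).items():
        if "wnad.exe" in data.lower():
            findings.append(("run_entry", name, data))
    # 2. The program's own settings key.
    if lookup(keys, SETTINGS_KEY) is not None:
        findings.append(("settings_key", SETTINGS_KEY, ""))
    # 3. A browser "Open" command that has grown a URL argument.
    for key in OPEN_COMMAND_KEYS:
        command = (lookup(keys, key) or {}).get("@", "")
        if re.search(r"https?://", command, re.IGNORECASE):
            findings.append(("open_command_url", key, command))
    return findings


if __name__ == "__main__":
    for indicator, where, data in wnad_indicators(INFECTED_REG):
        print(f"{indicator}: {where} {data}".rstrip())
```

On the constructed infected export this reports the Run value pointing at C:\WINDOWS\WNAD.EXE, the presence of HKEY_LOCAL_MACHINE\Software\Wnad, and an "Open" command whose arguments end in a URL; the clean export produces no findings. Matching the Run data rather than a fixed value name means the check still works if the installer names the value differently.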