Your generous donations help keep this site online! Click here to support cexx.org.
 
Advertising Spyware: WNAD.EXE (WinAd Client)

Infection Method
This parasite is installed by downloads from the Twisted Humor website (twistedhumor.com). These executable downloads include games and animations with a .exe extension. The software is also installed with some versions of the now-defunct SwapNut file-sharing software. Finally, there are unconfirmed reports that the parasite is installed by the Viewpoint Media Player. On our test installation, however, we found no evidence of the parasite in the Viewpoint player.
 
Lions' Pride Enterprises is the parent company of TwistedHumor and Rankyou.com, the two parties responsible for the operation of the parasite. Lions' Pride's child companies also produce, of all things, commercial popup-blocking software and have announced a parasite removal software product. I wonder if it will remove WNAD.EXE?

Removal Procedure
WNAD.EXE can be removed by first terminating the program using the Close Program (Ctrl-Alt-Del) dialogue, then deleting the WNAD.EXE and WNAD.DAT files. It is also advised, although not necessary, to delete the program's Registry key in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run, or (if using Win98 or higher) use MSCONFIG to remove the entry. If you receive an "in use" error deleting any files, the program is still running--you may have to kill it several times in the Close Program dialogue.

Optionally, you may also wish to remove the software's settings from the Registry; they are located at HKEY_LOCAL_MACHINE/Software/Wnad .

More Information

Rankyou.com is an online advertising company heavily promoting a hostile advertising technology called "Eyegrab". According to the Web site:

"...EyeGrab allows the advertiser to combine both of these marketing cornerstones [branding and ad-consumer interaction] into the ultimate advertising weapon. Burn your brand's image into the minds of the consumers as you collect personal information, gauge preferences, and make a customer for life. "
"Eyegrab" includes such things as enormous scripted Flash ads that attach to the current browser window, covering the Web page, and won't go away until clicked on [Sample]. "BrowserGrab" may be a more appropriate name for this ad scheme. Rankyou also boasts the ability for companies to "purchase a targeted consumer" and his/her personal information.
 

The wnad.exe software takes over the Web browser to display annoying pop-up ads on a timer. While TwistedHumor has previously claimed that the purpose of the software is to raise money for the American Red Cross, the suspicious activities associated with the software tend to cast distrust on these claims.
 
Rankyou.com / Lions' Pride Enterprises also harvests email addresses from Web sites to send spam advertising its services. This message was recently received at a cexx.org address. (They apparently are not familiar with us...yet :)

[Update 11/9/02: Someone over there is now familiar with us. My inbox begins to overflow with various spamhaus signups addressed to "Big Dork" (Sample) courtesy of...wait for it...Rankyou.com. How mature. Luckily, this makes them very easy to filter out.]
 
[Update 12/28/02: It appears we can also add Verisign certificate forgery to Lions Pride's various offenses.]

Software Behaviour
Upon installing a TwistedHumor download, the installer writes the following other files in addition to the game/animation program:

It then adds a registry key in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run so that wnad.exe is executed every time the computer is started. The software creates and transmits a GUID.

Upon successful install, wnad.exe initiates a connection to www.twistedhumor1.com that appears to be a sort of "registration" for the program via SSL:
https://www.twistedhumor1.com/addorder.asp?a=0.02&c=1033145308-548335&b=confirm

The server appears to be misconfigured and returning an error-message in response to this registration request, regardless of the client key.
 
As directed by its controlling servers, the software may enter a 'sleep mode' for at least ten days after its initial installation. During this sleep mode, it will 'lay low' by not displaying ads.

During normal operation, the program will contact Web sites including, but not limited to, the following for the purpose of downloading advertising for display, and for obtaining configuration/display instructions:
www.rankyou.com
www.twistedhumor.com
www.srv2cpt.com

The wnad.exe program is coded to detect Web browsers installed on your system, most likely to coordinate the opening of new popups with Web browser activity. The version we examined looks for iexplore.exe (Internet Explorer), netscape.exe (Netscape Navigator), and AOL.exe (AOL browser/software). The path to each program is taken from the Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

The program may also attempt to alter the Registry's "Open" command for the browser so that it loads a page of advertising when opened.
 
 

Up (Adware)
HomeE-mailCopyrights and Disclaimers

 



"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)