FthrJACK

twisted humor.com infect you with TROJANS!!

24 posts in this topic

Righto... for the past few weeks I've been thinking this, and finally Chris and I found out the answer last night...

I'd recommend to anyone who has visited and downloaded from twistedhumor.com: go to C:\WINDOWS and look for files called wnad.exe and wnad.dat.

There may be other components too (obviously it's in the registry too).

This is a TROJAN. Luckily I blocked its access to the net, but on a few occasions my firewall's been down; it would explain why my Ctrl-Alt-Del window is messed up and a few other things. Now I have to format again, as there's enough damage done to warrant it.

This is the same trojan that Chris has had and how his PC was broken into before. Norton will not repair the file and can't wipe it; you might be able to shut it off in the Ctrl-Alt-Del > Services menu, or boot in safe mode and kill it. Norton hasn't found it on my PC in any scans... it wasn't till Chris asked me about it and I opened the WINDOWS directory that Norton went off when I highlighted the file. Until that point it didn't make a peep. Got updates today and we both found this file... anyone else??

BE WARNED

We are not responsible if you have problems with removing this or for any effects caused by attempting it. DO SO AT YOUR OWN RISK!!


Yes, I could never figure it out, but tonight I updated Norton and as soon as that happened it caught the damn thing. How to remove: reboot into safe mode, go to the directory and delete both the .exe file and the .dat file. After I did that I re-ran Norton and The Cleaner. Everything is OK now. If you know someone that has XP and any tweaked version, tell them ASAP... This is a back door trojan.

-Chris


I used the Eval CD and upgraded it to the Corp CD using the Devils Own kit, and I don't have wnad.exe or .dat on my system. Unless the system really hides it, I couldn't find it.

Ben


No, not everyone will have this, but I expect a lot of people do!


True, but we need to try and determine if this virus is in just the premade ISO, the upgrade kit, or something else, if possible. Especially since we all know how many people wanted and eagerly downloaded this copy of XP.

Ben


Yeah, working on it, but I think it came with the ISO, although not all devils0wn ISOs may have it... Anyone just done a clean install of devil0wn? Any help and info from you all would be great; let's try to nail this down.


I was asking in a channel on IRC amongst friends about this. Most of them don't have it. However, I am sure they didn't get the original ISO either. Most used the kits or got repacks that were offered as devilsown's Corp CD. Anyone else find it?

Ben


I've been running a clean install of devilsown since the second week after it was RTM, with Norton Antivirus 2002 and Tiny Personal Firewall. I don't have either one of those on my system, and haven't gotten any trojans or viruses.

I update NAV regularly and ran The Cleaner after XPerties' recent problems, and nothing was found by either program.

I think you guys are just sharing files with the wrong people. Might also explain the [cheaters] file some of you are finding on your system. If you're getting a virus or trojan, then it's modified ISO images or something.

I DON'T think this is a devils0wn issue, unless somebody hacked your copy before you downloaded it.

Size of my ISO: 512,342,016 (yours should be the same?)

Size on disk: 512,344,064 (maybe different?)


Another option would be to run a CRC against the original ISO you have. It will not match the known key for the MS Corp CD.

Ben


By default Windows XP doesn't set a password for users created during setup and puts them all in the Administrators group. Unless you've set a good password and/or removed them from the Administrators group, then you're asking for trouble.

Any dumb script kiddie can scan your system for usernames, open shares, Remote Desktop service, etc. If you don't set a password and leave these users in the Administrators group, then they can easily copy whatever they want to your system.

By default all the hard drives have a secret share of C$, D$, etc., in addition to IPC$. I've disabled mine (registry edit in my Tweaks thread sticky post).

If you don't believe me:

Right click "My Computer" -> Manage -> Shared Folders -> Shares.


I too have wnad.exe, and have studied it, and have one single question to ask:

Did the people who have this visit ht*p://www.twistedhumor.com and check out the 'Yo Mama Osama' game that's been posted there, and linked to by some major sites? I did, and I think that's where this came from. Here's why:

I've gone through the binary, and after only looking at it for about 5 minutes, I've discovered some things.

1) It appears to *NOT* be a trojan, despite what Norton says, but simply a program that launches popups, at an interval depending on how much you're transferring. At least that's what it APPEARS to do. I'm not an expert that works at SARC, but I am a programmer :)

2) It appears to pop up an ad from: ht*p://www.twistedhumor.com/cgi-bin/redneck/redneck_show_popup.cgi?test_popup=1&company_name=SwapNutSoftware which appears to simply give a URL for it to connect to.

3) This has the ability to update its software; how, I do not know yet.

4) Other URLs that are hard coded into this binary:

ht*p://www.rankyou.com/wnad/

ht*p://www.srv2cpt.com/ad/

5) The name alone, wnAD, further makes me feel this is simply a VERY god-awful and intrusive way of advertising.

I visited that site, and killed Osama, and now, examining it, I truly believe that is where this originated.

Ah, I think it checks for updates from ht*p://www.rankyou.com/wnad/wnad.php and if there's a newer version, it uses ht*p://www.rankyou.com/wnad/wnad-update.exe. There is a wnad.exe there as well, but no wnad-update yet.

Someone want to compare these results? Like I said, I don't work for SARC :rolleyes:

I will post more when I find out more....

--

XxMaNsOnX

Do not post active links on the forums.... Edited by Mod


My God, I think you figured it out.

I have been to this website and I'm pretty sure that FthrJACK was too. I'm positive that my girlfriend's father also went to this site (he also found it on his system)... So now I feel that something should be done about this. This, if in fact it turns out to be true, is an invasion of our privacy.

One major question: why would Norton pick up on it, but your statement leans towards it not being a virus? Your education expressed here is greatly appreciated... I'll be waiting to see what else you come up with.

-Chris

PS. I wonder if it's some sort of terrorist attack?! :mad:


Okay, sorry about the links, I don't post here much. In fact, my first time.

Here's a simple way to just get rid of it:

First, turn off Norton, as it won't let you run it. Then run wnad.exe /quit

Then you'll be allowed to delete it and whatnot, then remove it from running in the registry. It's stored at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and just delete the WNAD key.

That's all it does to the registry, again, that I know of.

Other options that wnad will take (for those interested):

/log=on

/log=off

/use

/install

/quit

It also will not show any popups for 72 hours after it's been installed, I guess to prevent you from realizing how you got it.

I really don't think it's a trojan in any way. So I just want to make sure: if you have it, did you check out twistedhumor? If not, then I don't know.

Just remember that it autoupdates itself, so this could all change.

If it is in fact originating from that game (which I felt cautious trying anyway; I dislike ActiveX, and now I remember why :)) then twistedhumour is twisted indeed. Doubtful it's a terrorist attack though, unless of course you consider evil money-grubbing corporations terrorists :rolleyes:

AHA! PROOF!

Okay. Definite proof now. I just tried to reinstall the game to see if this was the cause. Sure enough, before installing it, I read the EULA. This is what it says:

The Osama Software includes added software and technology which allows Lions Pride Enterprises, Inc. to provide advertising content.

And:

TWISTEDHUMOR.COM DOES NOT WARRANT THAT THE OSAMA SOFTWARE, THE TWISTEDHUMOR.COM SERVERS, OR E-MAIL SENT FROM TWISTEDHUMOR.COM ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

So there we have it. Then after accepting the EULA, sure enough, Norton popped up with its warning. Now, the EULA says they aren't responsible, but I'm sure the law says another; class action anybody? I'll leave that to the lawyers :cool:

--

XxMaNsOnX
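A report-only check for the indicators this post and the first post describe (the two files in the Windows directory, the WNAD value under the HKLM Run key, and the running process), added here as an example and not the poster's own tool. It assumes PowerShell on the affected machine; the file names and the WNAD value name come from the thread, and $env:SystemRoot covers the WINNT vs WINDOWS difference mentioned later in the thread.

```powershell
# Added example (not the poster's tool): report-only check for the wnad
# indicators described in this thread. File names and the WNAD Run value
# come from the posts; $env:SystemRoot handles WINNT vs WINDOWS. Nothing
# here deletes anything, so it is safe to run before deciding on cleanup.
$windir   = $env:SystemRoot
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspects = @('wnad.exe', 'wnad.dat')
$findings = @()

# 1. Dropped files in the Windows directory
foreach ($name in $suspects) {
    $path = Join-Path $windir $name
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path
            Detail = "size=$($f.Length) modified=$($f.LastWriteTime)"
        }
    }
}

# 2. Persistence: any Run value named WNAD, or any value whose command
#    line mentions wnad (catches a renamed entry that still points at it).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
        if ($p.Name -eq 'WNAD' -or "$($p.Value)" -match 'wnad') {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$runKey\$($p.Name)"; Detail = $p.Value
            }
        }
    }
}

# 3. Live process (the thread notes it has to be stopped before the file
#    can be deleted, so knowing it is running matters for cleanup)
Get-Process -Name wnad -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No wnad indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key and the process path are readable; the file sizes and timestamps it prints are what you would compare across machines to confirm everyone has the same build.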


Well, with your information I've contacted Twisted Humor's web servers and notified them of what was going on. They're going to (supposedly) take care of it... lol... Ya right. Your help was highly appreciated!

-Chris


Yes... before I read your posts (forum has been dead, too busy I think) I'd traced it back to them via netstat and ARIN... so we've rung up the ISP and tried to get hold of them too, but all their phones are dead.

Did you check wnad.dat? I didn't get round to hex editing it, so I haven't found exactly what it does... but you obviously beat me to it. Nice work mate, and about time you posted LOL

welcome to the forums :beer


Are they in the US? If so, then thank god for the super broad DMCA...


Registrant:

TwistedHumor.com (TWISTEDHUMOR-DOM)

7770 regents Road Suite 113-413

San Diego, CA 92122

US

Domain Name: TWISTEDHUMOR.COM

Administrative Contact:

Coats, M (MCP429) ads@TWISTEDHUMOR.COM

Lions Pride Enterprises, Inc.

7770 Regents Rd #113-413

San Diego , CA 92122

858-271-8650 (FAX) 858-566-3911

Technical Contact:

Kukuruzovic, Vladimir (KV338-ORG) noc@TWISTEDHUMOR.COM

Twistedhumor

Lions Pride Enterprises, Inc.

7770 Regents Rd #113-413

San Diego, CA 92122

USA

858-271-8650

Fax- 858-566-3911

Billing Contact:

Coats, M (MC20525) questions@TWISTEDHUMOR.COM

Lions Pride Enterpises, Inc.

7770 regents Road Suite 113-413

San Diego, CA 92122

619-458-3695 (FAX) 619-458-3695

Record last updated on 03-Jul-2001.

Record expires on 30-Jun-2003.

Record created on 30-Jun-1999.

Database last updated on 25-Oct-2001 11:27:00 EDT.

Domain servers in listed order:

SERVER8.TWISTEDHUMOR.COM 64.37.103.98

SERVER9.TWISTEDHUMOR.COM 64.37.114.66

ISP is ht*p://www.cybercon.com


Anyone who has found this on their PC may send a complaint to the manager at cybercon... E-mail your complaint and what you found to dave@cybercon.com. Make sure you explain we the people of the internet won't stand for this!

-Chris:D


www.rankyou.com

www.srv2cpt.com

and twisted humor all have the same ISP,

and are in the same city. Hmmm...


OK, no response by cybercon to stop this spreading, so I emailed this today. If nothing is done after this I'll get in touch with a few places such as Symantec and see what they say should be done, and report it to the authorities. Here's what I emailed dave@cybercon.com:

Dear sir,

I'm writing to you after being infected with a Trojan horse program and key logging programs contained in a file I downloaded from twistedhumor.com, hosted on your web servers.

I find it disgusting that these people are taking advantage of people's feelings after the atrocities on September the 11th, in order to infect people with a stealth Trojan and then extract personal information of all kinds from them and submit them to endless pop-up advertisements.

As the creators of this site and the Trojan horse file will not stop their illegal activities, I would like to formally request that this site be closed down immediately (subject to your legal obligation) in order to prevent the spread of this virus and to stop the perpetrators collecting any more personal information on any of its victims.

The site is being monitored and a group of victims is currently spreading the word of this site and the security risk involved. We feel let down by the fact that to date the site is still operational and that no action seems to have been taken by cybercon.com in order to stop this activity. We feel that if Microsoft were to contact you over a warez site or a site offering serial keys etc. you would not fail in your legal obligation to shut the site down immediately.

Please can you ensure that action is taken.


And still no action... SO... I emailed them again, of course! :)

Sure:

The file is called wnad.exe.

It sits in your PC (on Win2k it's found in WINNT, on XP it's WINDOWS)

and waits 72 hours, presumably so that you don't know where you got the infection. Scanning the PC with a Trojan scanner turned up keyloggers on a few machines; presumably the intention is that you play the game, then donate money to the Red Cross, using of course your credit card, and this information is then sent back at some point. This keylogger issue isn't something I'm certain of; however, I AM certain that this Trojan is designed to be as difficult as possible to delete. Even Norton couldn't wipe it; it took safe mode on one PC of a friend's to kill it off. I have found that at the command line if you type

C:\WINDOWS\wnad.exe /quit

you can normally then wipe the file off, as well as its companion wnad.dat.

After 72 hours the program also starts making pop-up advertisements appear on your machine, infuriatingly often.

After receiving complaints about twistedhumor.com from people in America and the UK, both by email and telephone (I called your company and got an unhelpful response; a friend in PA spoke to yourself), I would have thought this site would be closed by now, especially with the opportunistic way this is exploiting the feelings of people since September 11th.

I wonder how many people are now infected and are not at a PC user level where they have the ability to track down and remove this piece of evil? I know of a few; I have removed the files from their machines myself. How many are still infected? How many possibly had credit card information stolen due to cybercon.com's lack of response to date? Please remove this site!!

As I stated before, if Microsoft or another large company emailed yourselves complaining, the site would be closed within the hour. Do the 50 or so people on our group who we have found so far have to report this to the FBI, the Red Cross, Symantec, McAfee, and any internet governing body you may have in the USA before cybercon takes action and stops supporting the blatant illegal activity of this site? I hope not. It is a shame that so far nothing has been done other than promises of action over the phone or via email, and yet no action taken.

Please respond to this issue ASAP.

And you can find dave at:

Dave Tscharner

SMC Team Leader

h*tp://www.cybercon.com

h*tp://www.bestnet.net

email: dave@cybercon.com

ph: 314.621.9991

fax: 314.241.1777

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

C y b e r c o n, I n c. (cybercon.com)

A Hyson International Company (hyson.com)

World-Class Internet Hosting Center

210 North Tucker Boulevard, 7th Floor

Saint Louis, Missouri 63101-1978

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Now they've gone and done it...

I posted this today:

Dear sir/madam,

After repeated contact with staff and management at your company, and repeated stalling and excuses, I would like to inform you that unless action against twistedhumor.com is taken in the next 7 working days I will be seeking legal advice regarding cybercon.com and twistedhumor.com for the distribution of malicious code

(see: viri, trojan horse program, remote access tools etc.)

contrary to American law and internet codes of practice.

Please do not ignore this letter.


Why don't we just DDOS them with twisted humor of our own? Truth is, they could care less and the ISP will get no more than a slap on the wrist at best.

Rick:mad:


> Why don't we just DDOS them with twisted humor of our own?

EH? Um... we could attack them though, I suppose, but then, you betcha they will do all they can to trace us and sue our asses!

