twisted humor.com infect you with TROJANS!!


23 replies to this topic

#1 FthrJACK (Patrons, joined 16-August 01)
Righto.. for the past few weeks I've been thinking this and finally myself and Chris found out the answer last night...
I'd recommend to anyone who has visited and downloaded from twistedhumor.com: go to C:\WINDOWS and look for a file called wnad.exe and wnad.dat.
There may be other components too (obviously it's in the registry too).
This is a TROJAN. Luckily I blocked its access to the net, but on a few occasions my firewall's been down; it would explain why my Ctrl-Alt-Del window is messed up and a few other things. Now I have to format again, as there's enough damage done to warrant it.
This is the same trojan that Chris has had, and how his PC was broken into before. Norton will not repair the file, and can't wipe it; you might be able to shut it off in Ctrl-Alt-Del > Services menu, or boot in safe mode and kill it. Norton hasn't found it on my PC in any scans... it wasn't till Chris asked me about it and I opened the WINDOWS directory that Norton went off when I highlighted the file. Until that point it didn't make a peep. Got updates today and we both found this file... anyone else??

BE WARNED
We are not responsible if you have problems with removing this or for any effects caused by attempting. DO SO AT YOUR OWN RISK!!


#2 XPerties (Patrons, joined 18-August 01)
Yes, I could never figure it out, but tonight I updated Norton and as soon as that happened it caught the damn thing. How to remove: reboot into safe mode, go to the directory and delete both the .exe file and the .dat file. After I did that I re-ran Norton and The Cleaner. Everything is OK now. If you know someone that has XP and any tweaked version, tell them ASAP... This is a back door trojan.


-Chris




#3 Benholio (Member, joined 21-August 01)
I used the Eval CD and upgraded it to the Corp CD using the Devils Own kit, and I don't have wnad.exe or .dat on my system. Unless the system really hides it, I couldn't find it.

Ben

#4 FthrJACK (Patrons, joined 16-August 01)
No, not everyone will have this, but I expect a lot of people do!

#5 Benholio (Member, joined 21-August 01)
True, but we need to try and determine if this virus is in just the premade ISO, the upgrade kit, or something else, if possible. Especially since we all know how many people wanted and eagerly downloaded this copy of XP.

Ben

#6 FthrJACK (Patrons, joined 16-August 01)
Yeah, working on it, but I think it came with the ISO, although not all devils0wn ISOs may have it... anyone just done a clean install of devils0wn? Any help and info from you all would be great; let's try to nail this down.

#7 Benholio (Member, joined 21-August 01)
I was asking in a channel on IRC amongst friends about this. Most of them don't have it. However, I am sure they didn't get the original ISO either. Most used the kits or got repacks that were offered as devils0wn's Corp CD. Anyone else find it?

Ben

#8 Guest_LouCypher_* (Guest)
I've been running a clean install of devils0wn since the second week after it was RTM, with Norton Antivirus 2002 and Tiny Personal Firewall. I don't have either one of those on my system, and haven't gotten any trojans or virii.

I update NAV regularly and ran The Cleaner after XPerties' recent problems, and nothing was found by either program.

I think you guys are just sharing files with the WRONG people. Might also explain the [cheaters] file some of you are finding on your system. If you're getting a virus or trojan then modified ISO images or something.

I DON'T think this is a devils0wn issue, unless somebody hacked your copy before you downloaded it.

Size of my ISO: 512,342,016 (yours SHOULD be the same?)
Size on disk: 512,344,064 (maybe different?)

#9 Benholio (Member, joined 21-August 01)
Another option would be to run a CRC against the original ISO you have. It will not match the known key for the MS Corp CD.

Ben

#10 Guest_LouCypher_* (Guest)
By default Windows XP doesn't set a password for users created during setup and puts them all in the Administrators group. Unless you've set a good password and/or removed them from the Administrators group, you're asking for trouble.

Any dumb script kiddie can scan your system for usernames, open shares, Remote Desktop service, etc. If you don't set a password and leave these users in the Administrators group, then they can easily copy whatever they want to your system.

By default all the hard drives have a secret share of C$, D$, etc., in addition to IPC$. I've disabled mine (registry edit in my Tweaks thread sticky post).

If you don't believe me:

Right click "My Computer" -> Manage -> Shared Folders -> Shares.

#11 XxMaNsOnX (Member, joined 24-August 01)
I too have wnad.exe, and have studied it, and have one single question to ask:
Did the people who have this visit ht*p://www.twistedhumor.com and check out the 'Yo Mama Osama' game that's been posted there, and linked to by some major sites? I did, and I think that's where this came from. Here's why:

I've gone through the binary, and after only looking at it for about 5 minutes, I've discovered some things.

1) It appears to *NOT* be a trojan, despite what Norton says, but simply a program that launches popups, at an interval depending on how much you're transferring. At least that's what it APPEARS to do. I'm not an expert that works at SARC, but I am a programmer :)

2) It appears to pop up an ad from: ht*p://www.twistedhumor.com/cgi-bin/redneck/redneck_show_popup.cgi?test_popup=1&company_name=SwapNutSoftware which appears to simply give a URL for it to connect to.

3) This has the ability to update its software; how, I do not know yet.

4) Other URLs that are hard coded into this binary:
ht*p://www.rankyou.com/wnad/
ht*p://www.srv2cpt.com/ad/

5) The name alone, wnAD, further makes me feel this is simply a VERY god-awful and intrusive way of advertising.

I visited that site, and killed Osama, and now, examining it, I truly believe that is where this originated.

Ah, I think it checks for updates from ht*p://www.rankyou.com/wnad/wnad.php and if there's a newer version, it uses ht*p://www.rankyou.com/wnad/wnad-update.exe. There is a wnad.exe there as well, but no wnad-update yet.

Someone want to compare these results? Like I said, I don't work for SARC :rolleyes:

I will post more when I find out more....

--
XxMaNsOnX




Do not post active links on the forums.... Edited by Mod

#12 XPerties (Patrons, joined 18-August 01)
My God, I think you figured it out.

I have been to this website and I'm pretty sure that FthrJACK was too. I'm positive that my girlfriend's father also went to this site (he also found it on his system)... So now I feel that something should be done about this. This, if in fact it turns out to be true, is an invasion of our privacy.

One major question: why would Norton pick up on it, but your statement leans towards it not being a virus? Your education expressed here is greatly appreciated... I'll be waiting to see what else you come up with.


-Chris


PS. I wonder if it's some sort of terrorist attack?! :mad:




#13 XxMaNsOnX (Member, joined 24-August 01)
Okay, sorry about the links. I don't post here much; in fact, my first time.

Here's a simple way to just get rid of it:
First, turn off Norton, as it won't let you run it. Then, run wnad.exe /quit

Then you'll be allowed to delete it and whatnot, then remove it from running in the registry. It's stored at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and just delete the WNAD key.

That's all it does to the registry, again, that I know of.

Other options that wnad will take (for those interested):
/log=on
/log=off
/use
/install
/quit

It also will not show any popups for 72 hours after it's been installed, I guess to prevent you from realizing how you got it.
I really don't think it's a trojan in any way. So I just want to make sure: if you have it, did you check out twistedhumor? If not, then I don't know.

Just remember that it auto-updates itself, so this could all change.

If it is in fact originating from that game (which I felt cautious trying anyway; I dislike ActiveX, and now I remember why :)) then twistedhumor is twisted indeed. Doubtful it's a terrorist attack though, unless of course you consider evil money-grubbing corporations terrorists :rolleyes:

AHA! PROOF!
Okay. Definite proof now. I just tried to reinstall the game to see if this was the cause. Sure enough, before installing it, I read the EULA. This is what it says:
The Osama Software includes added software and technology which allows Lions Pride Enterprises, Inc. to provide advertising content.

And:
TWISTEDHUMOR.COM DOES NOT WARRANT THAT THE OSAMA SOFTWARE, THE TWISTEDHUMOR.COM SERVERS, OR E-MAIL SENT FROM TWISTEDHUMOR.COM ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

So there we have it. Then, after accepting the EULA, sure enough, Norton popped up with its warning. Now, the EULA says they aren't responsible, but I'm sure the law says otherwise. Class action, anybody? I'll leave that to the lawyers :cool:

--
XxMaNsOnX
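The string-level look at wnad.exe in posts #11 and #13 (hard-coded popup and update URLs, the /quit-style switches, the Run key) is the static triage that turns an unknown file into a firewall blocklist and a removal plan. The script below is an added example for this thread, not code from any of the posters or from the software's authors: it pulls printable ASCII and UTF-16LE runs out of a byte string and sorts them into URLs, hosts, command-line switches and autorun registry paths. SAMPLE_BINARY is constructed here to carry the strings the posts report and is not the real wnad.exe; the regexes, the function names and the "wide string" layout of the sample are this example's own assumptions.

```python
"""Static triage of an unknown binary: pull printable strings (ASCII and
UTF-16LE) and sort them into network indicators, command-line switches and
autorun registry paths. Added example, not code from the thread."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for wnad.exe: PE-looking junk with the strings the
# thread reports (the popup/update URLs, the /quit-style switches, the Run
# key) embedded the way a compiler would leave them. Not the real file.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes([0x00, 0x01, 0x7f, 0x80, 0xfe, 0xff]) * 6
    + b"http://www.twistedhumor.com/cgi-bin/redneck/redneck_show_popup.cgi"
      b"?test_popup=1&company_name=SwapNutSoftware\x00"
    + b"\x05\x06http://www.rankyou.com/wnad/wnad.php\x00"
    + b"http://www.rankyou.com/wnad/wnad-update.exe\x00"
    + b"http://www.srv2cpt.com/ad/\x00\x07"
    # wide (UTF-16LE) strings, as a Win32 build commonly stores them
    + "/install\x00/quit\x00/log=on\x00/log=off\x00/use\x00".encode("utf-16-le")
    + b"\x00\x00SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00WNAD\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
# "/quit", "/log=on": a slash-word that is not part of a path or URL
SWITCH_RE = re.compile(r"(?<![\w/.])/[A-Za-z]{2,16}(?:=[A-Za-z0-9]+)?(?![\w/])")
AUTORUN_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once|Services)?$")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable runs of at least min_len chars, ASCII first, then UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return out


def triage(data: bytes):
    """Classify extracted strings into the indicators a responder acts on."""
    report = {"urls": [], "hosts": [], "switches": [], "autorun_keys": []}
    for s in extract_strings(data):
        for url in URL_RE.findall(s):
            report["urls"].append(url)
            host = urlsplit(url).hostname
            if host and host not in report["hosts"]:
                report["hosts"].append(host)
        # strip URLs first so path components like /wnad/ are not read as switches
        report["switches"] += SWITCH_RE.findall(URL_RE.sub(" ", s))
        if AUTORUN_RE.search(s):
            report["autorun_keys"].append(s)
    return report


if __name__ == "__main__":
    # On a real box: triage(open(r"C:\WINDOWS\wnad.exe", "rb").read())
    for kind, hits in triage(SAMPLE_BINARY).items():
        print(kind)
        for h in hits:
            print("   ", h)
```

The hosts list is what a firewall block needs, the switches are what you try before deleting (post #13's /quit), and the autorun hit says which key to look in. Keep post #13's caveat in mind: the thing updates itself, so strings pulled from one copy need not match the next.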

#14 XPerties (Patrons, joined 18-August 01)
Well, with your information I've contacted Twisted Humor's web servers and notified them of what was going on. They're going to (supposedly) take care of it... lol... Yeah, right. Your help was highly appreciated!


-Chris




#15 FthrJACK (Patrons, joined 16-August 01)
Yes.. before I read your posts (forum has been dead, too busy I think) I'd traced it back to them via netstat and ARIN.... so we've rung up the ISP and tried to get hold of them too, but all their phones are dead.

Did you check wnad.dat? I didn't get round to hex editing it, so I haven't found exactly what it does... but you obviously beat me to it. Nice work mate, and about time you posted LOL

Welcome to the forums :beer

#16 Benholio (Member, joined 21-August 01)
Are they in the US? If so, then thank God for the super-broad DMCA...

#17 FthrJACK (Patrons, joined 16-August 01)
Registrant:
TwistedHumor.com (TWISTEDHUMOR-DOM)
7770 regents Road Suite 113-413
San Diego, CA 92122
US

Domain Name: TWISTEDHUMOR.COM

Administrative Contact:
Coats, M (MCP429) ads@TWISTEDHUMOR.COM
Lions Pride Enterprises, Inc.
7770 Regents Rd #113-413
San Diego , CA 92122
858-271-8650 (FAX) 858-566-3911
Technical Contact:
Kukuruzovic, Vladimir (KV338-ORG) noc@TWISTEDHUMOR.COM
Twistedhumor
Lions Pride Enterprises, Inc.
7770 Regents Rd #113-413
San Diego, CA 92122
USA
858-271-8650
Fax- 858-566-3911
Billing Contact:
Coats, M (MC20525) questions@TWISTEDHUMOR.COM
Lions Pride Enterpises, Inc.
7770 regents Road Suite 113-413
San Diego, CA 92122
619-458-3695 (FAX) 619-458-3695

Record last updated on 03-Jul-2001.
Record expires on 30-Jun-2003.
Record created on 30-Jun-1999.
Database last updated on 25-Oct-2001 11:27:00 EDT.

Domain servers in listed order:

SERVER8.TWISTEDHUMOR.COM 64.37.103.98
SERVER9.TWISTEDHUMOR.COM 64.37.114.66



ISP is ht*p://www.cybercon.com

#18 XPerties (Patrons, joined 18-August 01)
Anyone who has found this on their PC may send a complaint to the manager at cybercon.... E-mail your complaint and what you found to dave@cybercon.com. Make sure you explain we the people of the internet won't stand for this!


-Chris:D




#19 Micropocalypse (Member, joined 07-September 01)
www.rankyou.com
www.srv2cpt.com
and twisted humor all have the same ISP, and are in the same city. Hmmm...

#20 FthrJACK (Patrons, joined 16-August 01)
OK, no response by cybercon to stop this spreading, so I emailed this today. If nothing is done after this I'll get in touch with a few places such as Symantec and see what they say should be done, and report it to the authorities. Here's what I emailed dave@cybercon.com:

Dear sir

I'm writing to you after being infected with a Trojan horse program and key-logging programs contained in a file I downloaded from twistedhumor.com, hosted on your web servers.

I find it disgusting that these people are taking advantage of people's feelings after the atrocities on September the 11th, in order to infect people with a stealth Trojan and then extract personal information of all kinds from them and submit them to endless pop-up advertisements.

As the creators of this site and the Trojan horse file will not stop their illegal activities, I would like to formally request that this site be closed down immediately (subject to your legal obligation) in order to prevent the spread of this virus and to stop the perpetrators collecting any more personal information on any of its victims.

The site is being monitored and a group of victims is currently spreading the word of this site and the security risk involved. We feel let down by the fact that to date the site is still operational and that no action seems to have been taken by cybercon.com in order to stop this activity; we feel that if Microsoft were to contact you over a warez site or a site offering serial keys etc. you would not fail in your legal obligation to shut the site down immediately.

Please can you ensure that action is taken.

#21 FthrJACK (Patrons, joined 16-August 01)
And still no action... SO.. I emailed them again, of course! :)


Sure:
the file is called wnad.exe
it sits in your PC (on Win2k it's found in WINNT, on XP it's WINDOWS)
and waits 72 hours, presumably so that you don't know where you got the infection. Scanning the PC with a Trojan scanner turned up keyloggers on a few machines; presumably the intention is that you play the game, then donate money to the Red Cross, using of course your credit card, and this information is then sent back at some point. This keylogger issue isn't something I'm certain of; however, I AM certain that this Trojan is designed to be as difficult as possible to delete. Even Norton couldn't wipe it; it took safe mode on one PC of a friend's to kill it off. I have found that at the command line if you type

C:\WINDOWS\wnad.exe /quit

you can normally then wipe the file off, as well as its companion wnad.dat.
After 72 hours the program also starts making pop-up advertisements appear on your machine, infuriatingly often.
After receiving complaints about twistedhumor.com from people in America and the UK, both by email and telephone (I called your company and got an unhelpful response; a friend in PA spoke to yourself), I would have thought this site would be closed by now, especially with the opportunistic way this is exploiting the feelings of people since September 11th.

I wonder how many people are now infected and are not at a PC user level where they have the ability to track down and remove this piece of evil? I know of a few; I have removed the files from their machines myself. How many are still infected? How many possibly had credit card information stolen due to cybercon.com's lack of response to date? Please remove this site!!

As I stated before, if Microsoft or another large company emailed yourselves complaining, the site would be closed within the hour. Do the 50 or so people in our group who we have found so far have to report this to the FBI, the Red Cross, Symantec, McAfee, and any internet governing body you may have in the USA before cybercon takes action and stops supporting the blatant illegal activity of this site? I hope not. It is a shame that so far nothing has been done other than promises of action over the phone or via email, and yet no action taken.
Please respond to this issue ASAP.

And you can find dave at:

Dave Tscharner
SMC Team Leader
h*tp://www.cybercon.com
h*tp://www.bestnet.net
email: dave@cybercon.com
ph: 314.621.9991
fax: 314.241.1777
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C y b e r c o n, I n c. (cybercon.com)
A Hyson International Company (hyson.com)
World-Class Internet Hosting Center
210 North Tucker Boulevard, 7th Floor
Saint Louis, Missouri 63101-1978
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
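Posts #13 and #21 both land on the same persistence point, the HKLM Run key, and the same removal order: stop the process with /quit, drop the Run entry, then delete wnad.exe and its companion wnad.dat. The script below is an added example and not code from the thread. It checks an offline `reg export` of that key rather than touching the live registry, so it runs anywhere, and it turns a hit into the commands the posters describe. SAMPLE_REG is a constructed export: the WNAD line mirrors what the posts report, while "Updater" and "TrayApp" are made-up benign entries there to show what a clean line looks like; the triage heuristics and helper names are this example's assumptions. A real export is UTF-16 text, so read the file with encoding="utf-16".

```python
"""Check the HKLM Run key for the persistence entry the thread describes and
turn a hit into the removal steps. Added example, not code from the thread."""
import ntpath
import re

# Constructed stand-in for
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# on an infected XP box. "Updater" and "TrayApp" are made-up ordinary entries;
# only the WNAD line mirrors what the thread reports. A real export is UTF-16
# text: open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WNAD"="C:\\WINDOWS\\wnad.exe"
"Updater"="\"C:\\Program Files\\Example Vendor\\updater.exe\" /background"
"TrayApp"="traytool.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data"  (string values only; hex:/dword: values are skipped)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run$")
WINDOWS_DIRS = {r"c:\windows", r"c:\winnt"}   # where the posts say wnad.exe lives
KNOWN_BAD = {"wnad.exe"}


def unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map each [key] to its list of (value name, string data)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, [])
        elif current and (m := VALUE_RE.match(line)):
            keys[current].append((unescape(m.group(1)), unescape(m.group(2))))
    return keys


def split_command(cmd):
    """Separate the image path from its arguments; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage_run_entries(reg_text, known_bad=KNOWN_BAD):
    """Flag Run entries worth a closer look; reasons are hints, not verdicts."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values:
            image, args = split_command(data)
            reasons = []
            if ntpath.basename(image).lower() in known_bad:
                reasons.append("known indicator")
            if ntpath.dirname(image).lower() in WINDOWS_DIRS:
                reasons.append("image sits directly in the Windows directory")
            if not ntpath.isabs(image):
                reasons.append("bare filename, resolved via PATH at logon")
            findings.append({"key": key, "value": name, "image": image,
                             "args": args, "reasons": reasons})
    return findings


def wnad_removal_plan(finding):
    """The thread's procedure as commands: ask it to exit, drop the Run value,
    delete the exe and its companion .dat."""
    image = finding["image"]
    dat = ntpath.splitext(image)[0] + ".dat"
    return [
        f'"{image}" /quit',
        f'reg delete "{finding["key"]}" /v {finding["value"]} /f',
        f'del "{image}"',
        f'del "{dat}"',
    ]


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG):
        print(f["value"], "->", f["image"], f["reasons"] or "nothing unusual")
        if "known indicator" in f["reasons"]:
            print("\n".join("   " + step for step in wnad_removal_plan(f)))
```

Run the printed commands from safe mode or only after the process has exited; the posters found the file could not be deleted while it was running. "Image sits directly in the Windows directory" orders what you look at first rather than convicting anything, since some legitimate entries live there too.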

#22 FthrJACK (Patrons, joined 16-August 01)
Now they've gone and done it...


I posted this today:


Dear sir/madam

After repeated contact with staff and management at your company, and repeated stalling and excuses, I would like to inform you that unless action against twistedhumor.com is taken in the next 7 working days I will be seeking legal advice regarding cybercon.com and twistedhumor.com for the distribution of malicious code
(see: viri, trojan horse programs, remote access tools etc.)
contrary to American law and internet codes of practice.

Please do not ignore this letter.

#23 Rick (Member, joined 18-August 01)
Why don't we just DDoS them with twisted humor of our own? Truth is, they could care less, and the ISP will get no more than a slap on the wrist at best.

Rick:mad:

#24 FthrJACK (Patrons, joined 16-August 01)
barnettrp wrote:
> Why don't we just DDoS them with twisted humor of our own?


Eh? Um.. we could attack them though, I suppose, but then, you betcha they will do all they can to trace us and sue OUR asses!



