MSFN Forum: twisted humor.com infect you with TROJANS!! - MSFN Forum


twisted humor.com infect you with TROJANS!!

#1 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 24 October 2001 - 07:49 PM

righto.. for the past few weeks I've been thinking this and finally Chris and I found out the answer last night...
I'd recommend to anyone who has visited and downloaded from twistedhumor.com: go to c:\WINDOWS and look for files called wnad.exe and wnad.dat
there may be other components too (obviously it's in the registry too)
this is a TROJAN. Luckily I blocked its access to the net.. but on a few occasions my firewall's been down; it would explain why my ctrl alt del window is messed up and a few other things.. now I have to format again as there's enough damage done to warrant it.
this is the same trojan that Chris has had and how his PC was broken into before. Norton will not repair the file, and can't wipe it; you might be able to shut it off in ctrl alt del > services menu or boot in safe mode and kill it. Norton hasn't found it on my PC in any scans... it wasn't till Chris asked me about it and I opened the WINDOWS directory that Norton went off when I highlighted the file.. until that point it didn't make a peep. Got updates today and we both found this file.. anyone else??

BE WARNED
we are not responsible if you have problems with removing this or for any effects caused by attempting it. DO SO AT YOUR OWN RISK!!


#2 User is offline   XPerties 

  • MSFN OG Senior
  • Group: Patrons
  • Posts: 2,994
  • Joined: 18-August 01
  • OS:Windows 7 x64
  • Country: Country Flag

Posted 24 October 2001 - 07:56 PM

Yes, I could never figure it out, but tonight I updated Norton and as soon as that happened it caught the damn thing. How to remove: reboot into safe mode, go to the directory and delete both the .exe file and the .dat file. After I did that I re-ran Norton and The Cleaner. Everything is OK now. If you know someone that has XP or any tweaked version, tell them ASAP... This is a back door trojan.


-Chris

#3 User is offline   Benholio 

  • Group: Members
  • Posts: 7
  • Joined: 21-August 01

Posted 24 October 2001 - 08:07 PM

I used the Eval CD and upgraded it to the Corp CD using the Devils Own kit and I don't have wnad.exe or .dat on my system. Unless the system really hides it, I couldn't find it.

Ben

#4 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 24 October 2001 - 08:08 PM

No. Not everyone will have this, but I expect a lot of people do!

#5 User is offline   Benholio 

  • Group: Members
  • Posts: 7
  • Joined: 21-August 01

Posted 24 October 2001 - 08:31 PM

True, but we need to try and determine if this virus is in just the premade ISO, the upgrade kit, or something else, if possible. Especially since we all know how many people wanted and eagerly downloaded this copy of XP.

Ben

#6 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 24 October 2001 - 08:36 PM

Yeah, working on it, but I think it came with the ISO, although not all devils0wn ISOs may have it... anyone just done a clean install of devils0wn? Any help and info from you all would be great; let's try to nail this down.

#7 User is offline   Benholio 

  • Group: Members
  • Posts: 7
  • Joined: 21-August 01

Posted 24 October 2001 - 08:41 PM

I was asking in a channel on IRC amongst friends about this. Most of them don't have it. However, I am sure they didn't get the original ISO either. Most used the kits or got repacks that were offered as devilsown's Corp CD. Anyone else find it?

Ben

#8 Guest_LouCypher_*

  • Group: Guests

Posted 24 October 2001 - 09:22 PM

I've been running a clean install of devilsown since the second week after it was RTM, with Norton Antivirus 2002 and Tiny Personal Firewall. I don't have either one of those on my system, and haven't gotten any trojans or virii.

I update NAV regularly and ran The Cleaner after XPerties' recent problems and nothing was found by either program.

I think you guys are just sharing files with the wrong people. Might also explain the [cheaters] file some of you are finding on your system. If you're getting a virus or trojan then it's modified ISO images or something.

I DON'T think this is a devils0wn issue, unless somebody hacked your copy before you downloaded it.

Size of my ISO: 512,342,016 (yours should be the same?)
Size on disk: 512,344,064 (maybe different?)

#9 User is offline   Benholio 

  • Group: Members
  • Posts: 7
  • Joined: 21-August 01

Posted 24 October 2001 - 09:45 PM

Another option would be to run a CRC against the original ISO you have. It will not match the known key for the MS Corp CD.

Ben
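The two posts above compare an ISO by file size and then by CRC. The added example below (not from this thread or from anyone in it) shows the check a defender would actually run: stream the image once, compute its size, CRC32 and SHA-256, and compare against published reference values. The sample data is constructed in a temp directory; a one-bit change keeps the size identical but changes both checksums, which is why "same size" alone proves nothing.

```python
import binascii
import hashlib
import os
import tempfile


def file_checksums(path, chunk_size=1 << 16):
    """Stream a file and return (size_in_bytes, crc32_hex, sha256_hex)."""
    size = 0
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            size += len(chunk)
            crc = binascii.crc32(chunk, crc)
            sha.update(chunk)
    return size, format(crc & 0xFFFFFFFF, "08x"), sha.hexdigest()


def verify_image(path, expected_size, expected_sha256):
    """Compare a downloaded image against a published size and SHA-256.

    Size is reported separately from the hash so the caller can see that a
    matching size on its own is not evidence of an untampered image.
    """
    size, crc, sha = file_checksums(path)
    return {
        "size_matches": size == expected_size,
        "hash_matches": sha == expected_sha256.lower(),
        "crc32": crc,
        "sha256": sha,
    }


def demo():
    """Constructed data: a 'known good' image and a same-size copy with one
    bit flipped. These are stand-ins, not real ISO images."""
    good = bytes(range(256)) * 64            # 16 KiB of sample content
    tampered = bytearray(good)
    tampered[1000] ^= 0x01                   # same size, different content
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "good.iso")
        bad_path = os.path.join(tmp, "tampered.iso")
        with open(good_path, "wb") as fh:
            fh.write(good)
        with open(bad_path, "wb") as fh:
            fh.write(bytes(tampered))
        # Stand-in for the publisher's reference size and digest
        ref_size, _, ref_sha = file_checksums(good_path)
        return (verify_image(good_path, ref_size, ref_sha),
                verify_image(bad_path, ref_size, ref_sha))


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("known-good image:", good_result)
    print("tampered image:  ", bad_result)
```

CRC32 is kept only because it is what the post suggests and what older published checksums used; for deciding whether an image is the one the publisher released, compare the SHA-256.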

#10 Guest_LouCypher_*

  • Group: Guests

Posted 24 October 2001 - 09:53 PM

By default Windows XP doesn't set a password for users created during setup and puts them all in the Administrators group. Unless you've set a good password and/or removed them from the Administrators group, you're asking for trouble.

Any dumb script kiddie can scan your system for usernames, open shares, Remote Desktop service, etc. If you don't set a password and leave these users in the Administrators group then they can easily copy whatever they want to your system.

By default all the hard drives have a secret share of C$, D$, etc., in addition to IPC$. I've disabled mine (registry edit in my Tweaks thread sticky post).

If you don't believe me:

Right click "My Computer" -> Manage -> Shared Folders -> Shares.

#11 User is offline   XxMaNsOnX 

  • Newbie
  • Group: Members
  • Posts: 42
  • Joined: 24-August 01

Posted 24 October 2001 - 09:59 PM

I too have wnad.exe, and have studied it and have one single question to ask:
Did the people who have this visit ht*p://www.twistedhumor.com and check out the 'Yo Mama Osama' game that's been posted there, and linked to by some major sites? I did, and I think that's where this came from. Here's why:

I've gone through the binary, and after only looking at it for about 5 minutes, I've discovered some things.

1) It appears to *NOT* be a trojan, despite what Norton says, but simply a program that launches popups, at an interval depending on how much you're transferring. At least that's what it APPEARS to do; I'm not an expert that works at SARC, but I am a programmer :)

2) It appears to popup an ad from: ht*p://www.twistedhumor.com/cgi-bin/redneck/redneck_show_popup.cgi?test_popup=1&company_name=SwapNutSoftware which appears to simply give a URL for it to connect to.

3) This has the ability to update its software; how, I do not know yet.

4) Other URLs that are hard coded into this binary:
ht*p://www.rankyou.com/wnad/
ht*p://www.srv2cpt.com/ad/

5) The name alone, wnAD, further makes me feel this is simply a VERY god-awful and intrusive way of advertising.

I visited that site, and killed Osama, and now, examining it, I truly believe that is where this originated.

Ah, I think it checks for updates from ht*p://www.rankyou.com/wnad/wnad.php and if there's a newer version, it uses ht*p://www.rankyou.com/wnad/wnad-update.exe; there is a wnad.exe there as well, but no wnad-update yet.

Someone want to compare these results? Like I said, I don't work for SARC :rolleyes:

I will post more when I find out more....

--
XxMaNsOnX

Do not post active links on the forums.... Edited by Mod
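The poster above found the update and ad URLs by reading strings out of the binary. The added example below (my own code, not the poster's or anything from wnad.exe) is the triage pass an analyst would run over a suspicious executable: pull printable ASCII runs, pull UTF-16LE runs (Windows binaries store many strings that way, and plain strings(1) misses them), then filter both for URLs and reduce them to the hostnames a firewall rule or proxy log search would need. The input is a constructed byte blob carrying two of the domains named in the thread; it is not a real executable.

```python
import re
from urllib.parse import urlparse

# One pattern, compiled for text and for raw bytes, so the same rule applies
# to 8-bit strings and to UTF-16LE strings once they have been decoded.
URL_PATTERN = r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~!$&'()*+,;=:@%/?\-]*)?"
URL_RE = re.compile(URL_PATTERN)
URL_RE_BYTES = re.compile(URL_PATTERN.encode("ascii"))


def ascii_strings(blob, min_len=4):
    """Runs of printable ASCII, like the strings(1) default of 4 characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def wide_strings(blob, min_len=4):
    """Runs of UTF-16LE printable ASCII (each character followed by 0x00)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, blob)]


def extract_urls(blob):
    """Every URL hard-coded in the blob, from both 8-bit and wide strings."""
    found = {m.decode("ascii") for m in URL_RE_BYTES.findall(blob)}
    for text in wide_strings(blob):
        found.update(URL_RE.findall(text))
    return sorted(found)


def contacted_hosts(blob):
    """Distinct hostnames the binary could reach, for blocking or log review."""
    return sorted({urlparse(u).hostname for u in extract_urls(blob)})


# Constructed sample: a few PE-like header bytes, an 8-bit URL, some junk,
# a UTF-16LE URL and two command-line switches. Not a real executable.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"http://www.rankyou.com/wnad/wnad.php\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "http://www.srv2cpt.com/ad/".encode("utf-16-le") + b"\x00\x00"
    + b"/log=on\x00/quit\x00"
    + bytes(range(1, 32))
)

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_BINARY):
        print("URL  :", url)
    print("hosts:", contacted_hosts(SAMPLE_BINARY))
    print("other:", [s for s in ascii_strings(SAMPLE_BINARY) if "://" not in s])
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_urls`. Strings are only a first pass: a binary can build or obfuscate its URLs at runtime, so an empty result never clears a file, and the network monitoring the thread also mentions (netstat, firewall logs) is the complementary check.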

#12 User is offline   XPerties 

  • MSFN OG Senior
  • Group: Patrons
  • Posts: 2,994
  • Joined: 18-August 01
  • OS:Windows 7 x64
  • Country: Country Flag

Posted 24 October 2001 - 10:17 PM

My God, I think you figured it out.

I have been to this website and I'm pretty sure that FthrJACK was too. I'm positive that my girlfriend's father also went to this site (he also found it on his system)... So now I feel that something should be done about this. This, if in fact it turns out to be true, is an invasion of our privacy.

One major question: why would Norton pick up on it, but your statement leans towards it not being a virus? Your education expressed here is greatly appreciated... I'll be waiting to see what else you come up with.


-Chris


PS. I wonder if it's some sort of terrorist attack?! :mad:

#13 User is offline   XxMaNsOnX 

  • Newbie
  • Group: Members
  • Posts: 42
  • Joined: 24-August 01

Posted 24 October 2001 - 10:56 PM

Okay, sorry about the links; I don't post here much. In fact, my first time.

Here's a simple way to just get rid of it:
First, turn off Norton, as it won't let you run it. Then, run wnad.exe /quit

Then you'll be allowed to delete it and whatnot; then remove it from running in the registry. It's stored at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and just delete the WNAD key.

That's all it does to the registry, again, that I know of.

Other options that wnad will take (for those interested):
/log=on
/log=off
/use
/install
/quit

It also will not show any popups for 72 hours after it's been installed, I guess to prevent you from realizing how you got it.
I really don't think it's a trojan in any way. So I just want to make sure: if you have it, did you check out twistedhumor? If not, then I don't know.

Just remember that it autoupdates itself, so this could all change.

If it is in fact originating from that game (which I felt cautious trying anyway; I dislike ActiveX, and now I remember why :)), then twistedhumor is twisted indeed. Doubtful it's a terrorist attack though, unless of course you consider evil money-grubbing corporations terrorists :rolleyes:

AHA! PROOF!
Okay. Definite proof now. I just tried to reinstall the game to see if this was the cause. Sure enough, before installing it, I read the EULA. This is what it says:
The Osama Software includes added software and technology which allows Lions Pride Enterprises, Inc. to provide advertising content.

And:
TWISTEDHUMOR.COM DOES NOT WARRANT THAT THE OSAMA SOFTWARE, THE TWISTEDHUMOR.COM SERVERS, OR E-MAIL SENT FROM TWISTEDHUMOR.COM ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

So there we have it. Then, after accepting the EULA, sure enough, Norton popped up with its warning. Now, the EULA says they aren't responsible, but I'm sure the law says otherwise; class action anybody? I'll leave that to the lawyers :cool:

--
XxMaNsOnX
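The removal steps above come down to one persistence point: a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at an executable dropped straight into the Windows directory. The added example below (my code, not the poster's) is an offline check of that key: it parses a `reg export` of the Run key and flags entries whose name is on a watchlist or whose executable sits directly in the Windows root rather than in System32 or a program folder. The sample .reg text is constructed; the ctfmon.exe line is a normal XP Run entry included as a control that must not be flagged.

```python
import re

# One "name"="value" line from a .reg export. Both sides may contain
# backslash escapes (\\ for a backslash, \" for a quote).
REG_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def reg_unescape(text):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return [(value_name, command_line)] from any ...\\CurrentVersion\\Run
    section of a .reg export; other keys in the file are ignored."""
    entries = []
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run_key:
            continue
        m = REG_STRING_VALUE_RE.match(line)
        if m:
            entries.append((reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def executable_path(command_line):
    """First token of a Windows command line, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end != -1 else command_line[1:]
    return command_line.split(" ", 1)[0]


def triage_run_entries(entries, watchlist=("wnad",)):
    """Flag entries worth a closer look. These are heuristics, not verdicts:
    a name on the watchlist, or an executable placed directly in the
    Windows directory rather than in System32 or a program folder."""
    findings = []
    for name, command_line in entries:
        exe = executable_path(command_line)
        parent, _, filename = exe.rpartition("\\")
        stem = filename.lower().rsplit(".", 1)[0]
        reasons = []
        if name.lower() in watchlist or stem in watchlist:
            reasons.append("name on watchlist")
        if re.fullmatch(r"[a-z]:\\windows", parent.lower()):
            reasons.append("executable sits directly in the Windows directory")
        if reasons:
            findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings


# Constructed sample of a Run-key export. The ctfmon.exe line is a normal
# XP entry used as a control; the other two are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WNAD"="C:\\WINDOWS\\wnad.exe"
"SomeUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

if __name__ == "__main__":
    for finding in triage_run_entries(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` writes the file as UTF-16, so read it with `open("run.reg", encoding="utf-16")` before passing the text to `parse_run_entries`. Anything flagged deserves the steps in the post above (stop the process, delete the files, remove the value), plus a check that it has not come back after a reboot.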

#14 User is offline   XPerties 

  • MSFN OG Senior
  • Group: Patrons
  • Posts: 2,994
  • Joined: 18-August 01
  • OS:Windows 7 x64
  • Country: Country Flag

Posted 25 October 2001 - 02:23 PM

Well, with your information I've contacted Twisted Humor's web servers and notified them of what was going on. They're going to (supposedly) take care of it... lol... Ya right. Your help was highly appreciated!


-Chris

#15 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 25 October 2001 - 02:29 PM

Yes.. before I read your posts (forum has been dead, too busy I think) I'd traced it back to them via netstat and ARIN... so we've rung up the ISP and tried to get hold of them too, but all their phones are dead.

Did you check wnad.dat? I didn't get round to hex editing it so I haven't found exactly what it does... but you obviously beat me to it; nice work mate, and about time you posted LOL

welcome to the forums :beer

#16 User is offline   Benholio 

  • Group: Members
  • Posts: 7
  • Joined: 21-August 01

Posted 25 October 2001 - 07:18 PM

Are they in the US? If so then thank god for the super broad DMCA...

#17 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 25 October 2001 - 08:16 PM

Registrant:
TwistedHumor.com (TWISTEDHUMOR-DOM)
7770 regents Road Suite 113-413
San Diego, CA 92122
US

Domain Name: TWISTEDHUMOR.COM

Administrative Contact:
Coats, M (MCP429) ads@TWISTEDHUMOR.COM
Lions Pride Enterprises, Inc.
7770 Regents Rd #113-413
San Diego , CA 92122
858-271-8650 (FAX) 858-566-3911
Technical Contact:
Kukuruzovic, Vladimir (KV338-ORG) noc@TWISTEDHUMOR.COM
Twistedhumor
Lions Pride Enterprises, Inc.
7770 Regents Rd #113-413
San Diego, CA 92122
USA
858-271-8650
Fax- 858-566-3911
Billing Contact:
Coats, M (MC20525) questions@TWISTEDHUMOR.COM
Lions Pride Enterpises, Inc.
7770 regents Road Suite 113-413
San Diego, CA 92122
619-458-3695 (FAX) 619-458-3695

Record last updated on 03-Jul-2001.
Record expires on 30-Jun-2003.
Record created on 30-Jun-1999.
Database last updated on 25-Oct-2001 11:27:00 EDT.

Domain servers in listed order:

SERVER8.TWISTEDHUMOR.COM 64.37.103.98
SERVER9.TWISTEDHUMOR.COM 64.37.114.66



ISP is ht*p://www.cybercon.com

#18 User is offline   XPerties 

  • MSFN OG Senior
  • Group: Patrons
  • Posts: 2,994
  • Joined: 18-August 01
  • OS:Windows 7 x64
  • Country: Country Flag

Posted 25 October 2001 - 09:48 PM

Anyone who has found this on their PC may send a complaint to the manager at cybercon... E-mail your complaint and what you found to dave@cybercon.com. Make sure you explain we the people of the internet won't stand for this!


-Chris:D

#19 User is offline   Micropocalypse 

  • Advanced Member
  • PipPipPip
  • Group: Members
  • Posts: 306
  • Joined: 07-September 01

Posted 26 October 2001 - 09:25 PM

www.rankyou.com
www.srv2cpt.com
and twisted humor all have the same ISP,
and are in the same city. hmmm...

#20 User is offline   FthrJACK 

  • I am a PC...
  • Group: Patrons
  • Posts: 3,394
  • Joined: 16-August 01
  • OS:Server 2008 x64

Posted 28 October 2001 - 08:20 PM

OK, no response by cybercon to stop this spreading, so I emailed this today; if nothing is done after this I'll get in touch with a few places such as Symantec and see what they say should be done, and report it to the authorities. Here's what I emailed dave@cybercon.com:

Dear sir

I'm writing to you after being infected with a Trojan horse program and key logging programs contained in a file I downloaded from twistedhumor.com, hosted on your web servers.

I find it disgusting that these people are taking advantage of people's feelings after the atrocities on September the 11th, in order to infect people with a stealth Trojan and then extract personal information of all kinds from them and submit them to endless pop up advertisements.

As the creators of this site and the Trojan horse file will not stop their illegal activities I would like to formally request that this site be closed down immediately (subject to your legal obligation) in order to prevent the spread of this virus and to stop the perpetrators collecting any more personal information on any of its victims.

The site is being monitored and a group of victims is currently spreading the word of this site and the security risk involved. We feel let down by the fact that to date the site is still operational and that no action seems to have been taken by cybercon.com in order to stop this activity; we feel that if Microsoft were to contact you over a warez site or site offering serial keys etc. you would not fail in your legal obligation to shut the site down immediately.

Please can you ensure that action is taken.

Copyright © 2001 - 2013 msfn.org