twisted humor.com infect you with TROJANS!!

[FthrJACK]

righto.. for the past few weeks ive been thinking this and finally myself and chris found out the answer last night...

id recommend to anyone who has visited and downloaded from twistedhumor.com, go to c:WINDOWS and look for a file called wnad.exe and wnad.dat

there may be other components too (obviously its in the registry too)

this is a [b:2242809db2]TROJAN[/b:2242809db2] luckily i blocked it access to the net.. but on a few occasions my firewalls been down, it would explain why my ctrl alt del window is messed up and a few other things.. now i have to format again as theres enough damage done to warrant it.

this is the same trojan that chris has had and how his pc was broken into before, norton will not repair the file, and cant wipe it, you might be able to shut it off in ctrl alt del > services menu or boot in safe mode and kill it. norton hasnt found it on my pc in any scans... it wasnt till chris asked me about it and i opened the WINDOWS directory that norton went off when i highlighted the file.. until that piint it didnt make a peep, got updates today and we both found this file.. anyone else??

[b:2242809db2]BE WARNED[/b:2242809db2]

we are not responsible if you have problems with removing this or of any effects caused by attampting DO SO AT YOUR OWN RISK!!

[XPerties]

Yes I could never figure it out but tonight I updated Norton and and as soon as that happen it caught the dam thing. How to remove....Reboot into safe mode, go to the directory and delete both the .exe file and the .dat file. After I did that I re ran norton and The cleaner. Everything is ok now, If you know someone that has XP and any tweaked version tell them ASAP...This is a back door trojan.

-Chris

[Benholio]

I used the Eval Cd and upgraded it to the Corp CD using the Devils own kit and I dont have wnad.exe or dat on my system.Unless the system really hides it I couldn't find it.

Ben

[FthrJACK]

no. not everyne will have this but i expect a lot of people do!

[Benholio]

True, but we need to try and determine if this virus is in just the premade ISO, the upgrade kit, or something else if possible. Especially since we all kknow how many people wanted and eagerly downloaded this copy of XP.

Ben

[FthrJACK]

yeah, working on it, but i think it came with the ISO, although not all devils0wn ISO's may have it... anyone just domne a clean install of devil0wn? any help and info from you all would be great, lets try nail this down.

[Benholio]

I was asking in a channel on IRC amongst friends about this. Most of them dont have it. However I am sure they didn't get the origional ISO either. Most used the kits or got repacks that were offered as devilsowns Corp CD. Anyone else find it?

Ben

[Guest LouCypher]

I've been running a clean install of devilsown since the second week it after it was RTM with Norton Antivirus 2002 and Tiny Personal Firewall. I don't have either one of those on my system, and haven't gotten any trojans or virii.

I update NAV regularly and ran The Cleaner after XPerties recent problems and nothing was found by either program.

I think you guys are just sharing files with the [b:e3d1f46de1]wrong[/b:e3d1f46de1] people. Might also explain the [cheaters] file some of you are finding on your system. If you're getting a virus or trojan than modified ISO images or something.

I DON'T think this is a devils0wn issue, unless somebody hacked your copy before you downloaded it.

Size of my ISO: 512,342,016 (yours [b:e3d1f46de1]should[/b:e3d1f46de1] be the same?)

Size on disk: 512,344,064 (maybe different?)

[Benholio]

Another option would be runn a crc against your origional ISO you have. It will not match the know key for the MS corp CD.

Ben

[Guest LouCypher]

By default Windows XP doesn't set a password for users created during setup and put them all in the Administrator group. Unless you've set a good password and/or removed them from the Administrator's group then you're asking for trouble.

Any dumb script kiddie can scan you system for usernames, open shares, Remote Desktop service, etc. If you don't set a password and leave these users in Administrator group then they can easily copy whatever they want to your system.

By default all the harddrives have a secret share of C$, D$, etc.. in addition to IPC$. I've disabled mine (registry edit in my Tweaks thread sticky post).

If you don't believe me:

Right click "My Computer" -> Manage -> Shared Folders -> Shares.

[XxMaNsOnX]

I too have wnad.exe, and have studied it and have one single question to ask:

Did the people who have this visit ht*p://www.twistedhumor.com and check out the 'Yo Mama Osama' game that's been posted there, and linked to by some major sites? I did, and I think thats where this came from. Here's why:

I've gone through the binary, and after only looking at it for about 5 minutes, I've discovered some things.

1) It appears to *NOT* be a trojan, despite what norton says, but simple a program that launches popups, at an interval depending on how much your transfering. At least thats what it APPEARS to do, Im not an expert that works at SARC, but I am a programmer

2) It appears to popup an ad from: ht*p://www.twistedhumor.com/cgi-bin/redneck/redneck_show_popup.cgi?test_popup=1&company_name=SwapNutSoftware which appears to simply give a URL for it to connect to.

3) This has the ability to update its software, How I do not know yet

4) Other URL's that are hard coded into this binary:

ht*p://www.rankyou.com/wnad/

ht*p://www.srv2cpt.com/ad/

5) The name alone, wnAD, further makes me feel this is simply a VERY god awful and intrusive way of advertising.

I visited that site, and killed Osama, and now examining it, I truly believe that is where this originated.

Ah, I think it checks for updates from ht*p://www.rankyou.com/wnad/wnad.php and if theres a newer version, it uses ht*p://www.rankyou.com/wnad/wnad-update.exe, there is a wnad.exe there as well, but no wnad-update yet.

Someone want to compare these results? Like I said, I dont work for SARC

I will post more when I find out more....

--

XxMaNsOnX

Do not post active links on the forums....Edited by Mod[/color:5660f4cede]

[XPerties]

My God I think you fugured it out.[/size:24e804caf5]

I have been to this website and Im preety sure that FthrJACK was to. Im postitive that my girlfriends father also went to this site (He also found it on his system)....So Now I feel that something should be done about this. This if in fact turns out to be true is a invasion of our privacy.

One major question why would Nortan pick up on it but your statement leans towrds it not being a virus. You education expressed here is greatly appreciated...Ill be waiting to see what else you come up with.

-Chris

PS. I wounder if it some sort of terriost attack?! :mad:

[XxMaNsOnX]

Okay, Sorry about the links, I dont post here much, In fact, my first time.

Here's a simple way to just get rid of it:

First, Turn off Norton, as it wont let you run it. then, run wnad.exe /quit

Then you'll be allowed to delete it and what not, then remove it from running in the registry, its stored at:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun and just delete the WNAD key.

That's all it does to the registry, again, that I know of.

Other options that wnad will take (for those interested):

/log=on

/log=off

/use

/install

/quit

It also will not show any popups for 72 hours after it's been installed, I guess to prevent you from realizing how you got it.

I really don't think it's a trojan in any way. So I just want to make sure, If you have it, did you check out twistedhumor? If not, then I dont know.

Just remember that it autoupdates itself, so this could all change.

If it is in fact originating from that game, (which I felt cautious trying anyway, I dislike ActiveX, and now I remember why ) then twistedhumour is twisted indeed. Doubtful its a terrorist attack though, unless of course you consider evil money grubbing corporations terrorists

[b:6e3674edd5]AHA! PROOF![/b:6e3674edd5][/size:6e3674edd5]

Okay. Definate proof now. I just tried to reinstall the game to see if this was the cause. Sure enough, before installing it, I read the EULA. This is what it says:

The Osama Software includes added software and technology which allows Lions Pride Enterprises, Inc. to provide advertising content.

And:

TWISTEDHUMOR.COM DOES NOT WARRANT THAT THE OSAMA SOFTWARE, THE TWISTEDHUMOR.COM SERVERS, OR E-MAIL SENT FROM TWISTEDHUMOR.COM ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

So there we have it, Then after accepting the EULA, sure enough, Norton popped up with it's warning. Now, the EULA says they aren't respnsible, but I'm sure the law says another, class action anybody? I'll leave that to the lawyers

--

XxMaNsOnX

[XPerties]

Well with your information Ive conntacted Twisted humore web servers and notified them of what was going on. There going to (supposely) Take care of it....lol....Ya right. Your help was Highly appreciated!

-Chris

[FthrJACK]

yes.. before i read your posts (forum has been dead, too busy i think) id traced it back to them via netstat and arin.... so weve rung up the ISP and tried to get hold of them too but all their phones are dead.

did you check wnad.dat? i didnt get round to hex editing it so i havent found exactly what it does... but you obviously beat me to it, nice work mate, and about time you posted LOL

welcome to the forums :beer