from google search:
Advertising Spyware:
WNAD.EXE
Background
"Twistedhumor.com, the world’s
largest humor site, announces the launch of “Yo Mamma, Osama!” a free downloadable
game created as a catalyst for charitable donations to the American Red
Cross Disaster Relief Fund."
Update 1/19/02: Reports
are coming in that other Twistedhumor.com downloads are infected, including
Ebonics Xmas. I would recommend avoiding any twistedhumor.com software
until these matters have been satisfactorily resolved.
Yo Mamma, Osama! is a game
patterned after Hogan's Alley, Barney Blast and similar games. The goal
is to shoot at the world's favourite camel-fornicator and suspected terrorist, Osama bin Laden himself, as he pops up from behind sand dunes and the like.
SwapNut, a file-swapping
client, has also been confirmed by a reader to contain wnad.exe spyware.
Suspicious Activity
What you probably don't
notice is that the Yo Mamma, Osama! installer also writes several other
files to the disk:
wnad.exe
wnad.dat
wnad-update.exe
It then adds a registry key
in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run so
that wnad.exe is executed every time the computer is started.
The wnad.exe program initiates
connection to www.rankyou.com:80 and other sites, apparently for the purpose
of transferring personal information and downloading targeted advertising
for later display. (Time permitting, we hope to explore this data transfer
further.) According to reports, wnad.exe hijacks the Web browser to
display pop-up ads every hour or so. While it is claimed that the purpose
of the software is to raise money for the American Red Cross, the suspicious
activities associated with the software tend to cast distrust on these
claims.
Rankyou.com
is an online advertising company heavily promoting a hostile advertising technology called "Eyegrab". According to the Web site:
"...EyeGrab
allows the advertiser to combine both of these marketing cornerstones [branding
and ad-consumer interaction] into the ultimate advertising weapon. Burn
your brand's image into the minds of the consumers as you collect personal
information, gauge preferences, and make a customer for life. "
"Eyegrab" includes such things
as enormous scripted Flash ads that attach to the current browser window,
covering the Web page, and won't go away until clicked on [Sample]. "BrowserGrab" may be a more appropriate name for this ad scheme. Rankyou
also boasts the ability for companies to "purchase
a targeted consumer" and his/her personal information.
Removal Procedure
WNAD.EXE can be removed
by first terminating the program using the Close Program (Ctrl-Alt-Del)
dialogue, then deleting the WNAD.EXE and WNAD.DAT files. It is also advised,
although not necessary, to delete the program's
Registry key in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run,
or (if using Win98 or higher) use MSCONFIG to remove the entry. If you
receive an "in use" error deleting any files, the program is still running--you
may have to kill it several times in the Close Program dialogue.
More
Reports of WNAD being installed
by SwapNut, a Gnutella-like
file sharing utility, have been confirmed by readers. The spyware was also reportedly installed by the Viewpoint Media Player.
AI
