Full
Name: |
WNAD |
Type: |
Adware |
Created By: |
TwistedHumor |
Danger Level: |
4 |
Category Description: |
Program that delivers advertisements on your PC.
Note that many websites have their own advertising, unrelated to adware.
Adware is any software application in which advertising is displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen and sometimes through text links or in integrated search results. Adware may or may not track personal information. It may also gather information anonymously or in aggregate only. Users should check the EULA and Privacy policy to ensure if the adware on their machines conforms to their standards. |
Official Description: |
Installed via downloads from the "Twisted Humor" website (twistedhumor.com). These executable downloads include games and animations with a .exe extension. |
Comment: |
Upon installing a TwistedHumor download, the installer writes the following other files in addition to the game/animation program:
wnad.exe
wnad.dat
wnad-update.exe
The program may also write a wnad.log file.
It then adds a registry key in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run
so that wnad.exe is executed every time the computer is started.
Upon successful install, wnad.exe initiates a connection to www.twistedhumor1.com that appears to be a sort of "registration" for the program via SSL:
https://www.twistedhumor1.com/addorder.asp?a=0.02&c=1033145308-548335&b=confirm
It creates and transmits a GUID.
The wnad.exe software then performs a key exchange with the server and transmits encrypted (SSLv3) information. We are presently unable to decrypt this transmission.
As directed by its controlling servers, the software may enter a 'sleep mode' for at least ten days after its initial installation. During this sleep mode, it will 'lay low' by not displaying ads.
During normal operation, the program will contact Web sites including, but not limited to, the following for the purpose of downloading advertising for display, and for obtaining configuration/display instructions:
www.rankyou.com
www.twistedhumor.com
www.srv2cpt.com
The wnad.exe program is coded to detect Web browsers installed on your system, most likely to coordinate the opening of new popups with Web browser activity. The version we examined looks for iexplore.exe (Internet Explorer), netscape.exe (Netscape Navigator), and AOL.exe (AOL browser/software).
The path to each program is taken from the Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
The program may also attempt to alter the "Open" command for the browser so that it loads a page of advertising when opened.
|
|
|
Properties: |
|
Manual Removal: |
WNAD.EXE can be removed by first terminating the program using the Close Program (Ctrl-Alt-Del) dialogue, then deleting the WNAD.EXE and WNAD.DAT files. It is also advised, although not necessary, to delete the program's Registry key in HKEY_LOCAL_MACHINE\Software\Microsfot\Windows\CurrentVersion\Run, or (if using Win98 or higher) use MSCONFIG to remove the entry. If you receive an "in use" error deleting any files, the program is still running--you may have to kill it several times in the Close Program dialogue. |
Back to the list of products removed by X-Cleaner
|