When Adware.Wnad is executed, it performs the following actions:
- Attempts to contact [http://]www.twistedhumour.com/[REMOVED] and download a number of component files.
- Creates the following directories on the compromised computer:
%ProgramFiles%\osama
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following files on the compromised computer:
- osama.exe
- wnad.exe
- wnad.dat
- wnad-update.exe
- Adds the value:
"Yo Mamma Osama Installer" = "%Random%\osama.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
