HTTP Wnad Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

Adware.Wnad is an adware program that displays advertisements and tracks browser information such as Web sites visited.

Additional Information

When Adware.Wnad is executed, it performs the following actions:

1. Attempts to contact [http://]www.twistedhumour.com/[REMOVED] and download a number of component files.

2. Creates the following directories on the compromised computer:

%ProgramFiles%\osama

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

3. Creates the following files on the compromised computer:

* osama.exe
* wnad.exe
* wnad.dat
* wnad-update.exe

4. Adds the value:

"Yo Mamma Osama Installer" = "%Random%\osama.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Affected

  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Workstation rev.2031, rev.2072, rev.2195, SP1, SP2, SP3
  • Microsoft Windows NT 3.5, 4.0 SP6a alpha
  • Microsoft Windows NT Workstation 4.0, 4.0 SP6a
  • Microsoft Windows XP
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions: http://www.symantec.com/security_response/writeup.jsp?docid=2005-121415-2026-99&tabid=3
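To support step 3, the following added example (not Symantec's code) scans the text of a `reg export` of the HKEY_LOCAL_MACHINE hive for the Run value described above. The sample export, the paths in it and the function name are constructed for illustration; only REG_SZ values are parsed.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "yo mamma osama installer"                    # value name from the write-up
EXE_NAMES = {"osama.exe", "wnad.exe", "wnad-update.exe"}   # executables from the write-up
# "name"="data" line of a REG_SZ value; backslashes and quotes are escaped in .reg text
SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample. A real export is UTF-16; decode it before passing it in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yo Mamma Osama Installer"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\osama.exe"
"Updater"="\"C:\\Program Files\\osama\\wnad-update.exe\" /q"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\temp\\osama.exe"
'''

def find_wnad_run_values(reg_text):
    """Return (name, data, reason) for each matching REG_SZ value under the Run key."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = SZ_LINE.match(line) if in_run else None
        if not m:
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        # The write-up gives the directory as %Random%, so compare the file name only
        exe = re.search(r'([^\\/"]+\.exe)\b', data, re.I)
        leaf = exe.group(1).lower() if exe else ""
        if name.lower() == VALUE_NAME:
            hits.append((name, data, "value name"))
        elif leaf in EXE_NAMES:
            hits.append((name, data, "file name"))
    return hits
```

Each hit is a candidate for removal in step 3; confirm the referenced file before deleting the value.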
