When Adware.Wnad is executed, it performs the following actions:
- Attempts to contact [http://]www.twistedhumour.com/[REMOVED] and download a number of component files.
- Creates the following directories on the compromised computer:
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following files on the compromised computer:
- Adds the value:
"Yo Mamma Osama Installer" = "%Random%\osama.exe"
to the registry subkey:
so that it runs every time Windows starts.