Note that many websites have their own advertising, unrelated to adware.
Installed via downloads from the "Twisted Humor" website (twistedhumor.com). These executable downloads include games and animations with a .exe extension.
Upon installing a TwistedHumor download, the installer writes the following other files in addition to the game/animation program:
The program may also write a wnad.log file.
It then adds a registry key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that wnad.exe is executed every time the computer is started.
Upon successful install, wnad.exe initiates a connection to www.twistedhumor1.com that appears to be a sort of "registration" for the program via SSL:
It creates and transmits a GUID.
The wnad.exe software then performs a key exchange with the server and transmits encrypted (SSLv3) information. We are presently unable to decrypt this transmission.
As directed by its controlling servers, the software may enter a 'sleep mode' for at least ten days after its initial installation. During this sleep mode, it will 'lay low' by not displaying ads.
During normal operation, the program will contact Web sites including, but not limited to, the following for the purpose of downloading advertising for display, and for obtaining configuration/display instructions:
The wnad.exe program is coded to detect Web browsers installed on your system, most likely to coordinate the opening of new popups with Web browser activity. The version we examined looks for iexplore.exe (Internet Explorer), netscape.exe (Netscape Navigator), and AOL.exe (AOL browser/software).
The path to each program is taken from the Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
The program may also attempt to alter the "Open" command for the browser so that it loads a page of advertising when opened.
WNAD.EXE can be removed by first terminating the program using the Close Program (Ctrl-Alt-Del) dialogue, then deleting the WNAD.EXE and WNAD.DAT files. It is also advised, although not necessary, to delete the program's Registry key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or (if using Win98 or higher) use MSCONFIG to remove the entry. If you receive an "in use" error deleting any files, the program is still running--you may have to kill it several times in the Close Program dialogue.
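The checks behind the removal steps above, written as a read-only PowerShell script for a current Windows system. This is an added example, not part of the original analysis. It assumes that wnad.dat and wnad.log sit in the same folder as wnad.exe, which the page does not state, and the function names are hypothetical.

```powershell
# Added example: read-only check for the wnad.exe traces described above.
# It reports findings and deletes nothing.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ExePathFromCommand {
    param([string]$Command)
    # Run values may be quoted and may carry arguments; keep only the executable path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $Command.Trim()
}

function Find-WnadRunEntry {
    param([string]$KeyPath = $runKey)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        # Read the raw value so %VAR% references are shown as stored.
        $cmd = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $exe = Get-ExePathFromCommand $cmd
        # Match on the file name only, whatever folder the entry points at.
        if ($exe -match '(^|[\\/])wnad\.exe$') {
            [pscustomobject]@{ ValueName = $name; Command = $cmd; ExePath = $exe }
        }
    }
}

$entries = @(Find-WnadRunEntry)
$procs   = @(Get-Process -Name 'wnad' -ErrorAction SilentlyContinue)

foreach ($proc in $procs) { "RUNNING  wnad.exe pid=$($proc.Id)" }

foreach ($entry in $entries) {
    "RUN KEY  $($entry.ValueName) -> $($entry.Command)"
    $dir = Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($entry.ExePath))
    if (-not $dir) { continue }   # bare file name: no folder to inspect
    # Assumption: the data and log files live beside the executable.
    foreach ($file in 'wnad.exe', 'wnad.dat', 'wnad.log') {
        $path = Join-Path $dir $file
        if (Test-Path -LiteralPath $path) { "FILE     $path" }
    }
}

if (-not $procs -and -not $entries) { 'No wnad.exe process or Run entry found.' }
```

A RUNNING line means the process must be terminated before the listed files can be deleted, which matches the "in use" error described above.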