InterMute > Threat Research
Whazit is an Internet Explorer toolbar and home-/search-/error-page
hijacker pointed at its controlling server whazit.com.
Some versions of Whazit also install the nCase parasite.
Variants
Whazit/bho is an early version, always stored under
the filename 'bho.dll' in the Windows folder.
Whazit/Rnd is similar to the bho variant, but uses
random eight-letter filenames.
Whazit/Whattt uses one BHO called 'whattt.dll' along
with another called either 'outones.dll' or 'newones.dll'.
Whazit/Whattn uses 'whattn.dll', and may still have
the 'newones.dll' left over.
Distribution
Installed by ActiveX drive-by-download to victims clicking
links to the OutWar online game, and by the 'crackz' sites
trinsic.org and cerials.net (who are also LOP
distributors).
What it does
Advertising
No.
Privacy violation
Not known.
Security issues
Yes. Whazit can download and execute arbitrary unsigned code
from its controlling server, as a self-updating feature.
Stability problems
Yes. On some systems, Whazit/Whattt may open an error window
from 'whaimager' every time a new Internet Explorer window
is opened.
Removal
In the Whazit/Whattt variant, there may be an entry in the
Control Panel's Add/Remove Programs feature for 'whazit tools'.
Manual removal
bho variant
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\bho.dll"
Restart the computer and you should be able to delete the
file bho.dll from the Windows folder.
Rnd variant
First, you need to find out what the name of the file is.
It will be inside the Windows folder, in capital letters,
eight letters long with the extension .DLL. If you can't find
it by looking, try looking in the registry (from Start->Run->regedit)
and opening the key HKEY_CLASSES_ROOT\CLSID\{D5B72AED-E54A-11D6-B1B2-444553540000}.
Click the 'InProcServer32' subkey and the '(Default)' value
on the right should tell you the filename.
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands, replacing the XXXXXXXX with
the relevant letters:
cd "%WinDir%\System"
regsvr32 /u "..\XXXXXXXX.DLL"
Restart the computer and you should be able to delete this
file.
Whattt variant
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\whattt.dll"
regsvr32 /u "..\outones.dll"
regsvr32 /u "..\newones.dll"
(One of the latter two commands should generate an error,
because normally only one of the files outones.dll and newones.dll
is present at a time.)
Restart the machine and you should be able to delete the
whattt.dll and outones.dll/newones.dll files from the Windows
folder.
Whattn variant
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "..\whattn.dll"
regsvr32 /u "..\newones.dll"
Restart the machine and you should be able to delete the
whattn.dll and newones.dll files from the Windows folder.
All variants
Having removed the software, you can now reset your home
page (from Internet Options->General->Start page) and
search pages (from Internet Options->Programs->Reset
Web Settings). You can also open the registry (Start->Run->regedit)
and delete the key HKEY_LOCAL_MACHINE\Software\wms to clean
up if you like. Finally, open Downloaded Program Files in
the Windows folder, and delete the entry {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F}
if you have it.
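Before removing anything, it helps to confirm which variant is present and whether any of the leftovers named above still exist. The following read-only audit script is an added example, not part of the InterMute page: it reports every indicator described in the Variants and Removal sections without changing the machine. The DLL names, the BHO CLSID, the HKLM\Software\wms key and the Downloaded Program Files entry are taken from this page; the 'Browser Helper Objects' and 'Code Store Database' registry locations are standard Windows paths that the page itself does not mention. It assumes it is run from an elevated PowerShell prompt on the suspect computer.

```powershell
# Added example (not from the InterMute page): read-only audit for Whazit indicators.
# Assumptions: elevated PowerShell on the affected machine. The BHO and Code Store
# registry paths are standard Windows locations, not taken from the page.

function Test-WhazitIndicators {
    $winDir   = $env:WINDIR
    $bhoClsid = '{D5B72AED-E54A-11D6-B1B2-444553540000}'   # from the Rnd variant lookup
    $dpfClsid = '{DCF0768D-BA7A-101A-B57A-0000C0C3ED5F}'   # from the All variants cleanup
    $findings = New-Object System.Collections.Generic.List[string]

    # bho / Whattt / Whattn variants: fixed filenames directly in the Windows folder
    foreach ($name in 'bho.dll', 'whattt.dll', 'whattn.dll', 'outones.dll', 'newones.dll') {
        $path = Join-Path $winDir $name
        if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
    }

    # Rnd variant: eight capital letters plus .DLL in the Windows folder.
    # -cmatch keeps the comparison case-sensitive, as the page describes the name.
    Get-ChildItem -LiteralPath $winDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '^[A-Z]{8}\.DLL$' } |
        ForEach-Object { $findings.Add("Rnd-style candidate: $($_.FullName)") }

    # The COM registration the manual lookup walks through; the InProcServer32
    # default value names the DLL that was actually registered.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid\InProcServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $findings.Add("CLSID $bhoClsid registered, InProcServer32 = $dll")
    }

    # Internet Explorer loads BHOs listed here (standard location, not on the page)
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
    if (Test-Path -LiteralPath $bhoKey) { $findings.Add("BHO enabled in IE: $bhoClsid") }

    # Leftovers named in the cleanup step
    if (Test-Path -LiteralPath 'HKLM:\Software\wms') {
        $findings.Add('registry key present: HKLM\Software\wms')
    }
    # Downloaded Program Files entries are recorded under this key (standard location)
    $dpfKey = "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$dpfClsid"
    if (Test-Path -LiteralPath $dpfKey) { $findings.Add("Downloaded Program Files entry: $dpfClsid") }

    return $findings
}

$results = Test-WhazitIndicators
if ($results.Count -eq 0) {
    Write-Output 'No Whazit indicators found.'
} else {
    $results | ForEach-Object { Write-Output $_ }
}
```

Run it once before following the manual steps to learn which variant and filename you are dealing with, and again after the restart to confirm that the DLL, the CLSID registration and the leftover keys are all gone; if the InProcServer32 line still appears, the regsvr32 /u step did not complete.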