Parasite: Whazit

This record last updated Tue Sep 20 2005 03:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Whazit is an Internet Explorer toolbar and home-/search-/error- page hijacker pointed at its controlling server whazit.com.

Some versions of Whazit also install the nCase parasite.

Variants

Whazit/bho is an early version, always stored under the filename ‘bho.dll’ in the Windows folder.

Whazit/Rnd is similar to the bho variant, but uses random eight-letter filenames.

Whazit/Whattt uses one BHO called ‘whattt.dll’ along with another called either ‘outones.dll’ or ‘newones.dll’.

Whazit/Whattn uses ‘whattn.dll’, and may still have the ‘newones.dll’ left over.

Distribution

Installed by ActiveX drive-by-download to victims clicking links to the OutWar online game, and by the ‘crackz’ sites trinsic.org and cerials.net (who are also LOP distributors).

What it does

Advertising

No.

Privacy violation

Not known.

Security issues

Yes. Whazit can download and execute arbitrary unsigned code from its controlling server, as a self-updating feature.

Stability problems

Yes. On some systems, Whazit/Whattt may open an error window from ‘whaimager’ every time a new Internet Explorer window is opened.

Removal

In the Whazit/Whattt variant, there may be an entry in the Control Panel’s Add/Remove Programs feature for ‘whazit tools’.

Manual removal

bho variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\bho.dll"

Restart the computer and you should be able to delete the file bho.dll from the Windows folder.

Rnd variant

First, you need to find out what the name of the file is. It will be inside the Windows folder, in capitals letters, eight letters long with the extension .DLL. If you can’t find it by looking, try looking in the registry (from Start->Run->regedit) and opening the key HKEY_CLASSES_ROOT\CLSID\{D5B72AED-E54A-11D6-B1B2-444553540000}. Click the ‘InProcServer32’ subkey and the ‘(Default)’ value on the right should tell you the filename.

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, replacing the XXXXXXXX with the relevant letters:

cd "%WinDir%\System"
regsvr32 /u "..\XXXXXXXX.DLL"

Restart the computer and you should be able to delete this file.

Whattt variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\whattt.dll"
regsvr32 /u "..\outones.dll"
regsvr32 /u "..\newones.dll"

(one of the latter two commands should generate an error, because normally only one of the files outones.dll and newones.dll is present at a time.)

Restart the machine and you should be able to delete the whattt.dll and outones.dll/newones.dll files from the Windows folder.

Whattn variant

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\whattn.dll"
regsvr32 /u "..\newones.dll"

Restart the machine and you should be able to delete the whattn.dll and newones.dll files from the Windows folder.

All variants

Having removed the software, you can now reset your home page (from Internet Options->General->Start page) and search pages (from Internet Options->Programs->Reset Web Settings). You can also open the registry (Start->Run->regedit) and delete the key HKEY_LOCAL_MACHINE\Software\wms to clean up if you like. Finally, open Downloaded Program Files in the Windows folder, and delete the entry {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} if you have it.

Links

• Mike Healan’s Whazit analysis at SpywareInfo
• Windows Media Solutions developed Whazit and run an affiliate scheme encouraging webmasters to use their installers.
• Whazit portal