CoolWebSearch
CoolWebSearch (also known as CWS) first appeared in May 2003 and is well known
as a malicious keylogging[1] program which installs itself on Windows-based
computers.
Effects
CoolWebSearch has numerous effects when it is successfully installed on a
user's computer. The program can change an infected computer's web browser
homepage to coolwebsearch.com, and although it was originally thought to work
only on Internet Explorer, recent variants affect Firefox as well as others.
It can also create pop-up ads that redirect to other websites, including
pornography sites, collect private information about users and slow the
speed of infected computers. CoolWebSearch uses innovative techniques to evade
detection and removal, and as such many common spyware removal programs fail to
properly remove the software.
All versions of CoolWebSearch are installed by 'drive-by', in which a computer
browsing a webpage automatically installs CWS. CWS itself attempts to evade
others by not labelling its ads, not providing an EULA, not providing any data
about itself and not having a website. Certain variants insert links on random
text, leading to advertiser websites. The webmasters have no control over
this. Other attempts to visit websites are redirected to false search
engines that carry ads and are used to install more malware. CWS also adds
bookmarks to pornography and gambling sites on the desktop and in the
Bookmarks folder. Certain versions attempt to edit users' trusted sites and
alter security settings, as well as fight back against removal programs. The
CWS.Look2Me variant also hooks into the Windows XP logon system, tracks
visited websites and downloads further malware.
Other variants are named for the effects they have, such as msconfig, Msoffice,
Mupdate, Msinfo and Svchost32.
Creators
The website coolwebsearch.com claims that they are not responsible for the
browser hijacking.[2] They run an affiliate program which pays affiliates to
direct others to their site, which has paid advertising links. Interestingly,
coolwebsearch.com's terms of service use the laws of Quebec, whilst their DNS
registration lists an address in the British Virgin Islands and their web
server appears to be run by HyperCommunications in Massachusetts.
CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to
webcoolsearch.com.
On August 5, 2005, Sunbelt Software reported to the FBI that similar keylogging
software forms part of a massive spyware ring that collects "chat sessions,
user names, passwords, bank information, etc...eBay accounts...highly personal
information".[3][4]
"About:blank" is the generic name for different variants (CWS.Hiddendll,
se.dll, CWS.Homesearch) which hijack the browser, cause pop-ups and reduce
computer speed. This is one of the most common but hardest variants to
remove.[5]
Removal
There are programs such as CWShredder and McAfee's Beta Command-Line Scanner
which can be used to remove the vast majority of CoolWebSearch variants from
infected computers. Windows System Restore can reportedly remove some, but
possibly not all, variants of CoolWebSearch.
Some variants will inject a randomly named .dll file into winlogon.exe, which
cannot be unloaded and has to be deleted upon reboot. The same variants will
also inject a file named "guard.tmp" into rundll32.exe, which can be removed.
With these variants, rundll32.exe will also run a CoolWebSearch .dll upon boot.
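As an added example (not part of the original article or of any removal tool), the following Python code checks a per-process module listing for the two indicators described above: "guard.tmp" loaded in rundll32.exe, and a module in winlogon.exe that is absent from a known-clean baseline. The `tasklist /m /fo csv` column layout, the sample rows, the random DLL name and the baseline list are constructed assumptions.

```python
import csv
import io

# Constructed sample in the assumed layout of `tasklist /m /fo csv`:
# image name, PID, comma-separated module list. Not real capture data.
SAMPLE = '''"Image Name","PID","Modules"
"winlogon.exe","624","ntdll.dll,kernel32.dll,msgina.dll,qkxjtzpa.dll"
"rundll32.exe","1880","ntdll.dll,kernel32.dll,guard.tmp"
"explorer.exe","1432","ntdll.dll,kernel32.dll,shell32.dll"
'''

# Hypothetical baseline: modules seen in winlogon.exe on a known-clean
# machine of the same Windows build. Build this set from your own image.
WINLOGON_BASELINE = {"ntdll.dll", "kernel32.dll", "msgina.dll"}


def find_suspect_modules(listing, winlogon_baseline):
    """Return (image, pid, module, reason) tuples for modules to review."""
    baseline = {m.lower() for m in winlogon_baseline}
    findings = []
    for row in csv.DictReader(io.StringIO(listing)):
        image = row["Image Name"].lower()
        pid = row["PID"]
        for mod in row["Modules"].split(","):
            mod = mod.strip().lower()
            # tasklist reports N/A when it cannot read a process's modules.
            if not mod or mod == "n/a":
                continue
            if image == "rundll32.exe" and mod == "guard.tmp":
                findings.append(
                    (image, pid, mod, "guard.tmp loaded in rundll32.exe"))
            elif image == "winlogon.exe" and mod not in baseline:
                # A randomly named DLL cannot be matched by name, so
                # anything outside the clean baseline is flagged instead.
                findings.append(
                    (image, pid, mod, "module not in winlogon.exe baseline"))
    return findings


if __name__ == "__main__":
    for image, pid, mod, reason in find_suspect_modules(
            SAMPLE, WINLOGON_BASELINE):
        print(f"{image} (PID {pid}): {mod} -> {reason}")
```

A flagged winlogon.exe module is a lead for review rather than a verdict, since legitimate software can also load into that process.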
CoolWebSearch has been reported to download other spyware such as Apropos
Media, DyFuCa, Look2Me and TargetSavers.
Variants
- CWS.Aboutblank
- CWS.Addclass
- CWS.Alfasearch
- CWS.Bootconf
- CWS.Cassandra
- CWS.Control
- CWS.Ctfmon32
- CWS.Datanotary
- CWS.Dnsrelay
- CWS.Dreplace
- CWS.Gonnasearch
- CWS.Googlems
- CWS.Hiddendll
- CWS.Homesearch
- CWS.Loadbat
- CWS.Msconfd
- CWS.Msconfig
- CWS.Msinfo
- CWS.Msoffice
- CWS.Msspi
- CWS.Mupdate
- CWS.Oemsyspnp
- CWS.Olehelp
- CWS.Oslogo
- CWS.Qttasks
- CWS.Q-url3
- CWS.Realyellowpage
- CWS.Searchx
- CWS.Smartfinder
- CWS.Smartsearch
- CWS.Sounddrv
- CWS.Svchost32
- CWS.Svcinit
- CWS.Systeminit
- CWS.Systime
- CWS.Tapicfg
- CWS.Therealsearch
- CWS.Vrape
- CWS.Xmlmimefilter
- CWS.Xplugin
- CWS.Xxxvideo
- CWS.Yexe
- CWS.Winproc32
- CWS.Winres
- CWS.SysTime
- CWS.HomeSearch
- CWS.Look2Me
- CWS.MSFind
Affiliate variants
- CWS.Aff.iedll
- CWS.Aff.Madfinder
- CWS.Aff.Tooncomics
- CWS.Aff.Winshow
External links and References
- Alex Eckelberry (2005). Identity Theft? What to do?. SunBeltBLOG. Mountain View: Google. URL accessed on October 16, 2005.
- The term about:blank, when presented as a web address (URI), is interpreted by most modern web browsers as a command to render a blank HTML page.
- theinternetpatrol.com
- trendmicro.com
- cwsshredder.net
This guide is licensed under the GNU Free Documentation License. It uses
material from the Wikipedia.