Online Advertising

CoolWebSearch

CoolWebSearch (also known as CWS) first appeared in May 2003 and is well known as a malicious keylogging^[1] program which installs itself on Windows based computers.

Effects

CoolWebSearch has numerous effects when it is successfully installed on a users computer. The program can change an infected computer's web browser homepage to coolwebsearch.com, and although originally thought to only work on Internet Explorer, recent variants affect Firefox as well as others. It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers. Coolwebsearch uses innovative techniques to evade detection and removal, and as such many common spyware removal programs fail to properly remove the software.

All versions of CoolWebSearch are installed by 'driveby', in which a computer browsing a webpage automatically installs CWS. CWS itself attempts to evade others by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links on random text, leading to advertiser websites. The webmasters haven't any control over this. Other attempts to travel to websites are redirected to false search engines used to install more malware and carrying ads. CWS also adds bookmarks to pornography and gambling sites on the desktop and in the Bookmarks folder. Certain versions attempt to edit users' trusted sites and twist security settings as well as battle back against removal programs. The CWS.Look2Me variant also hooks into the Windows XP logon system and tracks visited websites as well as downloading further malware. Other variants are named for the effects they have, such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.

Creators

The website coolwebsearch.com claims that they are not responsible for the browser hijacking. ^[2] They run an affiliate program which pays affiliates to direct others to their site which has paid advertising links. Interestingly coolwebsearch.com's terms of service use the laws of Quebec, whilst their DNS registration lists an address in the British Virgin Islands, whilst their web server appears to be run by HyperCommunications in Massachusetts. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com.

In August 5, 2005 Sunbelt Software reported to the FBI that similar keylogging software forms part of a massive spyware ring that collects "chat sessions, user names, passwords, bank information, etc...eBay accounts...highly personal information". ^{[3] [4]})

"About:blank" is the generic name for different variants (CWS.Hiddendll, se.dll, CWS.Homesearch) which hijacks the browser, causes pop ups and reduces computer speed. This is one of the most common but hardest variants to remove. ^[5]

Removal

There are programs such as CWShredder and McAfee's Beta Command-Line Scanner which can be used to remove the vast majority of CoolWebSearch variants from infected computers. The Windows' System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch.

Some variants will create a randomly named .dll file into winlogon.exe, which cannot be unloaded and has to be deleted upon reboot. The same variants will also inject a file named "guard.tmp" into rundll32.exe which can be removed. Rundll32.exe will also run a CoolWebSearch .dll upon boot with these variants.

CoolWebSearch has been reported to download other spywares such as Apropos Media, DyFuCa, Look2Me and TargetSavers.

Variants

1. CWS.Aboutblank
2. CWS.Addclass
3. CWS.Alfasearch
4. CWS.Bootconf
5. CWS.Cassandra
6. CWS.Control
7. CWS.Ctfmon32
8. CWS.Datanotary
9. CWS.Dnsrelay
10. CWS.Dreplace
11. CWS.Gonnasearch
12. CWS.Googlems
13. CWS.Hiddendll
14. CWS.Homesearch
15. CWS.Loadbat
16. CWS.Msconfd
17. CWS.Msconfig
18. CWS.Msinfo
19. CWS.Msoffice
20. CWS.Msspi
21. CWS.Mupdate
22. CWS.Oemsyspnp
23. CWS.Olehelp
24. CWS.Oslogo
25. CWS.Qttasks
26. CWS.Q-url3
27. CWS.Realyellowpage
28. CWS.Searchx
29. CWS.Smartfinder
30. CWS.Smartsearch
31. CWS.Sounddrv
32. CWS.Svchost32
33. CWS.Svcinit
34. CWS.Systeminit
35. CWS.Systime
36. CWS.Tapicfg
37. CWS.Therealsearch
38. CWS.Vrape
39. CWS.Xmlmimefilter
40. CWS.Xplugin
41. CWS.Xxxvideo
42. CWS.Yexe
43. CWS.Winproc32
44. CWS.Winres
45. CWS.Xmlmimefilter
46. CWS.Aboutblank
47. CWS.Systeminit
48. CWS.Sounddrv
49. CWS.Searchx
50. CWS.Realyellowpage
51. CWS.SysTime
52. CWS.HomeSearch
53. CWS.Look2Me
54. CWS.MSFind
55. CWS.Cassandra

Affiliate variants

1. CWS.Aff.iedll
2. CWS.Aff.Madfinder
3. CWS.Aff.Tooncomics
4. CWS.Aff.Winshow

External links and References

1. ↑  Alex Eckelberry (2005). Identity Theft? What to do?. SunBeltBLOG. Mountain View: Google. URL accessed on October 16, 2005.
2. ↑  The term about:blank when presented as a web address (URI) is interpreted by most modern web browsers as a command to render a blank HTML page.
3. theinternetpatrol.com
4. trendmicro.com
5. cwsshredder.net

Home | Up | Keystroke logging | AntiVirus Gold | Bonzi Buddy | C2.LOP | CoolWebSearch | HuntBar | Internet Optimizer | PSGuard | SpyAxe | SpyTrooper | WorldAntiSpy | XXXDial | Zango Messenger | Phone Home | Claria Corporation | Cydoor | New.net

Online Advertising, made by MultiMedia | Free content and software

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.