CoolWebSearch (also known as CWS) first appeared in May 2003 and is well known as a malicious keylogging[1] program which installs itself on Windows-based computers.
Effects
CoolWebSearch has numerous effects once it is successfully installed on a user's computer. The program can change an infected computer's web browser homepage to coolwebsearch.com, and although it was originally thought to affect only Internet Explorer, recent variants affect Firefox and other browsers as well. It can also create pop-up ads that redirect to other websites, including pornography sites, collect private information about users and slow down infected computers. CoolWebSearch uses innovative techniques to evade detection and removal, and as a result many common spyware removal programs fail to remove the software properly.
All versions of CoolWebSearch are installed by 'drive-by' download, in which merely browsing a web page causes CWS to be installed automatically. CWS itself tries to avoid scrutiny by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links into random text on pages, leading to advertiser websites; the webmasters of those pages have no control over this. Other attempts to visit websites are redirected to false search engines that are used to install more malware and that carry ads. CWS also adds bookmarks to pornography and gambling sites on the desktop and in the Bookmarks folder. Certain versions attempt to edit users' trusted sites and alter security settings, as well as fight back against removal programs. The CWS.Look2Me variant also hooks into the Windows XP logon system and tracks visited websites as well as downloading further malware. Other variants are named for the effects they have, such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.
Creators
The website coolwebsearch.com claims that it is not responsible for the browser hijacking. [2] It runs an affiliate program which pays affiliates to direct visitors to its site, which carries paid advertising links. Interestingly, coolwebsearch.com's terms of service are governed by the laws of Quebec, while its DNS registration lists an address in the British Virgin Islands and its web server appears to be run by HyperCommunications in Massachusetts. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com.
On August 5, 2005, Sunbelt Software reported to the FBI that similar keylogging software forms part of a massive spyware ring that collects "chat sessions, user names, passwords, bank information, etc…eBay accounts…highly personal information". [3] [4]
"About:blank" is the generic name for several variants (CWS.Hiddendll, se.dll, CWS.Homesearch) which hijack the browser, cause pop-ups and reduce computer speed. It is one of the most common variants, and one of the hardest to remove. [5]
Removal
Programs such as CWShredder and McAfee's Beta Command-Line Scanner can be used to remove the vast majority of CoolWebSearch variants from infected computers. Windows' System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch.
Some variants inject a randomly named .dll file into winlogon.exe, which cannot be unloaded and has to be deleted upon reboot. The same variants also inject a file named "guard.tmp" into rundll32.exe, which can be removed. With these variants, rundll32.exe will also run a CoolWebSearch .dll upon boot.
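Defender-side triage for the indicators this section and the Effects section describe (homepage set to coolwebsearch.com, a hijacker domain added to the trusted sites zone, a rundll32.exe autorun loading a DLL at boot, and guard.tmp or a randomly named .dll sitting inside rundll32.exe or winlogon.exe), written here as an added Python example; it is not from the original article, nor from CWShredder or any other tool the article names. It reads text exports rather than the live system, so it runs anywhere. The registry paths are real Windows locations and ZoneMap zone 2 is the real Trusted sites zone; everything else (the sample export, file names such as kqfxd.dll and xvtqm.dll, and the winlogon module baseline) is constructed.

```python
"""Triage of CoolWebSearch-style browser-hijack indicators (added example).

Inputs are a REG-export-style registry dump and a per-process module list,
the kind of text a defender exports from a suspect host. All sample data
below is constructed; only guard.tmp is a name taken from the article.
"""
import re
from pathlib import PureWindowsPath

# Real Windows registry locations a browser hijacker edits.
HOMEPAGE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")
TRUSTED_SITES_ZONE = "dword:00000002"  # ZoneMap zone 2 = Trusted sites
HIJACK_DOMAINS = ("coolwebsearch.com", "coolwebsearch.org", "webcoolsearch.com")

# Constructed, deliberately short allowlist of modules winlogon.exe loads on
# a clean host; a real baseline is captured from a known-good image.
WINLOGON_BASELINE = {"winlogon.exe", "ntdll.dll", "kernel32.dll", "msgina.dll"}

MODULE_LINE = re.compile(r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<module>.+)$")


def parse_reg_export(text):
    """Turn a REG-export-style dump into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def check_registry(text):
    """Return findings for the registry-side indicators the article describes."""
    findings, keys = [], parse_reg_export(text)
    # Homepage redirected to the hijacker's search site.
    for name, data in keys.get(HOMEPAGE_KEY, {}).items():
        if any(domain in data.lower() for domain in HIJACK_DOMAINS):
            findings.append(f"homepage: {name} -> {data}")
    # rundll32.exe autorun loading a DLL from a temp location or a .tmp file
    # at boot (a heuristic: legitimate rundll32 autoruns exist too).
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            low = cmd.lower()
            if "rundll32" in low and (".tmp" in low or "\\temp\\" in low):
                findings.append(f"autorun: {name} -> {cmd}")
    # Hijacker domain added to the Trusted sites zone.
    for key, values in keys.items():
        if key.lower().startswith(ZONEMAP_DOMAINS.lower() + "\\"):
            domain = key.rsplit("\\", 1)[1].lower()
            if domain in HIJACK_DOMAINS and TRUSTED_SITES_ZONE in values.values():
                findings.append(f"trusted-sites: {domain}")
    return findings


def check_modules(text, winlogon_baseline=WINLOGON_BASELINE):
    """Flag .tmp images loaded as modules and DLLs in winlogon.exe not in baseline."""
    findings = []
    for raw in text.splitlines():
        m = MODULE_LINE.match(raw.strip())
        if not m:
            continue
        proc, path = m["proc"].lower(), PureWindowsPath(m["module"])
        if path.suffix.lower() == ".tmp":
            findings.append(f"module: {proc} loaded non-DLL image {path}")
        elif proc == "winlogon.exe" and path.name.lower() not in winlogon_baseline:
            findings.append(f"module: winlogon.exe loaded unexpected {path}")
    return findings


# Constructed sample exports; names other than guard.tmp are hypothetical.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.coolwebsearch.com/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"kqfxd"="rundll32.exe C:\WINDOWS\Temp\kqfxd.dll,DllMain"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
"*"=dword:00000002
"""

SAMPLE_MODULES = r"""
winlogon.exe    640  C:\WINDOWS\system32\msgina.dll
winlogon.exe    640  C:\WINDOWS\system32\xvtqm.dll
rundll32.exe   1188  C:\WINDOWS\system32\kernel32.dll
rundll32.exe   1188  C:\WINDOWS\system32\guard.tmp
"""


def triage(reg_text=SAMPLE_REG, module_text=SAMPLE_MODULES):
    """Combine both checks; an empty list means no indicator was found."""
    return check_registry(reg_text) + check_modules(module_text)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On a real host the inputs would come from `reg export` of the keys above and a module listing, and the winlogon baseline from a known-clean image of the same Windows build. The script is a heuristic to decide whether a removal tool needs to be run; it does not remove anything itself.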
CoolWebSearch has been reported to download other spyware such as Apropos Media, DyFuCa, Look2Me and TargetSavers.
Variants
- CWS.Aboutblank
- CWS.Addclass
- CWS.Alfasearch
- CWS.Bootconf
- CWS.Cassandra
- CWS.Control
- CWS.Ctfmon32
- CWS.Datanotary
- CWS.Dnsrelay
- CWS.Dreplace
- CWS.Gonnasearch
- CWS.Googlems
- CWS.Hiddendll
- CWS.Homesearch
- CWS.Loadbat
- CWS.Msconfd
- CWS.Msconfig
- CWS.Msinfo
- CWS.Msoffice
- CWS.Msspi
- CWS.Mupdate
- CWS.Oemsyspnp
- CWS.Olehelp
- CWS.Oslogo
- CWS.Qttasks
- CWS.Q-url3
- CWS.Realyellowpage
- CWS.Searchx
- CWS.Smartfinder
- CWS.Smartsearch
- CWS.Sounddrv
- CWS.Svchost32
- CWS.Svcinit
- CWS.Systeminit
- CWS.Systime
- CWS.Tapicfg
- CWS.Therealsearch
- CWS.Vrape
- CWS.Xmlmimefilter
- CWS.Xplugin
- CWS.Xxxvideo
- CWS.Yexe
- CWS.Winproc32
- CWS.Winres
- CWS.Look2Me
- CWS.MSFind
Affiliate variants
- CWS.Aff.iedll
- CWS.Aff.Madfinder
- CWS.Aff.Tooncomics
- CWS.Aff.Winshow
Links and References
- Alex Eckelberry (2005). "Identity Theft? What to do?". SunbeltBLOG. Mountain View: Google. URL accessed on October 16, 2005.
- The term about:blank, when presented as a web address (URI), is interpreted by most modern web browsers as a command to render a blank HTML page.
- theinternetpatrol.com
- trendmicro.com
- cwsshredder.net
This article is licensed under the GNU Free Documentation License. It uses material from Wikipedia.