
CoolWebSearch

CoolWebSearch (also known as CWS) first appeared in May 2003 and is well known as a malicious keylogging[1] program which installs itself on Windows-based computers.

Effects

CoolWebSearch has numerous effects once it is successfully installed on a user’s computer. The program can change an infected computer’s web browser homepage to coolwebsearch.com, and although it was originally thought to work only on Internet Explorer, recent variants affect Firefox as well as other browsers. It can also create pop-up ads that redirect to other websites, including pornography sites, collect private information about users, and slow down infected computers. CoolWebSearch uses innovative techniques to evade detection and removal, and as a result many common spyware removal programs fail to remove the software completely.

All versions of CoolWebSearch are installed by “drive-by” download, in which simply browsing a web page causes CWS to be installed automatically. CWS itself attempts to avoid scrutiny by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links into random text on pages, leading to advertiser websites; the webmasters of the affected pages have no control over this. Other attempts to visit websites are redirected to fake search engines that carry ads and are used to install more malware. CWS also adds bookmarks to pornography and gambling sites on the desktop and in the Bookmarks folder. Certain versions attempt to edit users’ trusted sites and tamper with security settings, as well as fight back against removal programs. The CWS.Look2Me variant also hooks into the Windows XP logon system and tracks visited websites, as well as downloading further malware. Other variants are named for the effects they have, such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.
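As an added example (not part of the original article), the following read-only PowerShell audit checks the three settings the text says CWS rewrites: the Internet Explorer home/search page, the Trusted Sites zone, and the Favorites folder. The domain list contains the names the article mentions; the registry paths are the standard IE locations and are assumed to be unchanged on the machine being checked.

```powershell
# Added example: audit IE settings and Favorites for CWS-style hijacking (read-only).
# Domains below are the ones named in the article; extend the list as needed.
$SuspectDomains = @('coolwebsearch.com', 'coolwebsearch.org', 'webcoolsearch.com')

function Test-SuspectUrl([string]$Url) {
    foreach ($d in $SuspectDomains) { if ($Url -like "*$d*") { return $true } }
    return $false
}

# 1. Home page / search page hijack (HKCU values IE reads at start-up)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Local Page') {
    $val = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -and (Test-SuspectUrl $val)) { Write-Warning "IE '$name' = $val" }
}

# 2. Domains added to the Trusted Sites zone (zone id 2). Each domain is a subkey under
#    ZoneMap\Domains, sub-domains nest as further subkeys, and per-scheme values hold the zone id.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
Get-ChildItem -Path $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($scheme in 'http', 'https', '*') {
        if ($key.GetValue($scheme) -eq 2) {
            # rebuild "sub.domain.tld" from the nested key path (deepest key is the leftmost label)
            $parts = ($key.Name -split 'Domains\\', 2)[1] -split '\\'
            [array]::Reverse($parts)
            Write-Warning "Trusted Sites entry ($scheme): $($parts -join '.')"
        }
    }
}

# 3. Favorites (.url files are INI-style text with a URL= line) pointing at the same domains
$fav = [Environment]::GetFolderPath('Favorites')
Get-ChildItem -Path $fav -Filter *.url -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $m = Select-String -Path $_.FullName -Pattern '^URL=(.+)$' | Select-Object -First 1
    if ($m) {
        $target = $m.Matches[0].Groups[1].Value
        if (Test-SuspectUrl $target) { Write-Warning "Favorite '$($_.Name)' -> $target" }
    }
}
```

Every finding is only a warning for a human to review; the script changes nothing.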

Creators

The website coolwebsearch.com claims that they are not responsible for the browser hijacking. [2] They run an affiliate program which pays affiliates to direct others to their site which has paid advertising links. Interestingly coolwebsearch.com’s terms of service use the laws of Quebec, whilst their DNS registration lists an address in the British Virgin Islands, whilst their web server appears to be run by HyperCommunications in Massachusetts. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com.

On August 5, 2005, Sunbelt Software reported to the FBI that similar keylogging software forms part of a massive spyware ring that collects “chat sessions, user names, passwords, bank information, etc…eBay accounts…highly personal information”. [3] [4]

“About:blank” is the generic name for several variants (CWS.Hiddendll, se.dll, CWS.Homesearch) which hijack the browser, cause pop-ups and reduce computer speed. This is one of the most common but hardest variants to remove. [5]

Removal

There are programs such as CWShredder and McAfee’s Beta Command-Line Scanner which can be used to remove the vast majority of CoolWebSearch variants from infected computers. Windows System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch.

Some variants inject a randomly named .dll file into winlogon.exe; because winlogon.exe runs for the whole session, the file cannot be unloaded and has to be deleted on reboot. The same variants also inject a file named “guard.tmp” into rundll32.exe, which can be removed. With these variants, rundll32.exe will also load a CoolWebSearch .dll at boot.
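The following PowerShell is an added example, not code from the article or from any removal tool it names: it lists the modules loaded into winlogon.exe and rundll32.exe, flags any that sit outside System32, lack a valid Authenticode signature or carry the guard.tmp name, and shows the supported way to delete a file that is still mapped into winlogon.exe, by asking the kernel (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) to remove it during the next boot. It assumes an elevated session, since reading winlogon’s module list needs administrator rights.

```powershell
# Added example: find suspect DLLs in winlogon.exe / rundll32.exe and queue removal at reboot.
function Find-SuspectModule {
    param([string[]]$ProcessName = @('winlogon', 'rundll32'))
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            $inSystem32 = $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            $sig = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
            # guard.tmp is the file name the article attributes to some CWS variants
            if (-not $inSystem32 -or $sig -ne 'Valid' -or $m.ModuleName -ieq 'guard.tmp') {
                [pscustomobject]@{ Process = $proc.ProcessName; Pid = $proc.Id
                                   Module = $path; Signature = $sig }
            }
        }
    }
}

# A DLL mapped into winlogon.exe cannot be unloaded while Windows runs. MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT (0x4) and a null destination records the path in
# PendingFileRenameOperations, and Session Manager deletes the file early in the next boot.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileAtReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path': $([ComponentModel.Win32Exception]$err)"
    }
    Write-Host "Queued for deletion at next boot: $Path"
}

# Usage: review the findings first, then queue only files confirmed to be malicious.
Find-SuspectModule | Format-Table -AutoSize
# Remove-FileAtReboot -Path "$env:SystemRoot\System32\<random-name>.dll"   # placeholder path
```

Unsigned or catalog-signed system files can appear in the listing on older Windows versions, so treat the output as a shortlist for review rather than a verdict.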

CoolWebSearch has been reported to download other spyware such as Apropos Media, DyFuCa, Look2Me and TargetSavers.

Variants

  1. CWS.Aboutblank
  2. CWS.Addclass
  3. CWS.Alfasearch
  4. CWS.Bootconf
  5. CWS.Cassandra
  6. CWS.Control
  7. CWS.Ctfmon32
  8. CWS.Datanotary
  9. CWS.Dnsrelay
  10. CWS.Dreplace
  11. CWS.Gonnasearch
  12. CWS.Googlems
  13. CWS.Hiddendll
  14. CWS.Homesearch
  15. CWS.Loadbat
  16. CWS.Msconfd
  17. CWS.Msconfig
  18. CWS.Msinfo
  19. CWS.Msoffice
  20. CWS.Msspi
  21. CWS.Mupdate
  22. CWS.Oemsyspnp
  23. CWS.Olehelp
  24. CWS.Oslogo
  25. CWS.Qttasks
  26. CWS.Q-url3
  27. CWS.Realyellowpage
  28. CWS.Searchx
  29. CWS.Smartfinder
  30. CWS.Smartsearch
  31. CWS.Sounddrv
  32. CWS.Svchost32
  33. CWS.Svcinit
  34. CWS.Systeminit
  35. CWS.Systime
  36. CWS.Tapicfg
  37. CWS.Therealsearch
  38. CWS.Vrape
  39. CWS.Xmlmimefilter
  40. CWS.Xplugin
  41. CWS.Xxxvideo
  42. CWS.Yexe
  43. CWS.Winproc32
  44. CWS.Winres
  45. CWS.Look2Me
  46. CWS.MSFind

Affiliate variants

  1. CWS.Aff.iedll
  2. CWS.Aff.Madfinder
  3. CWS.Aff.Tooncomics
  4. CWS.Aff.Winshow

Links and References

  1. Alex Eckelberry (2005). Identity Theft? What to do?. SunBeltBLOG. Mountain View: Google. URL accessed on October 16, 2005.
  2. The term about:blank when presented as a web address (URI) is interpreted by most modern web browsers as a command to render a blank HTML page.
  3. theinternetpatrol.com
  4. trendmicro.com
  5. cwsshredder.net

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.
