CoolWebSearch

CoolWebSearch (also known as CoolWWWSearch or abbreviated as CWS) is a well-known spyware program that installs itself on Microsoft Windows-based computers. It first appeared in May 2003.

Effects

CoolWebSearch has numerous effects when it is successfully installed on a user's computer.[1] The program can change an infected computer's web browser homepage to coolwebsearch.com, and although originally thought to only work on Internet Explorer, recent variants affect Mozilla Firefox as well as others. It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers.

CoolWebSearch uses innovative techniques to evade detection and removal, and as a result many common spyware removal programs fail to properly remove the software.[2]

Some versions of CoolWebSearch can be installed through drive-by installation, in which a computer browsing a webpage automatically installs CWS. CWS itself attempts to evade others by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links on random text, leading to advertiser websites. Other attempts to access websites are redirected to pay-per-click search engines that may install more malware and display ads. Some variants of CWS also add links to pornography and gambling sites to the user's Desktop and to Internet Explorer's bookmarks and history. Certain versions attempt to edit users' trusted sites and modify security settings, as well as to hide from removal programs. Variants are often named for the effects they have, such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.

Possible creators

The coolwebsearch.com website claims that its operators are not responsible for the browser hijacking. They run an affiliate program that pays affiliates to direct others to their site with paid advertising links. Coolwebsearch.com's terms of service use the laws of Quebec, Canada, whilst their DNS registration lists an address in the British Virgin Islands, and their web server appears to be run by HyperCommunications in Massachusetts, USA. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com. The names of the creators currently remain unknown.

Variants

  1. CWS.Aboutblank
  2. CWS.Addclass
  3. CWS.Alfasearch
  4. CWS.Bootconf
  5. CWS.CameUp
  6. CWS.Cassandra
  7. CWS.Control
  8. CWS.Ctfmon32
  9. CWS.Datanotary
  10. CWS.Dnsrelay
  11. CWS.Dreplace
  12. CWS.Gonnasearch
  13. CWS.Googlems
  14. CWS.Hiddendll
  15. CWS.Homesearch
  16. CWS.Loadbat
  17. CWS.Look2Me
  18. CWS.Msconfd
  19. CWS.Msconfig
  20. CWS.MSFind
  21. CWS.Msinfo
  22. CWS.Msoffice
  23. CWS.Msspi
  24. CWS.Mupdate
  25. CWS.Oemsyspnp
  26. CWS.Olehelp
  27. CWS.Oslogo
  28. CWS.Qttasks
  29. CWS.Q-url3
  30. CWS.Realyellowpage
  31. CWS.Searchx
  32. CWS.Smartfinder
  33. CWS.Smartsearch
  34. CWS.Sounddrv
  35. CWS.Svchost32
  36. CWS.Svcinit
  37. CWS.Systeminit
  38. CWS.Systime
  39. CWS.Tapicfg
  40. CWS.Therealsearch
  41. CWS.Vrape
  42. CWS.Winproc32
  43. CWS.Winres
  44. CWS.Xmlmimefilter
  45. CWS.Xplugin
  46. CWS.Xxxvideo
  47. CWS.Yexe

Affiliate variants

  1. CWS.Aff.iedll
  2. CWS.Aff.Madfinder
  3. CWS.Aff.Tooncomics
  4. CWS.Aff.Winshow

References

  1. Spyware:Win32/Coolwebsearch.H entry at Microsoft's 'Malware Protection Center'
  2. "...many of the Cool Web Search variants can prevent the other anti-spyware programs from doing their job correctly...", "Dealing with an infected PC", Charlie Russel, Microsoft MVP