A lengthy description of numerous symptoms caused by the CoolWebSearch trojan is listed below.
A discussion about Smartsearch.ws homepage hijacking (a CoolWebSearch variant) is located in the forums with several solutions.
Current Updates:
As of June 28, 2004 Merijn has abandoned updating CoolWebShredder, the only utility known to remove most CoolWebSearch variants.
Its growing complexity and the difficulty of removing the latest CoolWebSearch variants, coupled with decreasing time available, have culminated in the decision to stop updating CoolWebShredder. With a little over 2700 emails waiting to be answered it's not hard to see why. In addition to his overflowing inbox, the latest variants of CoolWebSearch are nearly impossible to remove with an automated tool. If you are the victim of the latest round of CoolWebSearch trojans you may be able to get additional help removing it by visiting Spywareinfo.com, which also mirrors the Merijn site. If the site is inaccessible, wait a while and try again. As the host of the Merijn site, it is unfortunately subject to frequent DDoS attacks from CoolWebSearch.
Related article: CoolWebSearch is Winning the Trojan War
Operating Systems Affected:
CoolWebSearch successfully attacks Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP and Windows Me.
CoolWebSearch and its variants will not affect Windows 3.x, Macintosh, OS/2, UNIX, or Linux.
Description:
CoolWebSearch is a particularly virulent scumware program that commonly hijacks the browser and redirects a visitor to either CoolWebSearch or any of its affiliates. It is considered to be a 'crossbred' strain of scumware because it has the characteristics of both scumware and a trojan virus. Although it appears to be a scumware program, effectively disguising its true nature, it is technically coded as a trojan. This makes detection of CoolWebSearch extremely difficult at times. McAfee Security provides a good definition of a trojan:
"A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses."
The difficulty in removing CoolWebSearch has increased with each release of the latest strain.
Common variants and updates:
- One of the most common variants of the CoolWebSearch trojan is one that directs users to the smartsearch.ws homepage. On February 2, 2004 the smartsearch.ws domain name was shut down and redirections to that site turned up blank pages. Relief was short lived: on February 8, 2004 that name was changed to MagicSearch.ws and the scumbags happily continued to distribute this trojan.
- During the period of February 11 - 14, 2004 the Merijn site as well as a few other anti-spyware sites were inaccessible due to a massive DDoS attack. Updates for CoolWebShredder and other general functions of the site were unavailable. The site has since moved to new hosting to prevent a recurrence of the problem. All old links should work unless directly referenced by an IP address. (June 28, 2004 - CoolWebSearch continues to target the site. If it is inaccessible keep trying.)
Aliases:
Depending on the anti-virus solution used, CoolWebSearch may or may not be detected under any of a variety of names. Following is a list of some aliases utilized by different anti-virus programs. **Please note that I am not 100% confident that the list below is accurate for all variants of CoolWebSearch. Based on the descriptions available I suspect that they are. If you have updated information about whether or not the following are variants of CoolWebSearch please let me know.**:
- Win32.Startpage.C
- Trojan.Win32.StartPage.d
- Trojan:Win32/StartPage.C
- Troj/StartPageD
- W32/Linkadd.A (Norman)
- JS.CSSPopup.B
- JScript/IEstart.Trojan
- Win32/IEstart.Trojan
- SPYW_COOLWEB.A
- Exploit-ByteVerify
- Java/Shinwow.F.Blackbox.Trojan
- JS.Exception.Exploit
- Trojan.Bootconf
- Trojan.Qhosts.A
- Trojan.Qhosts.B
- JAVA_BYTEVER.A
- JS_FORTNIGHT.B
- JAVA_JJBLACK.C
- Trojan.ByteVerify
How do you get it?
As this particularly nasty little program has grown in complexity, the ability of CoolWebSearch to insinuate itself on your PC has grown along with it. Although at one time CoolWebSearch was little more than a nuisance and a fake stylesheet, recent strains have proved to be more difficult to both detect and remove. Currently it is suspected that CoolWebSearch is distributed by pop-up ads which exploit known security holes in Microsoft Windows. A good description of this exploit is provided by Merijn.org:
This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.
The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.
As a result, the best prevention you have against CoolWebSearch is keeping up to date with the security patches and updates available from Microsoft.
Details:
CoolWebSearch redirects users to various affiliate sites. At this time the following sites are known to be affiliated with well known strains of CoolWebSearch:
193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, alfa-search.com, allhyperlinks.com, activexupdate.com, approvedlinks.com, bannedhost.net, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwebsearch., coolwwwsearch., couldnotfind.com, defaultsearch.net, dev.ntcor.com, drvvv.com, ehttp.cc, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, globesearch.com, gonnasearch.com, gratis-porn-movie.com, hardloved.com, idgsearch.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, luckysearch.net, madfinder.com, martfinder.com, mature50.com, mommykiss.com, mywebsearch.net, nkvd.us, noblindlinks.com, nocensor.com, ok-search.com, omega-search.com, pedo.ws, runsearch.com, search-2003.com, search2004.net, search.thestex.com, search.xrenoder.com, searchdesire.com, searchdot.net, searchnow.ws, searchv.com, searchxp.com, sharempeg.com, sixroads.com, slawsearch.com, slotch.com, smart-finder.biz, start-space.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, therealsearch.com, tooncomics.com, topsearcher.com, umaxsearch.com, unipages.cc, vrape.hardloved.com, web-search.tk, white-pages.ws, windoww.cc, xwebsearch.biz, youfindall.com, youfindall.net, yourbookmarks.info, and yourbookmarks.ws (*Some sites from the above list provided by SpyWareInfo.)
Although this list seems extensive, the domain names above are only a partial listing. At the present
time over 1000 domains are known to be affiliates of CoolWebSearch and the list is growing on a daily basis.
Depending on the CoolWebSearch variant installed, any of the following symptoms may appear either by themselves or in combination with other problems:
Problems in Internet Explorer:
- Massive slowdowns of Internet Explorer
- Illegible URLs or addresses in Internet Explorer
- Redirections to alternate sites when mistyping URLs
- Startpage & search page changed on reboot or changed to any one of the affiliate sites
- Start page and/or search pages changed to activexupdate.com in the Internet Explorer Trusted Zone
- Popups with 'enhanced results' when doing searches on Google, Yahoo and Altavista
- Redirections to any one of the affiliate sites
- 'Customize Search Assistant' closing after opening
- Slow scrolling in IE
- Homepage changed to 'http:///'
- Redirections to "run search" when mistyping URLs or to *.masspass.com
- Internet Explorer pages hijacked to ie-search.com
- Tons of bookmarks added to IE Favorites
- Browser Helper Object (BHO) added to Internet Explorer called 'winshow.dll' or 'BrowserHelper.dll'
Problems with Adult Content:
- Redirections to a variety of adult sites, telephone dialers etc.
- Bookmarks to porn sites added to the favorites list (including potential child porn links)
- Adult sites appearing incomplete in Internet Explorer
- Redirections with mistyped URLs to adult sites
- Targets of hyperlinks on websites changed to porn sites
Problems with Windows:
- After rebooting, CWS variants are reloaded
- Errors indicating a missing file called 'msinfo.exe'
- Errors from the file 'info32.exe'
- Errors from the files 'iedll.exe' or 'loader.exe' on startup
- Message about a 'runtime error' at startup
- DOS window flashing by at system startup
- Fake error message about the file 'msconfd.dll' at startup
- Anti-spyware removal tools and programs closing a few seconds after opening
Obviously, considering the extensive list above, the problems encountered with the CWS trojan and its variants are widespread.
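Several of the symptoms above (start and search page pointing at an affiliate, the empty 'http:///' homepage, affiliate sites added to the Trusted zone, a BHO called winshow.dll or BrowserHelper.dll) are visible in the registry, so they can be checked from an exported registry fragment rather than by eye. The following Python script is an added example, not part of the original article and not code from CoolWebShredder or Merijn's site: it parses REGEDIT4-style export text, compares the Internet Explorer start/search page values, ZoneMap trusted-zone entries and Browser Helper Object registrations against a subset of the affiliate domains and file names listed on this page, and reports each match. The .reg text embedded in it is constructed to show those symptoms; the CLSID in it is a made-up placeholder, and the registry paths are the standard IE 6-era locations of these settings.

```python
"""Audit an Internet Explorer registry export for the CoolWebSearch symptoms
described above: start/search page pointing at a known affiliate, the empty
'http:///' homepage, affiliate domains placed in the Trusted sites zone, and a
Browser Helper Object backed by winshow.dll or BrowserHelper.dll.
Added example; the .reg text at the bottom is constructed, not a real infection.
"""
import re
from urllib.parse import urlsplit

# Subset of the affiliate domains listed on this page. The page writes
# 'coolwebsearch.' and 'coolwwwsearch.' without a TLD, so those are matched
# as prefixes, and the '*.masspass.com' symptom is matched as a suffix.
AFFILIATES = {
    "smartsearch.ws", "magicsearch.ws", "activexupdate.com", "ie-search.com",
    "cool-web-search.com", "runsearch.com", "search.xrenoder.com", "searchv.com",
}
AFFILIATE_PREFIXES = ("coolwebsearch.", "coolwwwsearch.")
AFFILIATE_SUFFIXES = (".masspass.com",)
# BHO file names named in the symptom list.
SUSPICIOUS_BHO_DLLS = {"winshow.dll", "browserhelper.dll"}

# Standard IE 6-era locations of the settings in question.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
TRUSTED_ZONE = 2  # ZoneMap dword value for the Trusted sites zone


def decode_value(raw):
    """Decode a quoted string (with \\ escapes) or a dword:XXXXXXXX value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Parse REGEDIT4-style export text into {key: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})   # keep keys that carry no values (BHO CLSID keys)
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        keys[current][name] = decode_value(m.group(2))
    return keys


def is_affiliate(host):
    """True if host is, or is under, one of the listed affiliate domains."""
    host = host.lower().rstrip(".")
    bare = host[4:] if host.startswith("www.") else host
    if host in AFFILIATES or bare.startswith(AFFILIATE_PREFIXES):
        return True
    if host.endswith(AFFILIATE_SUFFIXES):
        return True
    return any(host.endswith("." + a) for a in AFFILIATES)


def audit(keys):
    """Return (category, where, detail) tuples for each CWS symptom found."""
    findings = []
    main = keys.get(IE_MAIN, {})
    for name in ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"):
        url = main.get(name)
        if url is None:
            continue
        if url == "http:///":                      # the 'http:///' homepage symptom
            findings.append(("empty-homepage", name, url))
        elif is_affiliate(urlsplit(url).hostname or ""):
            findings.append(("affiliate-url", name, url))
    for key, values in keys.items():
        if key.startswith(ZONEMAP + "\\"):        # affiliate placed in Trusted sites
            domain = key[len(ZONEMAP) + 1:]
            if is_affiliate(domain) and any(v == TRUSTED_ZONE for v in values.values()):
                findings.append(("trusted-zone", domain, "zone %d" % TRUSTED_ZONE))
        elif key.startswith(BHO_ROOT + "\\"):     # BHO whose DLL is on the symptom list
            clsid = key[len(BHO_ROOT) + 1:]
            dll = keys.get(CLSID_ROOT + "\\" + clsid + r"\InprocServer32", {}).get("@", "")
            if dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SUSPICIOUS_BHO_DLLS:
                findings.append(("bho", clsid, dll))
    return findings


# Constructed sample export; the CLSID is a placeholder, not a real one.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http:///"
"Search Page"="http://www.smartsearch.ws/search.php?qq=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\activexupdate.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\winshow.dll"
"""

if __name__ == "__main__":
    for category, where, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{category:15} {where}: {detail}")
```

On a real machine the relevant keys would be exported with regedit and the file's contents passed to `parse_reg`. A hit in the trusted-zone or BHO category is the stronger signal: a changed start page on its own looks the same as a homepage the user chose, which is why the affiliate list is used to qualify it.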
How does it Violate Privacy?
In order to insinuate itself on your PC the CWS trojan will hide itself from a user, stay resident in the background, show advertisements, make changes to browser settings and connect to the internet by itself to self update. In the process it may collect information about your PC, track information with cookies and/or transfer personally identifiable information. In addition to the above, adding sites to Internet Explorer's trusted zone means that the site can download and install any code on your PC without consent.
Are there any known security issues?
CWS variants are capable of automatically self updating and installing software and services on your computer, and some variants install a 'mini server' on your PC.
Stability problems:
There are a variety of stability problems depending on the version installed. CWS can cause a marked decrease in PC performance, lock-ups, reboots and error messages. Please see the "Details" section for a more in depth listing of problems.
Additional Notes:
In general, an average install of the CWS program will install a wide variety of damaging files, modify the registry and generally make life difficult.
Simple removal with most general scumware and spyware removal programs will not remove all CWS variants, and not all anti-virus solutions will detect it.
Terminating CWS:
Please be careful when attempting to remove CWS: some variants such as CWS.Msspi will hook the LSP chain. Incorrect removal (simply deleting the inserted dll) will result in lost network and Internet connections. (Courtesy of PestPatrol)
To fully remove the CWS trojan and all of its variants the best solution is a program called CoolWebShredder. Manual removal can be close to impossible with some variants, but if you feel adventurous please visit the Cool Web Chronicles, which details each variant in great length. For these reasons manual removal instructions are not provided here.
To remove CWS and its variants you can download the CoolWebShredder program here: http://www.merijn.org/downloads.html. If you find his program useful please donate so that Merijn can continue his work.
There are a few known problems with removing this, so read the following carefully if you're still having troubles:
- If you are unable to visit Merijn's site the direct download link for the program is **http://216.180.233.153/~merijn/files/CWShredder.exe** This link is currently not working as the site changes hosts. I will update this with a current link when it becomes available. This problem is caused by a CWS variant known as either CWS.Aff.Tooncomics or CWS.Dreplace.
- If your anti-spyware removal program is closing before starting you will have to download and run PepiMK's CoolWWWSearch.SmartKiller removal tool first, before running the CoolWebShredder program to remove CWS variants.
- If you get an error in Windows stating "MSVBVM60.DLL missing" you'll need to get the updated runtime libraries for Microsoft Visual Basic 6 first.
After removing the program you may also have to restore your Internet Explorer settings to return your
PC to its operating state before the CWS variant hijacked your browser. In order to do this, please
follow the steps below:
- Open up Internet Explorer.
- Select "Tools> Internet Options" from the Internet Explorer menu.
- Navigate and choose the "Programs" tab.
- Select the "Reset Web Settings" button. After choosing this button the "Reset Web Settings" dialog box will appear.
- Scroll down and make sure that "Also reset my home page" box is checked.
- Select "Yes" and click "Ok".
The above procedure will reset all of the default settings in Internet Explorer, including the default home page and search page. Please note that this will not necessarily reset your homepage to a customized site; if you had previously chosen another site you will have to set it again yourself.
This article was written with substantial help from the site of Merijn Bellekom, a student in the Netherlands who has dedicated his time to tracking this trojan.
For additional information on CoolWebSearch please visit the following sites:
- Virus Information Center
- Spyware Info CWS article
- Symantec Security Response
- Trend MicroSystems Virus Information
- Microsoft Security Bulletin MS03-011: Flaw in Microsoft VM Could Enable System Compromise (816093)
- What You Should Know About Microsoft Security Bulletin MS03-011: Security Update for Microsoft Virtual Machine