General News
Weekly Spyware Alert: CoolWebSearch

August 18, 2003
By: Webroot Software Development Team
eXtremeTech


Variants: This spyware is morphing at a rapid rate. Below, variants and their estimated appearance date are listed in reverse chronological order.

DNSRelay.dll – August 7, 2003
Svchost32 – August 3, 2003
Oemsyspnp – July 29, 2003
Msspi.dll – July 28, 2003
Vrape – July 20, 2003
OSLogo.bmp – July 10, 2003
Bootconf – July 6, 2003
Datanotary – May 27, 2003

Description: CoolWebSearch is a name given to a wide range of different browser hijackers. The code is very different between variants, but all are currently used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The alarming trend with this hijacker is rapid metamorphosis and the increasing difficulty of removal. Some documented behaviors associated with each variant include:

DNSRelay.dll - Implemented as an IE URL hook. Hijacks address bar search phrases, as well as any site name entered into the address bar without a leading 'http://' or 'www', redirecting them to a search page at activexupdate.com (a CWS site that redirects through yellow2.com to allhyperlinks.com).
Svchost32 - Hosts file hijacker that uses a laundering technique to avoid detection by anti-hijacker tools. Targeted sites (Yahoo Search, MSN Search and all countries' versions of Google) are set in the Hosts file to point to 'localhost' (127.0.0.1). Because most local hosts are not running a web server, this results in an error page that is hijacked to the CWS site slawsearch.com.
Oemsyspnp - Hides inside the 'inf' folder usually used for storing device driver information. Its hijacker file is run on each startup, using a slightly different install command each time. Hijacks home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com and adds activexupdate.com to the IE 'Safe Sites' list.
Msspi.dll - Implemented as a Winsock2 Layered Service Provider. Hijacks search results and targets Google, Yahoo and Altavista, showing popups that advertise bogus enhanced results and lead to advertising from unipages.cc.
OSLogo.bmp - IE start and search pages are changed to several dozen different sites affiliated with CoolWebSearch. Over 80 domains that are known CWS have appeared in users' logs.
Bootconf - Also employs a CSS stylesheet, but hijacks the homepage and all search settings to coolwebsearch.com. Site names are scrambled using URL-encoding to make them difficult to read. Bootconf.exe is set to run on every start-up, reestablishing the hijack. CoolWebSearch is added to the IE 'Safe Sites' list.
Datanotary - First known variant, hijacks to datanotary.com. Places a CSS stylesheet in the Windows folder and sets it as the default stylesheet for all pages viewed in IE. Embedded JavaScript code then tries to guess when a user is viewing pornographic images.
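Two of the behaviors above leave traces a defender can check for directly: the Svchost32 variant maps Google, Yahoo Search and MSN Search to 127.0.0.1 in the Hosts file, and the Bootconf variant hides its start-page target behind URL-encoding. The following Python is an added example, not code from the article or from Webroot; the Hosts file path, the domain patterns, the list of CWS domains (taken from the names mentioned in this alert) and the sample Hosts content are constructed for the demonstration.

```python
"""Audit a Windows Hosts file for search domains pointed at loopback, and
decode a URL-encoded IE start page to see which host it really targets.

Added example; domain patterns, CWS domain list and sample data are
assumptions constructed for this demo, not data from the article.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Search sites the alert names as Hosts-file targets (Google in any country
# TLD, Yahoo Search, MSN Search). Patterns are assumptions for the demo.
SEARCH_DOMAIN_PATTERNS = [
    re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$"),
    re.compile(r"^(www\.|search\.)?yahoo\.com$"),
    re.compile(r"^(www\.|search\.)?msn\.com$"),
]

# Domains mentioned in the alert as CoolWebSearch-affiliated.
KNOWN_CWS_DOMAINS = {
    "coolwebsearch.com", "datanotary.com", "slawsearch.com",
    "activexupdate.com", "adulthyperlinks.com", "allhyperlinks.com",
    "unipages.cc", "yellow2.com",
}

# Constructed sample standing in for C:\Windows\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.google.com
127.0.0.1 google.co.uk  # hijacked
 127.0.0.1   search.yahoo.com
127.0.0.1 search.msn.com
0.0.0.0 ads.example.invalid
192.168.1.5 intranet
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip malformed line
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_search_domain(name):
    return any(p.match(name) for p in SEARCH_DOMAIN_PATTERNS)


def find_hijacked(text):
    """Entries that map a search domain to a loopback or unspecified address,
    the pattern the Svchost32 variant uses to force an error page."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if is_search_domain(name) and (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, name))
    return flagged


def start_page_target(value):
    """Percent-decode a start/search page setting and return its hostname."""
    decoded = unquote(value).strip()
    if "://" not in decoded:
        decoded = "http://" + decoded
    return (urlsplit(decoded).hostname or "").lower()


def is_known_cws(host):
    host = host.lower()
    return host in KNOWN_CWS_DOMAINS or any(
        host.endswith("." + d) for d in KNOWN_CWS_DOMAINS)


if __name__ == "__main__":
    for ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"suspect hosts entry: {name} -> {ip}")
    # Constructed, URL-encoded start page value of the kind Bootconf writes.
    scrambled = "http://%63%6f%6f%6c%77%65%62%73%65%61%72%63%68%2e%63%6f%6d/"
    host = start_page_target(scrambled)
    print(f"start page decodes to {host}; known CWS: {is_known_cws(host)}")
```

On a real machine you would read the Hosts file from its system path and the start page from IE's registry settings instead of the embedded sample; the checks themselves do not change.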

Method of Infection: CoolWebSearch is suspected to be installed by pop-ups exploiting security holes in IE. However, to date, no one has caught a live CWS installer.

Privacy Issues: None reported

Security Issues: In the Bootconf variant, coolwebsearch.com is added to IE's Trusted Sites Zone, allowing it to download and install any code it likes.

Stability Issues: DataNotary and BootConf variants may cause significant slowdown when typing in a browser window on some systems (particularly when entering information into forms). The SvcHost variant prevents you from completely reaching Google or the search services of MSN or Yahoo.

Removal Process: Manual removal is possible for most of the variants, but can be time consuming. As of this writing, most anti-spyware programs aren't currently addressing all variants.

Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch and has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically. To access both, visit The CoolWebSearch Chronicles.

Vendor: www.CoolWebSearch.com

Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.
Posted on Friday, 22 August 2003 @ 05:10:00 EDT by phoenix22
Re: Weekly Spyware Alert: CoolWebSearch
by rondawn on Thursday, 08 April 2004 @ 03:48:42 EDT
I had a problem after installing a new printer. When I tried to use one of the printer's functions, an error message would say Epson has encountered an error and must close. Then another program had the same issue. After a little looking, the problem was with kern 32. Everyone told me I had to reformat and do a complete install. That being done, I now wonder if I had a worm or whatever else is out there. Any thoughts? Ron