|
The CoolWebSearch Chronicles
|
This is an article which details the variants of the browser hijacker
known as CoolWebSearch (CWS). In the last few months, the people behind this
name have succeeded in becoming (IMHO) an even bigger nuisance than
the now infamous Lop.
The difficulty of removing CWS from a user's system has grown from slightly
tricky in the first variant to virtually impossible for the latest few.
Some of the variants even used methods of hiding and running themselves
that had never been used before in any other spyware strains.
The chronological order in which the CWS variants appeared is detailed here, along
with the approximate dates when they appeared online. However, since
the evil programmers of CWS have released over two dozen versions of
their hijacker on the advertising market in such a short time, and are
crunching out new ones steadily practically every week, this document
might be out of date at times.
The CWShredder tool to remove
Coolwebsearch will always be up to date and is updated as fast as
possible when new variants emerge.
Document last updated: April 17, 2004
|
|
CWS.Datanotary
|
Variant 1: CWS.Datanotary - Introduction to Destruction
Approx date first sighted:
May 27, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8661
Symptoms: Massive IE slowdown, especially when typing text
into forms
Cleverness: 9/10
Manual removal difficulty: Very easy, if you know
where to look
Identifying lines in HijackThis log:
O19 - User stylesheet: c:\windows\my.css
|
The first variant of CoolWebSearch wasn't even identified as such. There were only
several threads of users experiencing enormous slowdowns in IE when typing messages into
text boxes. Delays of over a minute before the typed text appeared were reported.
Also, some redirections to www.datanotary.com were reported.
The solution to this problem took a while to surface, but after a few weeks (which is
pretty long) someone reported the problem going away when going into IE Options,
Accessibility and disabling the 'Use My Stylesheet' option. After that, the fake
stylesheet file could be deleted.
The hijack installed a stylesheet that exploited a flaw in Internet Explorer which allowed
a .css stylesheet file to execute JavaScript code. The code in the file was encrypted,
and spawned a popup off-screen that did the redirecting. However, this file was called
on almost every action taken in IE, slowing it down - this was most obvious when
typing text.
|
|
CWS.Bootconf
|
Variant 2: CWS.Bootconf - Evolution
Approx date first sighted:
July 6, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=7821
Symptoms: Massive IE slowdown, illegible URLs in IE Options, redirections
when mistyping URLs, start page & search page changed on reboot
Cleverness: 8/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%63/%78%31%2e%63%67%69?%36%35%36%33%38%37
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e%63%67%69?%36%35%36%33%38%37
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37 about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://yourbookmarks.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O19 - User stylesheet: C:\WINNT\default.css
|
After HijackThis had built-in support for decrypting the URLs:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?100 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?100 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.jetseeker.com/ffeed.php?term=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
|
The second variant resembled the first in only one way: it used the exact same
.css stylesheet file. But it took the hijack one step further by not only changing the
IE start page and search pages, but changing them to illegible hexcode garbage.
Only when this code was deciphered did it become clear that CoolWebSearch was behind
all this. It almost seemed as if they let Datanotary take the stylesheet exploit hijack for
a test ride before using it themselves.
The hijack further involved redirecting the default 'server not found' page to the
CoolWebSearch portal homepage by editing the Hosts file, and reloading the entire
hijack when the machine was rebooted using a bootconf.exe file that was started with
Windows. We also started to see some pages which seemed to be affiliates of CWS, since almost
all their links led to www.coolwebsearch.com.
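The 'hexcode garbage' in the Registry values above is plain percent-encoding of ordinary ASCII. The following added example (not code from the original article or from HijackThis) parses R0/R1 lines in the shape shown above, decodes the values, and tags a value as obfuscated when it percent-encodes characters that never needed escaping, which is how a genuine '%s' search placeholder is told apart from a hidden destination. The sample log is constructed from the excerpts above and deliberately keeps the line-wrap spaces a forum paste adds.

```python
"""Decode the percent-encoded ("hexcode garbage") IE start/search URLs that
CWS.Bootconf wrote to the Registry, as HijackThis later learned to do.

Added example: not code from the original article or from HijackThis.  The
R0/R1 line shape is taken from the log excerpts above; the sample log is
constructed from them and keeps the line-wrap spaces a forum paste adds.
"""
import re
from urllib.parse import unquote

# "R1 - HKCU\...\Internet Explorer\Main,Search Bar=http://..." -> kind, key, value name, raw value
LINE_RE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]*?)\s*=\s*(.*)$")
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# Characters a browser URL carries literally.  Percent-encoding these hides the
# destination from a human reading the Registry; it does not escape anything.
PLAIN_URL_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/:?#@!$&'()*+,;="
)


def unwrap(raw: str) -> str:
    """Rejoin escapes split by line wrapping ("% 63", "%2e %63"); real escapes never contain spaces."""
    raw = re.sub(r"%\s+", "%", raw)
    return re.sub(r"(%[0-9A-Fa-f]{2})\s+(?=%)", r"\1", raw)


def is_obfuscated(raw: str) -> bool:
    """True when some %XX escape encodes a character that needed no escaping at all."""
    return any(chr(int(m.group(1), 16)) in PLAIN_URL_CHARS for m in ESCAPE_RE.finditer(raw))


def parse_line(line: str):
    """Split one HijackThis R0-R3 line; returns None for any other line type."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, key, name, raw = m.groups()
    raw = unwrap(raw)
    return {
        "kind": kind,
        "key": key,
        "name": name,
        "raw": raw,
        "decoded": unquote(raw),       # %77%77%77 -> www; a literal "%s" is left alone
        "obfuscated": is_obfuscated(raw),
    }


def decode_log(lines):
    """Decoded R-lines of a HijackThis log, in log order."""
    return [entry for entry in map(parse_line, lines) if entry]


def report(entries):
    """One human-readable line per entry, tagged the way HijackThis does."""
    return [
        f"{e['kind']} - {e['key']},{e['name']} = {e['decoded']}"
        + (" (obfuscated)" if e["obfuscated"] else "")
        for e in entries
    ]


# Constructed sample: two CWS.Bootconf values as logged above, one ordinary
# search string whose "%s" placeholder must survive, and one non-R line.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://%77%77%77%2e "
    r"%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%62/%78%31%2e %63%67%69?%36%35%36%33%38%37",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://%77%77%77%2e% "
    r"63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e %63%67%69?%36%35%36%33%38%37 about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchxp.com/search.php?qq=%s",
    r"O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe",
]

if __name__ == "__main__":
    for line in report(decode_log(SAMPLE_LOG)):
        print(line)
```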
|
|
CWS.Oslogo
|
Variant 3: CWS.OSLogo.bmp - Send in the affiliates
Approx date first sighted:
July 10, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8210
Symptoms: Massive IE slowdowns
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={S...201058341631385
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O4 - HKLM\..\Run: [sysPnP] C:\WINNT\System32\bootconf.exe
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
|
After HijackThis was updated for a few tricks CWS used, a new variant surfaced that
showed CWS was just getting started. The filename of the user stylesheet changed into
one that didn't even look like a stylesheet on the outside, but got accepted by IE
anyway. Two domains were added to the Trusted Zone to ensure CWS could do its dirty
work and install any updates if they ever became available.
But most of all, IE start and search pages started getting changed to several dozen
different sites that were all affiliated to CWS. There didn't seem to be an end to the
flow of different domains users were hijacked to. When I write this, over 80 domains
are known CWS affiliates - and all appeared in users' logs.
|
|
CWS.Msspi
|
Variant 4: CWS.Msspi - Let's get dangerous
Approx date first sighted:
July 28, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9170
Symptoms: Popups with 'enhanced results' when doing searches on Google,
Yahoo and Altavista
Cleverness: 9/10
Manual removal difficulty: Impossible, I kid you not
Identifying lines in HijackThis log:
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
|
At about this time, the variant appeared that was the hardest to remove. Users started
reporting that when they went to Google, Yahoo or Altavista to search for something,
popups appeared that (most of the time) advertised bogus 'enhanced results'. This
was the one and only symptom.
After looking over the log, it was quickly concluded the msspi.dll file was to blame.
One expert took the file apart and found several key URLs that were monitored, and
when he changed them to bogus URLs the popups were gone.
However, the file hooked into the Winsock LSP chain, which lies deep in the
bowels of Windows and is one of the hardest parts of Windows to manipulate. Only
a very small selection of spyware used this method of infection, and incorrect
removal left a computer with a broken Internet connection that could not be fixed
even by reinstalling Windows.
Luckily there were one or two tools that could fix a broken Internet connection due to
this problem. LSPFix was the one used most
since it allowed direct editing of the LSP chain.
|
|
CWS.Vrape
|
Variant 5: CWS.Vrape - Mix and mangle
Approx date first sighted:
July 20, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9067
Symptoms: Redirections to vrape.hardloved.com on virtually anything done
in IE, as well as redirections to adult sites, dialers, etc
Cleverness: 5/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s=
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s=
|
Perhaps the most widely spread variant of CoolWebSearch, this one was a nightmare for
the average user. It combined several hijacking methods, along with random redirections
to porn pages, portals and even adult dialers.
The hijack covered most of IE, and a user was left to sit helplessly and watch as almost
his every move was redirected to vrape.hardloved.com. One strange thing about this hijack
though, is that it operated alone: it didn't use any affiliates and even redirected other
adult sites to its own site. It has only been connected with CWS since it appeared
together with it in a few logs.
The only good thing about this variant is that the domain hardloved.com has been offline
for more than half a week at the time of writing. It is unknown whether this is because
of the sheer amount of users being routed to their site, DoS attacks by irate users,
account termination because of violation of their host's user agreement, or something else.
|
|
CWS.Oemsyspnp
|
Variant 6: CWS.Oemsyspnp - Pure genius
Approx date first sighted:
July 29, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=8643
Symptoms: Start page/search pages changed to allhyperlinks.com,
activexupdate.com in the IE Trusted Zone, reloading of the hijack on some
reboots.
Cleverness: 10/10
Manual removal difficulty: Involves a bit of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemVideoPnP 128 oemsyspnp.inf
|
This variant was spotted almost by sheer luck, since it used the same Registry value,
'SysPnp', as the second variant (Bootconf). This was a very clever hijack that disguised
itself as a driver update. When the computer was started, there was a 1 in 5 chance
that the hijack was reinstalled and changed the IE start page and search pages to
allhyperlinks.com.
However, once the hijack was identified, it was easy to stop: only the autostarting
oemsyspnp.inf file had to be disabled using MSConfig, and then it could be safely
deleted.
CWS.Oemsyspnp.2:
A mutation of this variant exists that uses the filename
keymgr3.inf, and the Registry value keymgrldr instead.
CWS.Oemsyspnp.3:
A mutation of this variant exists that uses the filename
drvupd.inf, and the Registry value drvupd instead.
It hijacks to searchforge.com.
|
|
CWS.Svchost32
|
Variant 7: CWS.Svchost32 - Evading detection
Approx date first sighted:
August 3, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=1027
Symptoms: Redirections to slawsearch.com when accessing Google, searching on
Yahoo or mistyping a URL
Cleverness: 10/10
Manual removal difficulty: Involves a process killer
Identifying lines in HijackThis log:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.slawsearch.com
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"
|
This variant of CWS focused solely on evading existing detection tools. What was visible
in a HijackThis log wasn't nearly all of it. The hijack installed dozens of redirections
from international Google domains and the MSN and Yahoo search engines to a webserver running
on the user's own machine. The webserver even had the seemingly unsuspicious filename
'svchost32.exe' to look like the Windows system file 'svchost.exe'. Any time a user
accessed Google, searched with Yahoo or mistyped a URL, he was redirected to
slawsearch.com.
Fixing this hijack involved using a process killer to stop the webserver process, and
editing the Hosts file to remove the Google/Yahoo/MSN redirections.
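Several variants above abuse the Hosts file: Bootconf and Tapicfg point auto.search.msn.com at an address written as a plain decimal number (which inet_addr() accepts), Vrape pins a dozen sites to one IP, and Svchost32 sends search engines to a webserver on the user's own machine. The following added example (not code from the original article) audits hosts-file lines, or the 'O1 - Hosts:' lines HijackThis prints, for exactly those three patterns; the watched-domain list and cluster threshold are this example's own choices, and the sample is constructed from the O1 lines quoted above.

```python
"""Audit a Windows hosts file for the redirections the CWS variants above install:
auto.search.msn.com pointed at a decimal-form address (Bootconf, Tapicfg), a dozen
sites pinned to one IP (Vrape), and search engines sent to a webserver on the
user's own machine (Svchost32).

Added example, not code from the original article.  The sample below is
constructed from the O1 lines quoted above plus an ordinary localhost entry; the
watched-domain list and cluster threshold are this example's own choices.
"""
import ipaddress
from collections import defaultdict

# Hostnames a hijacker has no business re-pointing.  Substring match is deliberate
# so that international Google domains and search subdomains are caught as well.
WATCHED = ("auto.search.msn.com", "sitefinder.verisign.com", "google.", "yahoo.", "altavista.")
CLUSTER_MIN = 3   # unrelated hostnames on one non-loopback address: the Vrape pattern


def normalize_ip(token: str) -> str:
    """Dotted-quad form for the notations inet_addr() accepts: dotted, plain decimal, hex."""
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))
    if token.lower().startswith("0x"):
        return str(ipaddress.IPv4Address(int(token, 16)))
    return str(ipaddress.IPv4Address(token))


def parse_hosts(lines):
    """Yield (dotted_ip, hostname, ip_as_written) from hosts-file lines or HijackThis O1 lines."""
    for line in lines:
        text = line.split("#", 1)[0].strip()          # drop comments
        if text.startswith("O1 - Hosts:"):
            text = text[len("O1 - Hosts:"):].strip()
        parts = text.split()
        if len(parts) < 2:
            continue
        try:
            ip = normalize_ip(parts[0])
        except ValueError:          # AddressValueError is a ValueError: not a hosts entry
            continue
        for host in parts[1:]:
            yield ip, host.lower(), parts[0]


def audit_hosts(lines):
    """Return findings as dicts with 'ip', 'host' and 'reason'; an empty list means nothing suspicious."""
    findings = []
    by_ip = defaultdict(list)
    for ip, host, written in parse_hosts(lines):
        by_ip[ip].append(host)
        if any(w in host for w in WATCHED):
            reason = "search/portal domain re-pointed"
            if written != ip:
                reason += f" (address written as {written})"
            if ipaddress.IPv4Address(ip).is_loopback:
                reason += " (to a server on this machine)"
            findings.append({"ip": ip, "host": host, "reason": reason})
    for ip, hosts in by_ip.items():
        if len(hosts) >= CLUSTER_MIN and not ipaddress.IPv4Address(ip).is_loopback:
            findings.append({"ip": ip, "host": ",".join(hosts),
                             "reason": f"{len(hosts)} hostnames pinned to one address"})
    return findings


# Constructed sample mixing the O1 lines shown above with a normal localhost entry.
SAMPLE_HOSTS = [
    "# hosts file header comment",
    "127.0.0.1       localhost",
    "1123694712 auto.search.msn.com",
    "65.77.83.222 thehun.com",
    "65.77.83.222 madthumbs.com",
    "65.77.83.222 thumbzilla.com",
    "127.0.0.1 www.google.com",
    "O1 - Hosts: 213.159.117.233 sitefinder.verisign.com",
]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['ip']:16} {f['host']:28} {f['reason']}")
```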
|
|
CWS.Dnsrelay
|
Variant 8: CWS.DNSRelay - Hey, that wasn't here before!
Approx date first sighted:
August 7, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9074
Symptoms: Redirections to allhyperlinks.com when omitting 'www' from an
URL typed in IE
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\System32\dnsrelay.dll
|
A very clever hijack that uses a method never used before by any other hijacker: this
variant monitored all URLs entered into the IE Address bar, and redirected any URL
not starting with 'www' to allhyperlinks.com. The hijack isn't very widespread, and is
also pretty hard to spot. Luckily, fixing it requires only deleting one Registry value
and one file.
CWS.Dnsrelay.2:
A mutation of this variant exists which uses the filename
ASTCTL32.OCX instead.
CWS.Dnsrelay.3:
A mutation of this variant exists which uses the filename
mswsc10.dll instead, which is located in C:\Program
Files\Common Files\Web Folders. It hijacks IE to payfortraffic.net.
It also adds a custom stylesheet (like CWS.Bootconf)
located at C:\Program Files\Internet Explorer\Readme.txt.
(This file is not present on uninfected systems.) It uses a Registry value
named nvstart to re-register the main
mswsc10.dll file on startup.
CWS.Dnsrelay.4:
A mutation of this variant exists that is like CWS.Dnsrelay.3,
but uses the filename mswsc20.dll instead, located at the same
place. It hijacks IE to gofreegalleries.com, adds the same custom stylesheet, and
uses the hosts file to hijack numerous sites to allhyperlinks.com.
|
|
CWS.Msinfo
|
Variant 9: CWS.Msinfo - running out of ideas
Approx date first sighted:
August 22, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=9933
Symptoms: Redirection to Global-Finder.com, hijack reappearing when
rebooting, possible errors about a missing file 'msinfo.exe'.
Cleverness: 6/10
Manual removal difficulty: Involves lots of Registry editing and some
.ini file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
|
This variant, using a file called 'msinfo.exe' to reinstall the hijack on a reboot,
appears to have several versions. The first one seemed to malfunction often,
as seen in the 'first sighted' link where the file wasn't actually installed, but
the reference to it was. The second version probably fixed this a few days later,
since people started surfacing that had been hijacked by this thing. Lastly, the
third version appeared together with a slightly mutated variant #2 (bootconf.exe).
MSINFO.EXE is installed in a Windows folder where the legitimate MSINFO32.EXE
file also resides. It is run from win.ini, a method rarely used by programs nowadays. It
sets nearly all IE Start and Search pages to URLs at out.true-counter.com, and
reinstates these whenever the system is restarted. Fixing this variant involves
resetting all the Registry values changed for IE, editing the autorun values in
win.ini and the Registry, and deleting the two files.
|
|
CWS.Ctfmon32
|
Variant 10: CWS.Ctfmon32 - SlawSearch part II
Approx date first sighted:
September 22, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=11886
Symptoms: Start page and Search pages changed to www.slawsearch.com,
'Customize Search Assistant' closing after opening it, hijack coming back after
a reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.slawsearch.com/autosearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slawsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.slawsearch.com/autosearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"
|
This variant surfaced after a quiet time. CWShredder could fix it,
but it would return after rebooting the computer. Apart from the new
filename 'CTFMON32.EXE' (note that 'CTFMON.EXE' is the real Windows
system file) it worked pretty much the same way as CWS.Bootconf:
the file loads at startup, resetting homepages and search pages, and
then closes. Deleting the file and changing everything back to normal
fixes it.
|
|
CWS.Tapicfg
|
Variant 11: CWS.Tapicfg - Msinfo part 2
Approx date first sighted:
September 21, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=2075
Symptoms: Slow scrolling in IE, redirections to luckysearch.net, hijack
returning on reboot, info32.exe errors.
Cleverness: 8/10
Manual removal difficulty: Involves quite
some Registry editing, win.ini editing and hosts file editing. The style sheet
files are marked read-only, system and hidden.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?oaoca (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?oaoca (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\SYSTEM\tapicfg.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css
|
This hijack consists of only one file, which duplicates itself in two places (info32.exe
and tapicfg.exe) and acts differently depending on its filename. It drops two
style sheets on the system, hijacks to acc.count-all.com, which redirects to luckysearch.net,
and reinstalls the hijack on each reboot. The hosts file redirection also hijacks any
mistyped domains to luckysearch.net.
Though having a file decide its actions from its own filename is very bad programming,
it surprised me somewhat how well it works.
CWS.Tapicfg.2:
A mutation of this variant exists that uses the filename soundmx.exe,
and hijacks IE to globe-finder through a redirection page at in.webcounter.cc. Possibly the same
file is loaded as fntldr.exe from WIN.INI. A hosts file redirection of
auto.search.msn.com to globe-finder is installed. Two custom stylesheets named
tips.ini and hh.htt are installed.
|
|
CWS.Svcinit
|
Variant 12: CWS.Svcinit - Sneaky little fellow
Approx date first sighted:
September 10, 2003
Log reference: Reconstruction
Symptoms: Homepage changed to xwebsearch.biz and 'http:///',
hijack returning on reboot or even sooner.
Cleverness: 9/10
Manual removal difficulty: Involves lots of Registry editing,
ini file editing and a process killer.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\SVCINIT.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:////
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKLM\..\Run: [mssys] C:\WINDOWS\mssys.exe
|
Additional identifying line in StartupList log:
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe
|
This variant was somewhat surprising, because fixing all the items in HijackThis
didn't remove it completely - it came back after a reboot (on Windows 2000 and XP).
Only after a user had posted a StartupList log did it become clear that this hijacker
used yet another method of running at boot, besides the two visible in
the HijackThis log. Terminating the running process and deleting the three
autorun values fixed it. Also, mssys.exe is possibly involved
in this hijack.
CWS.Svcinit.2:
A mutation of this variant exists, which uses the filename
svcpack.exe instead. It hijacks to http:/// (sic) and uses the same
autostarting methods as the first version. Possibly it also drops the file
SVCHOST.OLD for unknown purposes.
CWS.Svcinit.3:
Possibly, a mutation of this variant exists, which hijacks to xwebsearch.biz and
http:/// (sic), as well as installing a hosts file redirection of several dialer sites
to searchmeup.com.
CWS.Svcinit.4:
A mutation of this variant exists, that hijacks IE to sex.free4porno.net, and adds porn bookmarks
to the IE Favorites and on the desktop. It reinstalls from a file
c:\windows\svchost.exe (not a valid Windows system file, which is in the system32 folder),
running at startup using the name Online Service. It also uses the
trojan file msin32.dll for unknown reasons.
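A recurring trick in the variants above is an autostart entry that imitates a Windows system file: svchost32.exe for svchost.exe, ctfmon32.exe for ctfmon.exe, msinfo.exe beside the genuine msinfo32.exe, a svchost.exe in the Windows folder instead of system32, and a second program chained onto UserInit or Shell. The following added example (not code from the original article, HijackThis or StartupList) checks O4/F0/F1/F2 and UserInit lines for those patterns; GENUINE is a small hypothetical allow-list for the demonstration, not a complete Windows inventory, and the sample lines are constructed from the log excerpts above.

```python
"""Flag autostart entries that imitate Windows system files, the trick several CWS
variants above rely on: svchost32.exe for svchost.exe, ctfmon32.exe for ctfmon.exe,
msinfo.exe beside the genuine msinfo32.exe, a svchost.exe outside system32, and a
second program chained onto UserInit or Shell.

Added example, not code from the original article, HijackThis or StartupList.  The
sample lines are constructed from the log excerpts above; GENUINE is a small
hypothetical allow-list for the demonstration, not a complete Windows inventory.
"""
import re

# Genuine Windows binaries the hijackers mimic, with the folder each normally lives in.
GENUINE = {
    "svchost.exe": "system32",
    "ctfmon.exe": "system32",
    "msinfo32.exe": "msinfo",
    "userinit.exe": "system32",
    "explorer.exe": "windows",
}

# Every .exe reference in an O4 / F0 / F1 / F2 / UserInit line: a full path or a bare filename.
EXE_RE = re.compile(r'[A-Za-z]:\\[^\s",]+\.exe|\b[\w.-]+\.exe', re.IGNORECASE)
# Shell= and UserInit= name exactly one program on a clean system.
CHAINED_RE = re.compile(r".*\b(shell|userinit)\s*=", re.IGNORECASE)


def lookalike_of(name: str):
    """The genuine binary a filename imitates by adding or dropping '32', or None."""
    stem = name.lower()[:-len(".exe")]
    for real in GENUINE:
        real_stem = real[:-len(".exe")]
        if stem == real_stem:
            return None                       # the real thing, not a lookalike
        if stem.replace("32", "") == real_stem.replace("32", ""):
            return real
    return None


def audit_autostart(lines):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in lines:
        text = line.strip()
        paths = EXE_RE.findall(text)
        names = [p.rsplit("\\", 1)[-1].lower() for p in paths]

        def add(reason):
            # the bracketed O4 name and the path often repeat the same filename
            if (text, reason) not in findings:
                findings.append((text, reason))

        if CHAINED_RE.match(text) and len(paths) > 1:
            add(f"extra program chained after {names[0]}: {names[-1]}")
        for path, name in zip(paths, names):
            imitated = lookalike_of(name)
            if imitated:
                add(f"{name} imitates {imitated}")
            elif name in GENUINE and "\\" in path:
                folder = path.rsplit("\\", 2)[-2].lower()
                if folder != GENUINE[name]:
                    add(f"{name} outside its normal folder ({folder})")
    return findings


# Constructed from the HijackThis / StartupList lines quoted above; the last one is genuine.
SAMPLE_AUTOSTART = [
    r'O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\SYSTEM\svchost32.exe"',
    r'O4 - HKLM\..\Run: [CTFMON32.EXE] "C:\WINDOWS\System32\ctfmon32.exe"',
    r"F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe",
    r"O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe",
    r"UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\System32\svcinit.exe",
    r"F0 - system.ini: Shell=explorer.exe mupdate.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

if __name__ == "__main__":
    for entry, reason in audit_autostart(SAMPLE_AUTOSTART):
        print(f"{reason:58} <- {entry}")
```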
|
|
CWS.Msoffice
|
Variant 13: CWS.Msoffice - HTA exploit revisited
Approx date first sighted:
October 12, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13362
Symptoms: Homepage changed to searchdot.net, hijack coming back
after a reboot, slow scrolling and text typing in IE.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing,
and using a command prompt to delete the files.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
|
This variant uses a .hta script file to reinstall the hijack on a reboot. The msoffice.hta
file is hard to find because the Fonts folder is a special folder for Windows, set up to
hide all files in it that are not font files. Thus, a command prompt is needed to be able
to see and delete the file. Deleting the file and resetting the IE home and search pages
fixes the hijack.
CWS.Msoffice.2:
A mutation of this variant exists that hijacks IE to sexpatriot.net and royalsearch.net,
installs a hosts file hijack of two porn sites to 64.246.33.179, and reinstalls through
a file named fonts.hta using the name AdobeFonts.
CWS.Msoffice.3:
A mutation of this variant exists that hijacks IE to supersearch.com and hugesearch.net,
and reinstalls through a file named fonts.hta using the name TrueFonts. It also changes the DefaultPrefix and WWW Prefix to redirect
all URLs through hugesearch.net.
|
|
CWS.Dreplace
|
Variant 14: Dreplace - Just a BHO... OR IS IT?
Approx date first sighted:
October 12, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13497
Symptoms: Redirections to xwebsearch.biz and 213.159.117.233,
hijack returning on reboot
Cleverness: 3/10 , 10/10 on second version
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
O1 - Hosts: 213.159.117.233 sitefinder.verisign.com
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
|
This variant installs a BHO with unknown purpose, though it's probable the BHO is
there to ensure xwebsearch.biz is set as your homepage on reboot. It redirects the
Verisign Sitefinder, so all mistyped domains are redirected to 213.159.117.233.
CWS.Dreplace.2: There is a second version of this variant that
used the most dastardly trick I have ever seen in a piece of malware. It changed the
dreplace.dll so fixing it with either HijackThis or CWShredder
will cause your entire system to fail on Windows 98, 98SE and ME! The hijack is
the same as the first version for almost all other aspects, and both HijackThis and
CWShredder have been updated to circumvent the problem.
|
|
CWS.Mupdate
|
Variant 15: Mupdate - Turning up everywhere
Approx date first sighted:
October 13, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=13613
Symptoms: Homepage changing to searchv.com, redirections to runsearch
when mistyping URLs, *.masspass.com in the Trusted Zone, hijack returning
on a reboot.
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and
lots of ini file editing.
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchv.com/search.html
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O15 - Trusted Zone: *.masspass.com
|
This variant isn't very common, but it makes up for this by being very persistent.
It is run from three places at boot, as well as merging a .reg file
that reinstalls the hijack and adding an adult site to the Trusted Zone. It also
redirects any mistyped domains to runsearch.com.
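The indicators listed for CWS.Mupdate (an extra program on the system.ini Shell= line, a win.ini run= entry, a hosts-file redirect, a Run entry that silently merges a .reg file, a Trusted Zone addition) are all things a parser can pick out of a HijackThis log mechanically. The triage script below is an added example, not code from this article, from HijackThis or from CWShredder; it parses the R0/R1, F0/F1/F2, O1, O4, O13 and O15 line shapes quoted in these write-ups and applies one rule per persistence trick. The sample log is constructed from the lines above plus one benign QuickTime entry whose path is assumed, and the domain list only contains hijack destinations named in this article.

```python
"""HijackThis log triage (added example; not code from the article, from
HijackThis or from CWShredder).  It parses the line prefixes quoted in these
variant write-ups (R0/R1, F0/F1/F2, O1, O4, O13, O15) and flags the
persistence tricks CWS.Mupdate combines: extra programs on the system.ini
Shell= line, a win.ini run= entry, a hosts-file redirect to a remote address,
a Run entry that silently merges a .reg file, a URL prefix other than
http:// and additions to the Trusted Zone."""
import re
from dataclasses import dataclass

# Addresses a hosts entry may legitimately point a name at (blocking, not redirecting).
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hijack destinations named in the article; extend as new variants appear.
CWS_DOMAINS = {"searchv.com", "rightfinder.net", "idgsearch.com", "2020search.com",
               "alfa-search.com", "ie-search.com", "start-space.com", "webcoolsearch.com"}

# Constructed sample: the CWS.Mupdate lines from the article plus one benign
# QuickTime entry (assumed path) and one CWS.Addclass prefix line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
F0 - system.ini: Shell=explorer.exe mupdate.exe
F1 - win.ini: run=mupdate.exe
F2 - REG:system.ini: Shell=explorer.exe mupdate.exe
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe
O13 - DefaultPrefix: http://ehttp.cc/?
O15 - Trusted Zone: *.masspass.com
"""

@dataclass
class Finding:
    rule: str
    detail: str
    line: str

def parse_line(line):
    """Split a HijackThis line into its tag ('O4') and body ('HKLM\\..\\Run: [sys] ...')."""
    m = re.match(r"^([RFO]\d+)\s*-\s*(.*?)\s*$", line)
    return (m.group(1), m.group(2)) if m else None

def hostname(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()

def check_line(line):
    parsed = parse_line(line)
    if not parsed:
        return []
    tag, body = parsed
    found = []
    if tag in ("F0", "F2"):
        # system.ini (or its Registry equivalent) should start explorer.exe and nothing else
        m = re.search(r"Shell=(.*)", body, re.I)
        extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"] if m else []
        if extra:
            found.append(Finding("shell_extra_program", " ".join(extra), line))
    elif tag == "F1":
        # a win.ini run=/load= entry has no legitimate use on a modern system
        m = re.search(r"\b(run|load)=(.+)", body, re.I)
        if m and m.group(2).strip():
            found.append(Finding("win_ini_autorun", m.group(2).strip(), line))
    elif tag == "O1":
        m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", body)
        if m and m.group(1) not in LOCAL_ADDRESSES:
            found.append(Finding("hosts_redirect", f"{m.group(2)} -> {m.group(1)}", line))
    elif tag == "O4":
        m = re.match(r".*?:\s*\[(.*?)\]\s*(.*)", body)
        if m and re.search(r"\bregedit(\.exe)?\s+[/-]s\b", m.group(2), re.I):
            found.append(Finding("silent_reg_merge", m.group(2), line))
    elif tag == "O13":
        m = re.match(r"(.*?Prefix):\s*(.*)", body, re.I)
        if m and m.group(2).strip().lower() not in ("", "http://"):
            found.append(Finding("url_prefix_hijack", f"{m.group(1)} = {m.group(2)}", line))
    elif tag == "O15":
        m = re.match(r"Trusted Zone:\s*(.*)", body)
        if m:
            found.append(Finding("trusted_zone_addition", m.group(1), line))
    elif tag in ("R0", "R1"):
        m = re.search(r"=\s*(\S+)", body)
        if m:
            host = hostname(m.group(1))
            if any(host == d or host.endswith("." + d) for d in CWS_DOMAINS):
                found.append(Finding("known_cws_domain", host, line))
    return found

def triage(log_text):
    return [f for line in log_text.splitlines() for f in check_line(line)]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

Run against the sample, the script reports nine findings and stays silent on the QuickTime entry; the one rule that needs local judgement is the Trusted Zone one, since a corporate intranet may legitimately add sites there.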
|
|
CWS.Addclass
|
Variant 16: CWS.Addclass - Halloween edition
Approx date first sighted:
October 30, 2003
Log reference:
http://forums.techguy.org/showthread.php?threadid=175680
Symptoms: Redirections through ehttp.cc before reaching pages,
IE homepage/searchpage changing to rightfinder.net, hijack returning on
reboot.
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rightfinder.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rightfinder.net/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rightfinder.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rightfinder.net/search/
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\TEMP\ADDCLASS.EXE
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
|
This one only surfaced when a sample (and thus a CWShredder update) was found for it.
The hijack involves AddClass.exe installing the hijack and reinstalling it on reboot.
It also changes the DefaultPrefix, the WWW Prefix and a non-functional 'www.' prefix,
which makes each URL you type without 'http://' in front of it redirect through
ehttp.cc before reaching the correct destination. IOW, they log everywhere you go.
Luckily they are even kind enough to provide an uninstaller for this
'Enhanced HTTP protocol' at their site here. This will only
partially remove CWS.Addclass though.
|
|
CWS.Googlems
|
Variant 17: CWS.Googlems - We have a payload!
Approx date first sighted:
November 1, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16643
Symptoms: IE pages changed to http://www.idgsearch.com/,
hijack reinstalled on reboot and when running Windows Media Player.
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing,
and reinstalling Windows Media Player
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.idgsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.idgsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.idgsearch.com/
O2 - BHO: GoogleMS Search Helper - {79369D5C-2903-4b7a-ADE2-D5E0DEE14D24} -
C:\Documents and Settings\[username]\Application Data\GoogleMS.dll
|
This variant is the first of its kind, since an important development was observed here:
the Windows Media Player executable was deleted and replaced by the trojan. This
file reinstalled the hijack when run. No other variants modify or delete system files,
but this one seems to.
It also installs a BHO that reinstalls the hijack on a reboot. Deleting GoogleMS.dll and
reinstalling Windows Media Player fixes the hijack.
CWS.Googlems.2:
A mutation of this variant exists that hijacks IE to idgsearch.com and 2020search.com,
installs a BHO named 'Microsoft SearchWord' using the filename SearchWord.dll
in the same location as the first version. It also adds *.xxxtoolbar.com
to the Trusted Zone.
CWS.Googlems.3:
A mutation of this variant exists that hijacks IE to idgsearch.com, installs a BHO named
'Microsoft SearchWord' using the filename Word10.dll in the location
C:\Documents And Settings\[username]\Application Data\Microsoft\Office.
This version can also be loaded by a fake Notepad.exe file in the
Windows system folder. The fake file has an icon different from the default notepad one.
CWS.Googlems.4:
A mutation of this variant exists that hijacks IE to idgsearch.com, 2020search.com and
possibly coundnotfind.com. It installs a hosts file hijack to 69.56.223.196 (idgsearch.com),
redirecting from several CWS affiliate domains (!), one Lop.com domain, one misspelled Spywareinfo
domain (hehe) and several porn domains. It installs a BHO named 'Microsoft Excel' using the filename
Excel10.dll, located at the same place as the third mutation. It also adds
*.xxxtoolbar.com and *.teensguru.com to the Trusted Zone.
|
|
CWS.Xplugin
|
Variant 18: CWS.Xplugin - 'Helping' you search the web
Approx date first sighted:
November 11, 2003
Log reference:
Not visible in HijackThis log!
Symptoms: Some links in Google results redirecting to
umaxsearch.com or coolwebsearch.com every now and then
Cleverness: 10/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
Not visible in HijackThis log!
|
This variant is the first one that is not visible in a HijackThis log. It
works invisibly, changing links in Google search results to other pages.
It took a while to find out how this variant works, since it doesn't use
any of the standard locations.
A file xplugin.dll is installed, which creates a new
protocol filter for text/html. In plain English, this
means it reads most of the web pages downloaded to your browser. It also
randomly alters some links in Google search results to pages on umaxsearch.com
and coolwebsearch.com. It claims to be made by something called TMKSoft.
It is unknown whether deleting the file has side-effects, but using CWShredder or
running regsvr32 /u c:\windows\system32\xplugin.dll
(the path may vary depending on the Windows version) fixes the hijack completely.
|
|
CWS.Alfasearch
|
Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted:
November 5, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16730
Symptoms: IE pages changed to alfa-search.com, possibly porn sites
being redirected to 216.200.3.32 (alfa-search.com), error message about a 'runtime
error' at startup, 4 porn bookmarks added to favorites (one possible child porn).
Cleverness: 1/10
Manual removal difficulty: Involves a little Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
O4 - Global Startup: MSupdate.exe
|
Possibly the simplest CWS variant since CWS.Datanotary, this
hijack only does the basic stuff: changes your IE homepage and search pages, adds porn
bookmarks, and pops up a bogus error message at startup.
Deleting MSupdate.exe from the All Users Startup group, deleting
the porn bookmarks and resetting the IE homepage and search pages fixed the hijack.
The MSupdate.exe file is capable of installing a hosts file hijack
as well, but doesn't seem to do this.
CWS.Alfasearch.2:
A mutation of this variant exists that hijacks IE to www.find-itnow.com, drops 7 porn bookmarks
in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as well
as bogus runtime errors at system startup. It drops a fake Winlogon.exe
file in the 'All Users' Startup group of the Start Menu, or in the Startup group of the current
user. The file is always running, and hard to remove. If CWShredder repeatedly reports removing
this variant, it cannot remove winlogon.exe. To remove this file
manually, move it out of the Startup folder, restart, and then delete the file.
CWS.Alfasearch.3:
A mutation of this variant exists that hijacks IE to www.alfa-search.com, and reinstalls by
running an encrypted VBS script from three places in the Registry, named rundll32.vbe
using the name Windows Security Assistant. It also installs a
custom stylesheet named readme.txt in the Windows system folder, drops
9 porn bookmarks in the IE Favorites and 6 on the desktop, and installs a hosts file hijack of
8 major search engines and one porn site to 64.124.222.169 (alfa-search.com).
|
|
CWS.Loadbat
|
Variant 20: CWS.Loadbat - Dastardly
Approx date first sighted:
November 1, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=16132
Symptoms: DOS window flashing by at system startup, IE pages
being hijacked to ie-search.com, redirection to 'FLS' or Umaxsearch when
mistyping URLs or visiting porn sites
Cleverness: 9/10
Manual removal difficulty: Involves some Registry editing and
deleting a few files
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\windows\hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
O1 - Hosts: 206.161.200.105 auto.search.msn.com
O1 - Hosts: 206.161.200.105 sitefinder.verisign.com
O1 - Hosts: 206.161.200.105 sitefinder-idn.verisign.com
O1 - Hosts: 206.161.200.103 www.smutserver.com
O1 - Hosts: 206.161.200.103 www1.smutserver.com
O1 - Hosts: 206.161.200.103 www2.smutserver.com
[...]
O1 - Hosts: 206.161.200.103 www29.smutserver.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [Win64 Compatibility Check] load win64.drv /c /set -- by windows setup --
|
Overlooked at first, this CWS variant used a clever way of reloading the hijack by
making it look like some other file (shell.dll or win64.drv) was doing it, when in
fact it was just a LOAD.BAT file merging a .reg file.
The second variant added a hosts file hijack of auto.search.msn.com and the Verisign
Sitefinder to something called 'FLS' that linked to Umaxsearch, as well as hijacking
smutserver.com domains to another porn site.
To remove this manually, killing the autostarts and removing hp.htm, load.bat and srch.reg from
the Windows folder along with resetting the IE homepage/search page is enough.
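The hosts-file hijacks described for CWS.Mupdate, CWS.Googlems.4 and CWS.Loadbat all follow the same shape: a handful of well-known names (the Verisign Sitefinder, auto.search.msn.com) or a long run of names (www1 to www29.smutserver.com) pointed at one remote address. The checker below is an added example, not code from this article or from CWShredder; it parses the hosts file as Windows reads it (comments, tabs, several names per line), separates blocking entries that point a name at a local address from redirect entries that point it at a remote host, and reports the redirect patterns above. It also covers the opposite abuse, blocking of security sites, which the CWS.Smartsearch.2 write-up further down describes. The sample file is constructed from the Loadbat lines; of the two watchlists, only sitefinder, auto.search.msn.com and spywareinfo.com come from the article, the other names are assumed entries for illustration.

```python
"""Hosts-file hijack checker (added example; not code from the article or from
CWShredder).  It parses the hosts file the way it is written (comments, tabs,
several names per line), separates blocking entries (name -> local address)
from redirect entries (name -> remote address), and reports three patterns:
well-known names such as the Verisign Sitefinder redirected to another host,
many names funnelled to one remote address, and security-vendor sites blocked."""
import ipaddress
from collections import defaultdict

# Names a hijacker redirects to monetise typos and searches.  Sitefinder and
# auto.search.msn.com come from the article; the rest is an assumed watchlist.
WATCHED_REDIRECT = {
    "sitefinder.verisign.com", "sitefinder-idn.verisign.com", "auto.search.msn.com",
    "www.google.com", "search.yahoo.com", "www.altavista.com",
}
# Sites whose blocking indicates anti-removal behaviour.  spywareinfo.com is named
# in the article; the other two are assumed entries for illustration.
SECURITY_SITES = {"www.spywareinfo.com", "forums.spywareinfo.com",
                  "www.lavasoft.de", "security.kolla.de"}

# Constructed sample modelled on the CWS.Loadbat and CWS.Smartsearch.2 write-ups.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
206.161.200.105 auto.search.msn.com
206.161.200.105 sitefinder.verisign.com sitefinder-idn.verisign.com
206.161.200.103 www.smutserver.com
206.161.200.103\twww1.smutserver.com
206.161.200.103 www2.smutserver.com
127.0.0.1       www.spywareinfo.com   # keeps the victim away from help
0.0.0.0         ads.example.net       # ordinary ad blocking, benign
"""

def parse_hosts(text):
    """Return (line_no, ip, name, is_local) for every name in the file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()                     # any run of spaces or tabs
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip
        is_local = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        for name in fields[1:]:
            entries.append((line_no, str(ip), name.lower(), is_local))
    return entries

def check_hosts(text, mass_threshold=3):
    """Findings are (kind, subject, ip, line_no); mass_redirect has no single line."""
    findings = []
    names_per_remote_ip = defaultdict(list)
    for line_no, ip, name, is_local in parse_hosts(text):
        if is_local:
            if name in SECURITY_SITES:
                findings.append(("security_site_blocked", name, ip, line_no))
        else:
            names_per_remote_ip[ip].append(name)
            if name in WATCHED_REDIRECT:
                findings.append(("redirect_watched", name, ip, line_no))
    for ip, names in names_per_remote_ip.items():
        if len(names) >= mass_threshold:
            findings.append(("mass_redirect", f"{len(names)} names", ip, None))
    return findings

if __name__ == "__main__":
    for kind, subject, ip, line_no in check_hosts(SAMPLE_HOSTS):
        print(f"{kind:22} {subject:30} -> {ip}  (line {line_no})")
```

The local/remote split is the important design choice: a hosts entry that points a name at 127.0.0.1 can be legitimate ad blocking, so it is only reported when the name is a security site, while any entry pointing a name at a remote address is a redirect and gets looked at on its own merits.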
|
|
CWS.Qttasks
|
Variant 21: CWS.Qttasks - Even more simple than CWS.Alfasearch
Approx date first sighted:
November 23, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=18331
Symptoms: IE pages being changed to start-space.com
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.start-space.com/
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
|
Mimicking the legit 'QuickTime Task' autorun entry in the Registry (which is in the
HKLM hive), this variant loaded at startup and changed only the Start Page to
start-space.com. That's it. I'm serious. *Yawn*
|
|
CWS.Msconfd
|
Variant 22: CWS.Msconfd - Finally using rundll32
Approx date first sighted:
November 26, 2003
Log reference: Reconstruction, local test
Symptoms: IE pages being changed to webcoolsearch.com,
bogus error message about msconfd.dll at startup, porn bookmarks added to
Favorites (some possibly childporn)
Cleverness: 7/10
Manual removal difficulty: Involves quite some Registry editing
and deleting porn bookmarks, plus struggling to unload the dll which is always in memory
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://webcoolsearch.com/
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
|
Additional line from StartupList log:
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=msconfd.dll
|
This is the first variant to use a dll file together with the Windows rundll32 file.
This makes it a little harder to find the culprit msconfd.dll,
responsible for hijacking IE to webcoolsearch.com and adding 11 adult bookmarks to IE,
of which 4 are possibly child porn sites.
Deleting the autorun entry, resetting IE and deleting the porn bookmarks fixes most
of the hijack. Removing msconfd.dll involves renaming the file,
restarting the system and deleting the renamed file.
CWS.Msconfd.2:
A mutation of this variant exists that uses the filename avpcc.dll
or ctrlpan.dll and hooks into Windows in the same way as the
first version. This version also deletes all the bookmarks in the IE Favorites folder
before replacing them with porn bookmarks.
CWS.Msconfd.3:
A mutation of this variant exists that uses the filename cpan.dll.
|
|
CWS.Therealsearch
|
Variant 23: CWS.Therealsearch - Misery travels in pairs
Approx date first sighted:
November 29, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=19137
Symptoms: IE pages changed to therealsearch.com, porn bookmarks
added to IE Favorites, porn sites appearing in IE autocomplete
Cleverness: 4/10
Manual removal difficulty: Involves lots of Registry editing,
a process killer, and deleting bookmarks
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.therealsearch.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.therealsearch.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.therealsearch.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.therealsearch.com/sp.php
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
|
This variant of CWS appeared to be worse than it actually was at first. Since it had
two running processes, it looked like the Peper virus, which
was very hard to remove. Luckily these two processes didn't behave like that. The
smaller one, quicken.exe, downloaded and ran the second one,
editpad.exe (like CWS.Aff.Iedll does),
and hijacked IE to therealsearch.com, as well as setting both to run at startup.
To remove this variant, a process killer is needed to kill editpad.exe and quicken.exe before deleting
the files, as well as resetting the IE homepage/search pages and possibly removing
CWS.Aff.Tooncomics.2, which can be downloaded by this variant.
CWS.Therealsearch.2:
There is a mutation of this variant that hijacks to my.search (sic), and that also uses the filenames
c:\windows\winrar.exe and c:\windows\waol.exe.
|
|
CWS.Control
|
Variant 24: CWS.Control - Dude, where's my Control Panel?
Approx date first sighted: December 7, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=23210
Symptoms: IE pages changed to windoww.cc, super-spider.com and search2004.net
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing, and restoring
a file from the Windows Setup CD for Windows 9x/ME
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://super-spider.com
O4 - HKCU\..\Run: [Windows Control] C:\WINDOWS\CONTROL.EXE
O4 - HKCU\..\RunServices: [Windows Control] C:\WINDOWS\CONTROL.EXE
|
This variant would be fairly simple if it didn't drop a file in the Windows folder that overwrites
a system file in Windows 9x/ME - it is possible your Control Panel will not be functioning normally
after being infected with this CWS variant, and you need to use the System File Checker (SFC.EXE)
to restore control.exe from your Windows Setup CD. Windows NT/2000/XP does
not have this problem with this variant.
CWS.Control.2:
A mutation of this variant exists that is identical in every way, except that control.exe always stays in memory.
CWS.Control.3:
A mutation of this variant exists that uses random filenames and random startups.
|
|
CWS.Olehelp
|
Variant 25: CWS.Olehelp - Who wants some bookmarks?
Approx date first sighted:
January 4, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=27573
Symptoms: IE hijacked to omega-search.com, lots and lots of bookmarks
added to IE Favorites
Cleverness: 3/10
Manual removal difficulty: Involves a little bit of Registry editing,
and deleting lots of files
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\OLEHELP.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.omega-search.com/go/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.omega-search.com/go/panel_search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.omega-search.com/go/panel_search.html
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\olehelp.exe
|
This variant is pretty simple. It autoruns a file named olehelp.exe
at startup from the Registry, which changes the IE homepage/search page to omega-search.com,
and adds a mind-boggling 107 bookmarks to the IE Favorites, of which 14 are porn.
Killing the autostart and deleting the file + bookmarks fixes this.
|
|
CWS.Smartsearch
|
Variant 26: CWS.Smartsearch - Counter-counter-actions
Approx date first sighted:
January 7, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=26148
Symptoms: IE hijacked to smartsearch.ws, redirections to smartsearch.ws
when entering incomplete URLs into the address bar, antispyware programs closing without
reason only a few seconds after opening them
Cleverness: 5/10
Manual removal difficulty: Involves a process killer, lots of
registry editing and deleting a few files.
Identifying lines in HijackThis log:
Running processes:
C:\Program Files\directx\directx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\RunServices: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q=
|
This variant is hard to spot since it can use over a dozen different filenames, luckily
all with the same Registry value. The file is always running and reinstalls the hijack to
smartsearch.ws every 10 seconds. Killing the trojan process, deleting/restoring all the Registry values it added
or changed and deleting its files fixes the hijack.
CWS.Smartsearch.2:
A mutation of this variant exists that attempts to close CWShredder, HijackThis, Ad-Aware,
Spybot S&D and the SpywareInfo forums when they are opened. It uses the filename
IEXPLORER.EXE (note the extra 'R') and a different Registry value. It drops a hosts file
that blocks over two dozen anti-spyware sites. CWShredder has been updated to circumvent this.
CWS.Smartsearch.3:
A mutation of this variant exists that uses the startup 'coolwebprogram', and attempts to
close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo forums when they are
opened. It also drops notepad32.exe and hijacks the .txt and .log
filetypes to open with this file (before showing it in the real Notepad), reinstalling the hijack.
CWS.Smartsearch.4:
A mutation of this variant exists that hijacks to magicsearch.ws instead
of smartsearch.ws, uses the startup 'MicrosoftWindows' and also drops the
notepad32.exe Notepad hijacker like CWS.Smartsearch.3. It also hijacks the DefaultPrefix
and WWW Prefix to magicsearch.ws like CWS.Vrape and attempts to kill several
firewalls, including (but not limited to) ZoneAlarm and Kerio Personal Firewall.
Known filenames used by this variant:
C:\Program Files\directx\directx.exe
C:\Program Files\Common Files\System\systeem.exe
C:\Windows\explore.exe (note the missing 'r')
C:\Windows\System\internet.exe
C:\Windows\Media\wmplayer.exe
C:\Windows\Help\helpcvs.exe
C:\Program Files\Accessories\accesss.exe
C:\Games\systemcritical.exe
C:\Documents Settings\sistem.exe
C:\Program Files\Common Files\Windows Media Player\wmplayer.exe
C:\Windows\Start Menu\Programs\Accessories\Game.exe
C:\Windows\sistem.exe
C:\Windows\System\RunDll16.exe
C:\Windows\iexplorer.exe (note the extra 'i' or the extra 'r')
C:\y.exe
C:\x.exe
c:\funny.exe
c:\funniest.exe
c:\Windows\notepad32.exe
C:\Windows\system\kazaa.exe
C:\Windows\system32\kazaa.exe
C:\Program Files\Common Files\Services\iexplorer.exe
C:\Program Files\Common Files\Services\explore.exe
C:\Program Files\Common Files\Services\exploreer.exe
C:\Program Files\Common Files\Services\sistem.exe
C:\Program Files\Common Files\Services\critical.exe
C:\Program Files\Common Files\Services\directx.exe
C:\Program Files\Common Files\Services\internet.exe
C:\Program Files\Common Files\Services\window.exe
C:\Program Files\Common Files\Services\winmgnt.exe
C:\Program Files\Common Files\Services\clrssn.exe
C:\Program Files\Common Files\Services\explorer32.exe
C:\Program Files\Common Files\Services\win32e.exe
C:\Program Files\Common Files\Services\directx32.exe
C:\Program Files\Common Files\Services\uninstall.exe
C:\Program Files\Common Files\Services\volume.exe
C:\Program Files\Common Files\Services\autorun.exe
C:\Program Files\Common Files\Services\users32.exe
C:\Program Files\Common Files\Services\notepad.exe
C:\Program Files\Common Files\Services\win64.exe
C:\Program Files\Common Files\Services\inetinf.exe
C:\Program Files\Common Files\Services\time.exe
C:\Program Files\Common Files\Services\systeem.exe
c:\Windows\system32\iexplorer.exe
c:\Windows\system32\explore.exe
c:\Windows\system32\exploreer.exe
c:\Windows\system32\sistem.exe
c:\Windows\system32\critical.exe
c:\Windows\system32\directx.exe
c:\Windows\system32\internet.exe
c:\Windows\system32\window.exe
c:\Windows\system32\winmgnt.exe
c:\Windows\system32\clrssn.exe
c:\Windows\system32\explorer32.exe
c:\Windows\system32\win32e.exe
c:\Windows\system32\directx32.exe
c:\Windows\system32\uninstall.exe
c:\Windows\system32\volume.exe
c:\Windows\system32\autorun.exe
c:\Windows\system32\users32.exe
c:\Windows\system32\win64.exe
c:\Windows\system32\inetinf.exe
c:\Windows\system32\time.exe
c:\Windows\system32\systeem.exe
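The filename list above shows the two disguises CWS.Smartsearch relies on: genuine Windows names misspelled by a keystroke or two (iexplorer.exe, explore.exe, sistem.exe, clrssn.exe, RunDll16.exe) and genuine names running from a directory where the real file never lives (wmplayer.exe in C:\Windows\Media, notepad.exe under Common Files\Services). Both can be scored mechanically against a list of real names and their home directories. The check below is an added example, not code from this article or from CWShredder; the allowlist in it is an assumed, deliberately short one, and the sample process list is constructed from the filenames above plus two genuine entries.

```python
"""Lookalike process-name check (added example; not code from the article or
from CWShredder).  Flags a filename that is within a couple of edits of a
genuine Windows binary but is not that binary, and a genuine binary name that
runs from a directory it does not belong in.  KNOWN is an assumed, shortened
allowlist; a real deployment would derive it from a clean reference system."""
import ntpath

# Legitimate name -> lowercase directories it is expected to run from (assumed).
KNOWN = {
    "explorer.exe": {r"c:\windows", r"c:\winnt"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "csrss.exe":    {r"c:\windows\system32", r"c:\winnt\system32"},
    "services.exe": {r"c:\windows\system32", r"c:\winnt\system32"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\winnt\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system"},
    "winmgmt.exe":  {r"c:\windows\system32\wbem", r"c:\winnt\system32\wbem"},
    "notepad.exe":  {r"c:\windows", r"c:\winnt", r"c:\windows\system32", r"c:\winnt\system32"},
    "wmplayer.exe": {r"c:\program files\windows media player"},
}

# Constructed sample process list: paths from the article's CWS.Smartsearch
# filename list plus two genuine entries.
SAMPLE_PATHS = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\iexplorer.exe",
    r"C:\Windows\explore.exe",
    r"C:\Windows\Media\wmplayer.exe",
    r"C:\Windows\System\RunDll16.exe",
    r"C:\Program Files\Common Files\Services\clrssn.exe",
    r"C:\Program Files\Common Files\Services\notepad.exe",
    r"C:\Program Files\directx\directx.exe",
]

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path, max_distance=2):
    """None for a clean path, else (kind, filename, what it resembles or where it ran)."""
    directory, name = ntpath.split(path)          # ntpath handles Windows paths anywhere
    directory, name = directory.lower().rstrip("\\"), name.lower()
    if name in KNOWN:
        if directory not in KNOWN[name]:
            return ("wrong_directory", name, directory)
        return None
    nearest = min(KNOWN, key=lambda known: edit_distance(name, known))
    if edit_distance(name, nearest) <= max_distance:
        return ("lookalike_name", name, nearest)
    return None

def scan(paths):
    return [hit for hit in map(classify, paths) if hit]

if __name__ == "__main__":
    for kind, name, detail in scan(SAMPLE_PATHS):
        print(f"{kind:16} {name:16} {detail}")
```

The check is a heuristic, not a signature: directx.exe from the list above passes it, because nothing in the allowlist resembles that name, so the article's filename list remains the authoritative indicator and the heuristic only helps with names the list does not yet contain.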
|
|
CWS.Yexe
|
Variant 27: CWS.Yexe - Whatever
Approx date first sighted:
January 17, 2004
Log reference:
http://forums.tomcoyote.org/index.php?showtopic=3174
Symptoms: IE start page hijacked to search.thestex.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting some Registry values and
keys, deleting one folder and restoring the IE homepage
Identifying lines in HijackThis log:
F1 - win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System\services\1.00.07.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\y.exe
|
This variant uses a filename often seen as the installer for either CWS or Lop.com (y.exe), but uses
it as the actual hijacker file. It loads from win.ini as well as system.ini in a weird
way that shouldn't even work, and installs a BHO that seems intended to react
to certain keywords on webpages. Removing the BHO and the autorunning y.exe file
fixes this hijack.
CWS.Yexe.2:
Possibly a mutation of this variant exists that uses the filename
services.exe instead of y.exe.
|
|
CWS.Gonnasearch
|
Variant 28: CWS.Gonnasearch - Three for the price of one
Approx date first sighted:
January 18, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=28344
Symptoms: IE hijacked to gonnasearch.com
Cleverness: 2/10
Manual removal difficulty: Involves deleting some registry keys and values
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb
O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL
O2 - BHO: (no name) - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll
|
This variant differs from the others in that it installs not one, but three (!) BHOs. Their exact
purpose is unknown. Killing the three BHOs and restoring the IE pages fixed this hijack.
|
|
CWS.Smartfinder
|
Variant 29: CWS.Smartfinder - Turning over new stones
Approx date first sighted:
January 11, 2004
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=27673&hl=nkvd\.us
Symptoms: IE hijacked to nkvd.us and smart-finder.biz, redirections to
nkvd.us and smart-finder.biz when typing incomplete URLs into address bar.
Cleverness: 10/10
Manual removal difficulty: Involves some registry editing, and renaming
the trojan file, restarting, and deleting it
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nkvd.us/s.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nkvd.us/s.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nkvd.us/1507/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nkvd.us/s.htm
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
|
Additional line in StartupList log:
Enumerating ShellServiceObjectDelayLoad items:
DDE Control Module: C:\WINDOWS\SYSTEM\mtwirl32.dll
|
This variant was surprisingly smart: it used two startup methods
(ShellServiceObjectDelayLoad and SharedTaskScheduler) that must be among the
most rarely used ones ever seen - and it used them differently on Windows 9x/ME
and Windows NT/2k/XP. On top of that, both methods ensure that the file is loaded when
Explorer is loaded, making it always in memory like CWS.Msconfd.
Additionally, the actual responsible files are invisible in HijackThis, and only one shows
in a StartupList logfile (ShellServiceObjectDelayLoad). The responsible file is mtwirl32.dll,
and to delete it manually you need to rename it (deleting
is impossible since it is in use), restart the system, and then delete the file and its
Registry key.
CWS.Smartfinder.2: a second version of this variant exists, that
is harder to remove but basically uses the same method of loading, as well as the same
CLSID. In addition, it uses a BHO to restore any of the autostarting regkeys you delete
to remove this. The BHO looks like this in a HijackThis log:
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} -
C:\WINDOWS\System32\mshelper.dll
|
Deleting this BHO prevents it from restoring the autostarting regkeys, which can then be
deleted safely.
Note that this BHO is NOT the real Osborntech Popup Blocker, which uses the CLSID
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}, and a mshelper.dll file located
in a separate folder in the Program Files folder.
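CWS.Xplugin, CWS.Msconfd and CWS.Smartfinder share one property: they load from Registry locations a HijackThis log of the time did not show (a PROTOCOLS\Filter MIME handler, AppInit_DLLs, ShellServiceObjectDelayLoad and SharedTaskScheduler), and the last three register a CLSID rather than a filename, so the DLL only becomes visible once the CLSID is followed to its InprocServer32 entry, which is how StartupList arrived at mtwirl32.dll. The finder below is an added example, not code from this article, from HijackThis or from StartupList; it reads a Regedit export (both the REGEDIT4 header used by Windows 9x and the Version 5.00 header), pulls out the values under those four locations and resolves each CLSID to its DLL. The export it runs on is constructed, and the CLSIDs in it are placeholders, not the real ones these variants used.

```python
"""Hidden-autostart finder for a Regedit export (added example; not code from
the article, HijackThis or StartupList).  Reports values under AppInit_DLLs,
ShellServiceObjectDelayLoad, SharedTaskScheduler and PROTOCOLS\\Filter and
follows each CLSID to the DLL registered as its InprocServer32.  String values
only; binary/dword values are not needed for these locations."""
import re

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed export: one section per location discussed, placeholder CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"="msconfd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DDE Control Module"="{00000000-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000001}"="DDE Control Module"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{00000000-0000-0000-0000-000000000002}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\mtwirl32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\xplugin.dll"
"""

def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Map lowercase key path -> {lowercase value name: data}.  Accepts both the
    REGEDIT4 header (Windows 9x) and 'Windows Registry Editor Version 5.00'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unquote(m.group(1)).lower()
        keys[current][name] = _unquote(m.group(2))
    return keys

def resolve_clsid(keys, guid):
    """Follow a CLSID to the DLL registered as its in-process server, if exported."""
    for root in ("hkey_classes_root", r"hkey_local_machine\software\classes"):
        server = keys.get(root + "\\clsid\\" + guid.lower() + "\\inprocserver32", {})
        if server.get("(default)"):
            return server["(default)"]
    return None

def find_hidden_autostarts(text):
    """Findings are (location, value name, data, resolved DLL or None)."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if path.endswith("\\currentversion\\windows") and values.get("appinit_dlls"):
            findings.append(("AppInit_DLLs", "appinit_dlls", values["appinit_dlls"], None))
        elif path.endswith("\\shellserviceobjectdelayload") or path.endswith("\\explorer\\sharedtaskscheduler"):
            tag = "ShellServiceObjectDelayLoad" if path.endswith("delayload") else "SharedTaskScheduler"
            for name, data in values.items():
                # SSODL stores name -> CLSID; SharedTaskScheduler stores CLSID -> description
                guid = GUID_RE.search(name) or GUID_RE.search(data)
                findings.append((tag, name, data, resolve_clsid(keys, guid.group(0)) if guid else None))
        elif "\\protocols\\filter\\" in path and values.get("clsid"):
            mime = path.split("\\protocols\\filter\\", 1)[1]
            findings.append(("PROTOCOLS\\Filter " + mime, "clsid", values["clsid"],
                             resolve_clsid(keys, values["clsid"])))
    return findings

if __name__ == "__main__":
    for location, name, data, dll in find_hidden_autostarts(SAMPLE_REG):
        print(f"{location:32} {name:22} {data:40} {dll}")
```

On the sample this yields four findings: the AppInit_DLLs entry as a bare filename, the SSODL and SharedTaskScheduler entries both resolved to mtwirl32.dll through the shared CLSID, and the text/html filter resolved to xplugin.dll. A CLSID whose InprocServer32 is missing from the export is reported with None, which in practice means the export was incomplete rather than that the entry is harmless.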
|
|
CWS.Winproc32
|
Variant 30: CWS.Winproc32 - I can't think of anything snappy to say here
Approx date first sighted:
January 23, 2004
Log reference:
http://forums.net-integration.net/index.php?showtopic=10128
Symptoms: IE being hijacked to icanfindit.net or 4-counter.com,
hijack returning on system restart or possibly sooner
Cleverness: 2/10
Manual removal difficulty: Involves using a process killer and
some Registry editing
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32\WINPROC32.EXE
|
A very simple variant. Winproc32.exe loads at startup, and hijacks IE.
The file stays in memory so a process killer is needed to remove it. It drops 4 porn bookmarks
in the IE Favorites folder. It also tries to hijack the default user (HKEY_USERS\.DEFAULT) but
fails to do so.
|
|
CWS.Msconfig
|
Variant 31: CWS.Msconfig - Payload plus one
Approx date first sighted:
February 5, 2004 (also a nice example of how frustrating these things can be to people)
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=31324
Symptoms: IE pages being hijacked to www.31234.com on system startup and when
changing homepage back, continuous errors about an invalid Registry script in temp2.txt, extra
item in right-click menu of webpages named '??????'
Cleverness: 2/10
Manual removal difficulty: Involves a process killer, some Registry editing
and restoring a Windows system file from CD
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.31234.com/www/homepage.html
O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O4 - HKCU\..\Run: [msconfig] C:\WINDOWS\SYSTEM\msconfig.exe
O8 - Extra context menu item: ?????? - C:\WINDOWS\system32\openme.htm
|
This variant uses the filename msconfig.exe, which overwrites the real Windows
file in Windows 98/98SE/ME. The temp2.txt file it drops is actually a Registry
script, but since it's in the wrong format, Windows 9x/ME will throw up an error about an invalid
Registry script. Windows 2000/XP will import it without complaining, creating the '??????' item
in the IE right-click menu. The
msconfig.exe file will always stay in memory, reinstalling the hijack every 5 seconds.
Killing the process, deleting the file and restoring the IE homepages/search pages fixes this hijack.
The real Windows file msconfig.exe can be downloaded
here, if you can't restore it from your Windows Setup CD for some reason.
|
|
CWS.Xxxvideo
|
Variant 32: CWS.Xxxvideo - What, you mean it's not an xxx video?
Approx date first sighted:
February 11, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=32381
Symptoms: IE pages changed to enjoysearch.info, 4 bookmarks added to
Favorites, all returning when system is restarted
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
O4 - HKCU\..\Run: [xxxvid] C:\Documents and Settings\<username>\My Documents\xxxvideo.hta
|
A very simple variant, with an encrypted script file running at startup, reinstalling the hijack.
Killing the autorun entries, deleting the two .hta files and the four bookmarks fixes this.
|
|
CWS.Winres
|
Variant 33: CWS.Winres - About:blank hacked
Approx date first sighted:
February 10, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=32204
Symptoms: IE pages changed to 2020search.com, about:blank
page changed to search engine
Cleverness: 7/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
|
This variant is the first to achieve a remarkable result: it changes the about:blank page itself
to look like a search engine. This is later seen in the CWS.Xmlmimefilter
variant, using a different method. The variant possibly adds three domains to the Trusted
Zone and adds two bookmarks to the desktop.
Deleting the BHO, resetting the IE homepage, and removing the sites and bookmarks fixes this.
|
|
CWS.Xmlmimefilter
|
Variant 34: CWS.Xmlmimefilter - About:blank hacked v2.0
Approx date first sighted:
February 29, 2004
Log reference:
http://computercops.biz/postt21263.html
Symptoms: IE homepage changed to about:blank, which is changed
to a search engine named 'Microsoft Search the Web', mistyped URLs being redirected
to this same search engine
Cleverness: 10/10
Manual removal difficulty: Involves quite some Registry editing
Identifying lines in HijackThis log:
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\msxmlpp.dll
|
Though the hijacking of the about:blank page was also done by the
CWS.Winres variant, this new variant accomplishes it in a much more elegant way. The
DLL used for handling the 'about:' protocol itself is replaced by a malicious one,
msxmlpp.dll, which displays, instead of a blank page, a search engine filled with links
to 66.117.38.91.
Changing the CLSID of the about protocol back to the default
{3050F406-98B5-11CF-BB82-00AA00BDCE0B}, deleting the file and removing the hosts file
hijack fixes this.
|
|
CWS.Aboutblank
|
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted:
March 2, 2004
Log reference:
Reconstruction
Symptoms: IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com),
hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry editing and deleting
a randomly named file
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
|
This variant does everything in its power to redirect you to a domain owned by 1-se.com. IE
is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to
1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain
keywords appear in webpages.
Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file,
the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and
the randomly named stylesheet (1079 or 1087 bytes in size) fixes this.
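As an added example (not part of the original article, nor of HijackThis or CWShredder), a small Python triage over HijackThis log lines for the two variants just described: it flags a replaced about: protocol handler and an overridden Microsoft search host (CWS.Xmlmimefilter), and a hosts file funnelling many domains to one IP plus an svchost.exe autostarted from outside System32 (CWS.Aboutblank). The embedded log lines are constructed from the entries quoted on this page; the default CLSID and the System32 rule come from the text above, and the threshold of 3 domains is a chosen assumption.

```python
import re
from collections import defaultdict

# IE's default about: protocol handler, as given in the CWS.Xmlmimefilter text.
DEFAULT_ABOUT_CLSID = "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
# Only legitimate svchost.exe location; the page notes the copy in the Windows dir is the trojan.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\svchost\.exe$", re.I)

# Constructed sample log: entries quoted on this page, plus one benign Run entry as a negative case.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,SearchURL = http://about-blank.ws/page/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O18 - Protocol: about - {53B95211-7D77-11D2-9F80-00104B107C96} - C:\\WINDOWS\\System32\\msxmlpp.dll
O4 - HKLM\\..\\Run: [Network Service] C:\\WINNT\\svchost.exe -sr -0
O4 - HKCU\\..\\Run: [Network Service] C:\\WINNT\\system32\\svchost.exe
O19 - User stylesheet: C:\\WINNT\\system32\\xea2108l.9zt
"""


def parse(log):
    """Split HijackThis lines into (section, body) pairs, e.g. ('O18', 'Protocol: ...')."""
    matches = (re.match(r"^([OR]\d+)\s+-\s+(.*)$", raw.strip()) for raw in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def check_about_protocol(entries):
    """O18: the about: handler must be IE's own CLSID (CWS.Xmlmimefilter swaps it)."""
    hits = []
    for sec, body in entries:
        m = re.match(r"Protocol:\s+(\S+)\s+-\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*)$", body)
        if (sec == "O18" and m and m.group(1).lower() == "about"
                and m.group(2).upper() != DEFAULT_ABOUT_CLSID):
            hits.append(f"about: handler replaced: {m.group(2)} -> {m.group(3)}")
    return hits


def check_hosts(entries, threshold=3):
    """O1: many domains funnelled to one IP (CWS.Aboutblank), or a Microsoft
    search host overridden (CWS.Xmlmimefilter's auto.search.msn.com entry)."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        m = re.match(r"Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", body)
        if sec == "O1" and m:
            by_ip[m.group(1)].append(m.group(2).lower())
    hits = []
    for ip, names in by_ip.items():
        if len(names) >= threshold:
            hits.append(f"hosts file maps {len(names)} domains to {ip}")
        hits += [f"Microsoft host {n} overridden -> {ip}" for n in names
                 if n.endswith((".msn.com", ".microsoft.com"))]
    return hits


def check_run_entries(entries):
    """O4: an svchost.exe autostarted from outside System32 is the dropped copy."""
    hits = []
    for sec, body in entries:
        m = re.match(r"HK(?:LM|CU)\\\.\.\\Run\w*:\s+\[[^\]]*\]\s+\"?(.+?\.exe)", body, re.I)
        if sec == "O4" and m:
            exe = m.group(1)
            if exe.lower().endswith("\\svchost.exe") and not LEGIT_SVCHOST.match(exe):
                hits.append(f"svchost.exe autostarted from non-System32 path: {exe}")
    return hits


def triage(log):
    """Run every check over a HijackThis log and return the combined findings."""
    entries = parse(log)
    return check_about_protocol(entries) + check_hosts(entries) + check_run_entries(entries)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```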
|
|
CWS.Systeminit
|
Variant 35: CWS.Systeminit - Actual size
Approx date first sighted:
March 21, 2004
Log reference:
http://www.spywareinfo.com/forums/index.php?showtopic=35845
Symptoms: IE pages changed to your-search.info, redirections to
search-dot.com, hijack returning on system reboot, URL shortcuts appearing on desktop
and in favorites
Cleverness: 2/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - Global Startup: sytem32.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
|
A small variant, using two files to reinstall the hijack. The stylesheet links to search-dot.com,
the two autostarting files set the IE homepage/search pages to your-search.info. A backup of
the systeminit.exe file is kept at C:\Documents And Settings\sys.exe (this
location is hardcoded into the trojan file). Deleting the three trojan files, the stylesheet,
the bookmarks and restoring the IE pages fixes this hijack.
|
|
CWS.Sounddrv
|
Variant 36: CWS.Sounddrv - Boring, yet sneaky
Approx date first sighted:
March 12, 2004
Log reference:
http://boards.cexx.org/viewtopic.php?t=4542
Symptoms: IE pages changed to defaultsearching.com, hijack returning
on system reboot.
Cleverness: 3/10
Manual removal difficulty: Involves some Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://defaultsearching.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://defaultsearching.com
O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\SYSTEM\SNDBDRV3104.EXE
|
This variant is very small, but its sneakiness lies in the filename used, which was originally
mistaken for a sound card driver (by me as well). Apart from that, this hijack is really simple.
Deleting the file and restoring the IE pages fixes this hijack.
|
|
CWS.Searchx
|
Variant 38: CWS.Searchx - About:blank seems popular lately
Approx date first sighted:
April 6, 2004
Log reference:
http://forums.techguy.org/t217853.html
Symptoms: IE pages changed to about:blank (which is
changed to a search portal linking to searchx.cc) and a search page
inside a DLL on the system, hijack returning on system reboot
Cleverness: 8/10
Manual removal difficulty: Involves lots of Registry editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gfmnaaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {48918FB4-1FD5-4DF3-87F0-12C36350039D} - C:\WINDOWS\System32\gfmnaaa.dll
|
This variant is not very hard to spot, but slightly harder to troubleshoot since its symptoms
look a lot like those of CWS.Xmlmimefilter.
It drops a randomly named DLL in the system folder and sets the IE homepage/search pages
to it. A BHO is also added pointing to the same DLL. The about:blank page is modified by creating
two new protocol filters for text/html and text/plain,
which allows the DLL to control most of the content flowing through the IE browser as web pages.
The trojan keeps a record of all actions in a log file at c:\filter.log.
Removing the two filters in the Registry, deleting the BHO, the DLL and the logfile and restoring
the IE pages fixes this hijack.
Note: The CWS.Realyellowpage variant has sometimes been sighted
together with this one, which prevents CWShredder from removing this one.
Refer to the manual removal method for that variant to delete the offending dll, then run
CWShredder again to remove CWS.Searchx.
|
|
CWS.Realyellowpage
|
Variant 39: CWS.Realyellowpage - Inducing homicidal tendencies
Approx date first sighted:
March 16, 2004
Log reference: (not visible in HijackThis log)
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz,
list2004.com or linklist.cc, hijack inexplicably returning on reboot with no
file seemingly responsible
Cleverness: Where's my infinity character button?
Manual removal difficulty: Battle axe or chainsaw recommended
Identifying lines in HijackThis log:
(not visible in HijackThis)
|
This variant is a nightmare. If you come across an infected machine that keeps changing
back to the aforementioned sites over and over again for no visible reason, you've probably
seen this one. It's like whoever is responsible for this hired some blackhat coder and told
him to make the most complex, invisible and devious hijacker he could think of. And he did.
The file is randomly named, and normally hooks into the IE process, loading itself as a module
into it. And then it hides the host process from the process list. Yes, you read that right: the
process hosting the dll disappears from the task list and from most process viewers/managers
we tried.
At first it was only visible with FAR Explorer; later we found that PrcView also shows it, and has some nice command-line
options which make for nice scripting to aid in manual removal. For Windows 95/98/ME, booting
the system into Safe Mode will prevent the file from loading, allowing for even easier manual
removal:
* MANUAL REMOVAL INSTRUCTIONS *
- Download PrcView here:
http://www.spywareinfo.com/~merijn/files/pv.zip, unzip it to the desktop.
- Be sure to have at least 1 Internet Explorer window open, then double click on the
runme.bat.
- Select option '2' from the menu.
- Notepad will open with a log in it. Look for a line with this load address and size in it.
- The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
This part indicates the bad file:
61c00000 61440
It will always contain that load address and size.
- Write down the filename behind it.
- Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
- Unzip and run it.
- Don't click any of the buttons though, instead please click on the Action menu and choose
"Delete on Reboot".
- On the next screen, click on the File menu and choose "Add File". The file you copied
earlier should now show up in the window. If that's successful, choose the Action menu and
select "Process and Reboot". You'll be prompted to reboot, do so.
- After rebooting, make sure the file is gone.
Tech info: Win9x/ME: Known to use the HKLM RunServicesOnce key to load, which is deleted
by Windows after loading the file and recreated by the dll when Windows shuts down. Visible
in Safe Mode, dll file is not loaded then and can be deleted.
WinNT/2000/XP: Known to use the HKLM AppInit_DLLs value to load, possibly more Registry keys. The
'delete file on reboot' function can be used (KillBox does this), provided the filename is
known.
File is heavily encrypted using an unknown packer, has a modified PE
header and crashes most (if not all) memory dumpers
when an attempt is made to dump the file from memory. Hides the dll as well as the host process
(IEXPLORE.EXE, RUNDLL32.EXE, CONTROL.EXE, REGSVR32.EXE, whichever one is used) by an unknown
method.
Right now [17/04/04], CWShredder does not remove this variant. As soon as I figure
out how to do it, I will update CWShredder for it.
|
|
Affiliate variants - not directly related to CWS, but sighted
together with it very often
|
|
CWS.Aff.Iedll
|
Affiliate variant: iedll - Bad coder
Approx date first sighted:
August 18, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?t=1499
Symptoms: Errors in a file 'iedll.exe' or 'loader.exe' on
Windows startup. Sighted a lot together with other CWS variants.
Cleverness: 3/10
Manual removal difficulty: Involves a process killer and a bit
of Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\IEDLL.EXE
C:\WINDOWS\LOADER.EXE
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
|
This affiliate variant, with unknown origin, consists of two files. The first one,
loader.exe downloads the second one,
iedll.exe and runs it. Both files are set to autostart when Windows starts.
The 'hijack' becomes obvious when iedll.exe crashes - and
it does this frequently. Apparently, this program is programmed so badly, it won't
even carry out its payload and does not hijack IE. It is only displayed here because
it has been sighted together with other CWS variants on very numerous occasions.
CWS.Aff.iedll.2:
A mutation of this variant exists, that has the same files iedll.exe
and loader.exe located at
C:\Program Files\Windows Media Player.
|
|
CWS.Aff.Winshow
|
Affiliate variant: Winshow - Comes in two flavours
Approx date first sighted:
July 13, 2003
Log reference: Reconstruction
Symptoms: Changed IE pages to youfindall.com, BHO added to IE
named 'winshow.dll'. Second variant hijacks to searchv.com and also redirects
mistyped URLs to a porn site, and reloads the hijack on a reboot,
or even sooner.
Cleverness: 5/10, second variant 8/10
Manual removal difficulty: Involves lots and lots of Registry
editing, a bit of hosts file editing and deleting one file.
Identifying lines in HijackThis log:
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
|
Second variant CWS.Aff.Winshow.2:
O1 - Hosts file: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents And Settings\username\Application Data\winshow\Winshow.dll
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - Global Startup: MSUpdater.exe
|
This affiliate variant originally was quite innocent, consisting only of one
Browser Helper Object (BHO) named 'Winshow', with unknown goal. It was frequently
sighted together with other CWS variants.
CWS.Aff.Winshow.2:
The second variant of this one also used the BHO and filename, but added a hosts
file hijack that redirected mistyped domains/URLs to a porn site, and reloaded
an IE hijack to searchv.com on reboot using a Registry command file. One file named
MSUpdater.exe was sitting in the 'All Users' startup folder
in the Start Menu, and also reloaded the hijack. Deleting both files fixed the
hijack. It is still unknown what the BHO actually does.
CWS.Aff.Winshow.3:
A third version of this variant exists, that uses the filename
winlink.dll for the BHO. It hijacks to both searchv.com and thesten.com.
It does not have the additional files the second version has.
CWS.Aff.Winshow.4:
A fourth version of this variant exists, that adds an uninstall entry in Add/Remove
Software labelled Winshow, and auto-updates from a Registry
value named WinShowUpdate.
CWS.Aff.Winshow.5:
A fifth version of this variant exists, that uses the filename
iefeatsl.dll, hijacks to search-click.com and auto-updates from a Registry
value named iefeatslUpdate. It also downloads and installs
a BHO named SubmitHook.
CWS.Aff.Winshow.6:
A sixth version of this variant exists, that uses a random string for its filename
and folder, with the same CLSID as the previous two variants,
{587DBF2D-9145-4c9e-92C2-1F953DA73773}. It also downloads and installs a BHO named
SubmitHook and auto-updates from a Registry value named Updater.
|
|
CWS.Aff.Madfinder
|
Affiliate variant: Madfinder - Kinda like ClientMan
Approx date first sighted:
October 15, 2003
Log reference:
http://forums.spywareinfo.com/index.php?showtopic=14977
Symptoms: IE homepage changed to madfinder.com,
BHO with filename 'BrowserHelper.dll', hijack returning on reboot, or even
sooner.
Cleverness: 5/10
Manual removal difficulty: Involves a process killer and lots of
Registry editing.
Identifying lines in HijackThis log:
Running processes:
C:\WINDOWS\System32\svc.exe
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\BrowserHelper.dll
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
|
This variant seems to consist of two files that support each other.
svc.exe runs invisibly, downloads the second file, BrowserHelper.dll,
and installs it as a BHO. However, this BHO file also contains the first file
and probably puts it back when it is deleted. The variant is always accompanied by
a hijack to madfinder.com.
|
|
CWS.Aff.Tooncomics
|
Affiliate variant: Tooncomics - Changing the Internet
Approx date first sighted:
September 18, 2003
Log reference:
http://boards.cexx.org/viewtopic.php?p=11617#11617
Symptoms: IE hijacked to tooncomics.com, targets of hyperlinks on
websites changed to porn sites
Cleverness: 9/10
Manual removal difficulty: Involves really lots of Registry
editing, and some hosts file editing
Identifying lines in HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/main/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/main/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
|
This variant seems to be in the league of CWS.Vrape, hijacking to
porn sites, redirecting other porn sites to itself, and even using a BHO to change the
target of hyperlinks to porn sites like eZula Toptext does. Some users even reported
being unable to download CWShredder because the links at the bottom of this article
were altered to point to porn sites. Manual removal is pretty
hard, because the DNSErr.dll file responsible for the latter part
of the hijack has no uninstall built-in like most dlls. However, flat-out deleting the
file has no side effects.
CWS.Aff.Tooncomics.2: There is a second version of this hijack that
uses the filename dnse.dll as the BHO, and a second file ld.exe that is always running, reloading the hijack. In this version,
the IE homepage and search pages are changed to fastwebfinder.com. A process killer is
needed to get rid of ld.exe.
|
|
Epilogue - The Fix Known As CWShredder
|
After reading all of this, you must be under the impression that a CoolWebSearch hijack
is near impossible to fix since there are so many variants. Though it is true that
the conventional tools like Ad-Aware, Spybot S&D and HijackThis won't fix all of the
variants, there is one tool that will.
After about the 3rd CWS variant, I realized this particular spyware company moved faster
than any other I'd seen before, and that the anti-spyware programs wouldn't be able
to keep up with it. So I decided to write a separate program dedicated to removing
CoolWebSearch. It's called CWShredder and can be downloaded
here, in several forms:
This removal tool will be updated for any new variants of CoolWebSearch, as well as
new affiliates that are sighted. It can remove all of the variants mentioned above.
Note that CWShredder is updated very often. If you
have a copy that's more than a week old, check for an update first before
emailing me that it's not working.
|
|
Epilogue - The Origin
|
We are pretty sure now that CoolWebSearch is part of a recently identified strain
of trojans that all have one thing in common: they install through the
ByteVerify exploit in the MS
Java VM and change the IE homepage, search page, search bar, etc.
Take a look at this snippet from the description of the
Java.Shinwow trojan:
This is a growing family of trojans that exploits the ByteCodeVerifier
vulnerability in the Microsoft Virtual Machine to execute unauthorized
code on an affected machine.
The variants of this trojan that we have seen in the wild have been functionally
diverse; the common factor amongst them has been the use of the ByteVerify
exploit to achieve their goals. Some variants may do little more than change
the user's default Internet Explorer home page and/or search page via
modifications to the registry.
|
We strongly recommend you install the patch, available from
this MS security bulletin. If you have Windows XP with Service Pack 1a,
your system has no MS Java VM. Information on removing the MS Java VM
completely and replacing it with the newer, safer Sun Java VM can be
found here.
As a side note, some of the affiliates (Search-Meta has been verified) use another
Java exploit to install their malware. It's classified as the
JS.Exception.Exploit, and a patch can be downloaded from this
MS security bulletin.
In general, it's a good idea to keep your system up-to-date from WindowsUpdate!!
It has also been confirmed that 'Index.dat Viewer' changes your IE search pages to
superwebsearch.com, a CWS affiliate page, after installing it. Uninstalling Index.Dat
Viewer will not restore your search pages.
|
|
Donate / Contact Me
|
If you find this page helpful, or it helps you remove CWS from your system, we would
very much appreciate a donation:
If you have any problems, questions or comments concerning this
document, you can email me if you like.
Merijn,
However, if you want to send me a flame email or a class action lawsuit
notice, don't bother. I didn't create Coolwebsearch or install it onto your browser.
If I had, why would I detail this entire thing and provide
you with a fix for free?
|
|