CoolWebSearch

CoolWebSearch (also known as CoolWWWSearch or abbreviated as CWS) is a spyware or virus program that installs itself on Microsoft Windows based computers. It first appeared in May 2003.

Effects

CoolWebSearch has numerous capabilities when it is successfully installed on a user's computer. The program can change an infected computer's web browser homepage to 'coolwebsearch.com', and though originally thought to only work on Internet Explorer, recent variants affect Mozilla Firefox as well as Google Chrome, and others. Infected computers can create pop-up ads which redirect to other websites, including pornography sites, collect private information about users, and slow the connection speed.

CoolWebSearch uses various techniques to evade detection and removal, which many common spyware removal programs are unable to properly remove the software. Since CoolWebSearch is bundled with other potentially unwanted software or add-ons, users need to uninstall those unwanted programs first, or CoolWebSearch can return, even after the user has changed their home page and primary search engine.

Some versions of CoolWebSearch are installed through what's known as 'drive-by installation', in which browsing an infected webpage can automatically install CoolWebSearch without the user's knowledge. CoolWebSearch attempts to evade detection by not labelling the ads it presents as such, nor does it provide a EULA, nor any data about itself nor is there a website directly associated with it. Certain variants insert links on random text, leading to advertisements. Others attempt to access websites which are redirected to pay-per-click search engines which may install more malware display ads. Some variants of CoolWebSearch also add links to pornography, and gambling sites to the user's Desktop, Internet Explorer's bookmarks and history. Certain versions attempt to edit users' trusted sites and modify security settings as well as to hide from removal programs. Variants are often named for the effects they have such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.

Possible creators

The website claims that they are not responsible for the browser hijacking. They run an affiliate program that pays affiliates to direct others to their site with paid advertising links. Coolwebsearch.com's terms of service use the laws of Quebec, Canada, whilst their DNS registration lists an address in the British Virgin Islands, and their web server appears to be run by HyperCommunications in Massachusetts, USA. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com. Investigation connected Stanislav Avdeyko, the Koobface hacker, with CoolWebSearch.The Koobface malware gang - exposed! Indepth investigation by Jan Droemer and Dirk Kollberg, SophosLabs
/ref>

Variants

#CSS Cool Search Search
#CWS.Addclass
#CWS.Alfasearch
#CWS.Bootconf
#CWS.CameUp
#CWS.Cassandra
#CWS.Control
#CWS.Ctfmon32
#CWS.Datanotary
#CWS.Dnsrelay
#CWS.Dreplace
#CWS.Gonnasearch
#CWS.Googlems
#CWS.Hiddendll
#CWS.Homesearch
#CWS.Loadbat
#CWS.Look2Me
#CWS.Msconfd
#CWS.Msconfig
#CWS.MSFind
#CWS.Msinfo
#CWS.Msoffice
#CWS.Msspi
#CWS.Mupdate
#CWS.Oemsyspnp
#CWS.Olehelp
#CWS.Oslogo
#CWS.Qttasks
#CWS.Q-url3
#CWS.Realyellowpage
#CWS.Searchx
#CWS.Smartfinder
#CWS.Smartsearch
#CWS.Sounddrv
#CWS.Svchost32
#CWS.Svcinit
#CWS.Systeminit
#CWS.Systime
#CWS.Tapicfg
#CWS.Therealsearch
#CWS.Vrape
#CWS.Winproc32
#CWS.Winres
#CWS.Xmlmimefilter
#CWS.Xplugin
#CWS.Xxxvideo
#CWS.Yexe

Affiliate variants

#CWS.Aff.iedll
#CWS.Aff.Madfinder
#CWS.Aff.Tooncomics
#CWS.Aff.Winshow

References

{{reflist

Spyware