Scumbag of the Week

 

Having problems surfing the Internet? Being redirected to smartsearch.ws or another site? Is your computer massively slowing down? These symptoms characterize a growing list of problems with the latest scumware program to hit the Internet these days, and you could be next.

 

Although its meager beginnings demonstrated that this particular little program was nothing more than a nuisance and a fake stylesheet, it has evolved to become a powerhouse of annoyances with a growing list of complaints.  This particular company moves faster than any previous scumware company we've seen, and it attempts to release a new 'strain' by the rate of almost one a week.  A particularly virulent strain redirects users to the 'smartsearch.ws' homepage and to date, there are over 30 known variants of the CWS (CoolWebSearch) program.  (Note: On Feb. 1 the smartsearch.ws domain name was shut down as an affiliate of CoolWebSearch.  That particular domain will now show up as a blank page -- making it difficult to figure out what you've been scummed with.  Although the URL remains in the address bar, the entire page is blank.  Most people will probably guess they've just hit a site in development or something.)

 

So what exactly is it an why are we calling it a 'crossbred' scumware/trojan?  CoolWebSearch is at times difficult to identify because it duplicates the symptoms you would normally expect from a scumware program.  It hijacks your browser, redirects you to other sites, changes your start page and even issues pop-ups with 'enhanced results.' These are just a few symptoms in its growing repertoire.  In fact, many of the symptoms you will experience are both confusing and frustrating, because although they duplicate what we have come to associate with scumware programs, popular removal tools such as AdAware and SpyBot simply won't find anything.  As a matter of fact, there is a variant of the program that actually closes any scumware or spyware removal utilities before they even load, which is definitely playing dirty.

 

The other aspect is the trojan part, which exploits a security flaw in the Byte Code Verifier of the Microsoft Virtual Machine.  We don't need to cover the technical aspects of what that means, but a good definition of a trojan was provided by Search Security (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html) who wrote that, "In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk."

 

Currently, it is suspected that this program exploits this security flaw in the Microsoft Virtual Machine to distribute itself through pop-up ads shown on your PC.  So if you can't find it, and can't check it, how on earth do you know you have it?  That question is a little more difficult to answer because there are so many new strains all of  the time.  The symptoms seem to change to reflect the latest 'attack' method to hit the most computers.  I can however, give you a current list of symptoms for the 30 something variants that already exist today:

 

Problems in Internet Explorer:

• Massive IE slowdown
• Illegible URLs, IE options
• Redirections when mistyping URLs
• Start page and search page changed on reboot
• Start page/search pages changed to activexupdate.com in the IE Trusted Zone
• Popups with 'enhanced results' when doing searches on Google, Yahoo, and Altavista
• Redirections to any one of the affiliate sites on virtually anything done in IE
• Start page and Search pages changed to any of the affiliate sites
• 'Customize Search Assistant' closing after opening it
• Slow scrolling in IE
• Homepage changed to 'http:///'
• Redirections to runsearch when mistyping URLs, *.masspass.com in the Trusted Zone
• IE pages being hijacked to ie-search.com
• Lots and lots of bookmarks added to IE Favorites
• BHO added to IE named 'winshow.dll' BHO with filename 'BrowserHelper.dll'

 

Problems with Adult Content:

• Redirections to adult sites, dialers, etc.
• Porn sites being redirected to 216.200.3.32 (alfa-search.com)
• Porn bookmarks added to Favorites (some possibly child porn)
• Porn sites appearing in IE autocomplete
• Redirects mistyped URLs to a porn site
• Targets of hyperlinks on Web sites changed to porn sites

 

Problems with Windows:

• Reloading of the hijack on some reboots
• Hijack reappearing when rebooting
• Possible errors about a missing file 'msinfo.exe'
• info32.exe errors
• Error message about a 'runtime error' at startup
• DOS window flashing by at system startup
• Bogus error message about msconfd.dll at startup
• Anti-spyware programs closing without reason only a few seconds after opening them
• Errors in a file 'iedll.exe' or 'loader.exe' on Windows startup

 

Although by no means a comprehensive list, especially considering its rapid rate of evolution, you can begin to get an idea of the expansive list of problems associated with the trojan.  Probably one of the most difficult aspects of this particular program is that it can be very difficult to identify.

 

Coupled with the problems listed above, the CWS variants have been known to violate privacy and security in their quest to hijack your PC.  The trojan can, and will, hide itself from a user, stay resident in the background, show advertisements, make changes to browser settings, and connect to the Internet by itself to self-update. In the process, it may collect information about your PC, track information with cookies, and/or transfer personally identifiable information.  It is also capable of installing software and services on your computer.  Essentially, its capabilities are only limited by the creativity of its programmers, who haven't yet run out of ways to use the code.

 

Considering the information above, detection and removal can be both difficult and tricky, but there are a number of solutions to solve the problem you may be experiencing or may experience in the future.  To begin with, the number one method of prevention is to keep your copy of Microsoft Windows up to date with the latest security fixes.  If you haven't yet done that, I suggest you visit the Microsoft site to download the latest patches: http://v4.windowsupdate.microsoft.com/.  Next, on your list of places to visit is a great site provided to us by a student in the Netherlands, Merijn Bellekom, who has spent literally weeks tracking and coding a program to remove the latest CWS variants.  For all of the latest information, check out his site at http://www.merijn.org and visit the downloads section to get your copy of CoolWebShredder which will remove all of the CWS variants to date.  A couple of caveats:

 

If you are unable to visit his site, the direct download link for the program is http://216.180.233.153/~merijn/files/CWShredder.exe (This problem is caused by a CWS variant known as either CWS.Aff.Tooncomics or CWS.Dreplace.) 

 

If your anti-spyware removal program is closing before starting, you will have to download and run PepiMK's CoolWWWSearch.SmartKiller removal tool http://www.safer-networking.org/files/delcwssk.zip) first before running his program to remove CWS variants.

 

If you get an error in Windows stating that the "MSVBVM60.DLL missing," you'll need to get the updated runtime libraries for Microsoft Visual Basic 6 first.  (http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98ME/EN-US/vbrun60sp5.exe)

 

Finally, here are a couple more links with information about CoolWebSearch:

 

Discussion within the Forums on Smartsearch.ws homepage hijacking
(http://www.jimworld.com/apps/webmaster.forums/action::thread/thread::1073634404/forum::scumware/)

 

Scumware.com CWS Article http://www.scumware.com/apps/scumware.php/action::view_article/article_id::1075329940/topic::Scumware,-Spyware,-Adware-&-Malware-Applications/

 

Virus Information Center http://www3.ca.com/virusinfo/virus.aspx?ID=35839

 

Spyware Info CWS article http://www.spywareinfo.com/articles/cws/

 

Symantec Security Response http://securityresponse.symantec.com/avcenter/venc/data/adware.smartsearch.html

 

Trend MicroSystems Virus Information http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZEROLIN.A&VSect=T

 

 

Download the Shredder Program

Back to MCTXS