CWS Hijacker

March 8, 2008 – 2:22 PM

A new malware is being distributed that hijacks Internet Explorer start and search settings to one of several different web sites, including coolwwwsearch.com, coolwebsearch.com, youfindall.net, ok-search.com, and white-pages.ws. All of these web sites appear to have an affiliate relationship with coolwebsearch.com in which coolwebsearch pays them for for every visitor they refer. There could be other domains involved in the future. This hijack is similar to the datanotary.com hijack discovered last month. As with that older hijack, the CWS hijack sets Internet Explorer to use a custom style sheet containing javascript that opens a pop up window. In fact, we believe the malware involved with CWS is an updated version of the same malware involved with datanotary.

The start and search settings are changed to an address in which the letters are converted into an unreadable mess of numbers and % symbols to hide the domain name from the user. It also makes it difficult to blacklist the domain. Internet Explorer is able to translate the symbols and load the hijacker’s web site.

An executable file named bootconf.exe is copied to the windowssystem32 folder and set to load at startup. Even if you fix the hijack, this file will reinstall it the next time it is loaded.

Finally, the malware lists the hijacker’s web site in Internet Explorer’s trusted security zone. Domains listed in the trusted security zone have no restrictions on what they can do. This allows that web site to have virtually unlimited access to the infected computer’s file system. We believe the source of the infections might be activex drive by installers located on pornographic web sites, or possibly trojan programs pretending to be illegal serial number generators. Unfortunately, this is just speculation for now.

Removal Instructions

As of July 8, both Spybot S&D and Ad-aware should repair this hijack. Please use one or the other before doing anything else in an attempt to fix this hijack. If neither program fixes the problems, here are the manual removal instructions:

Download Merijn’s HijackThis program, extract it to a folder of your choice, and run a scan with it.

Look for entries containing numbers and % symbols as in this example, and tick the box next to them:
R1 – HKCUSoftwareMicrosoftInternet Explorer,SearchURL= http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73

Look for any O1 Hosts entries similar to this example, and tick the boxes next to them:
O1 – Hosts: 1123694712 auto.search.msn.com

Look for these entries and tick the boxes next to them (the stylesheet entry may have a different file name):
O4 – HKLM..Run: [sysPnP] C:WINNTSystem32ootconf.exe
O19 – User stylesheet: C:WINNTsystem.css

Click the “Fixed Checked” button to remove these entries, then restart your computer. After Windows has loaded again, delete these files (the stylesheet entry may have a different file name):
C:WINNTSystem32ootconf.exe
C:WINNTsystem.css

Finally, go to Internet Options > Security, and select “Trusted Sites”. Press the “Sites” button. Delete any entries that you know you have not placed in there yourself, such as *.coolwebsearch.com, *.coolwwwsearch.com, and so on.

This article is located at http://www.spywareinfo.com/articles/cws/

You must be logged in to post a comment.