Virtual Promote Gazette
Issue # 209 (02-13-2004)

Changing the Internet, One Thing at a Time

Scumbag of the Week
Having problems surfing the Internet? Being redirected to smartsearch.ws or another site? Is your computer massively slowing down? These symptoms characterize a growing list of problems with the latest scumware program to hit the Internet these days, and you could be next.

Although in its early form this program was little more than a nuisance that posed as a stylesheet, it has evolved into a powerhouse of annoyances with a growing list of complaints. The group behind it moves faster than any previous scumware outfit we have seen, releasing a new 'strain' at a rate of almost one a week. A particularly virulent strain redirects users to the 'smartsearch.ws' homepage, and to date there are over 30 known variants of the CWS (CoolWebSearch) program. (Note: on Feb. 1 the smartsearch.ws domain name was shut down as an affiliate of CoolWebSearch. That domain now serves a blank page, which makes it harder to figure out what you've been scummed with: the URL remains in the address bar but the page is empty, and most people will guess they have hit a site that is still under construction.)

So what exactly is it, and why are we calling it a 'crossbred' scumware/trojan? CoolWebSearch is hard to identify precisely because it produces the symptoms you would expect from an ordinary scumware program: it hijacks your browser, redirects you to other sites, changes your start page and even issues pop-ups with 'enhanced results.' Those are only a few entries in its growing repertoire. The symptoms are confusing and frustrating because, although they look like classic scumware, popular removal tools such as Ad-aware and SpyBot simply won't find anything. One variant even closes scumware and spyware removal utilities before they finish loading, which is definitely playing dirty.

The other aspect is the trojan part. The installer arrives as a Java applet that exploits a security flaw in the ByteCode Verifier of the Microsoft Virtual Machine (Microsoft's Java runtime for Internet Explorer). The verifier is what keeps an applet inside its sandbox; once it is bypassed, the applet can write files and registry entries like any other program, which is how the hijack gets onto the machine. Anti-virus products that catch it report the applet under names such as Trojan.ByteVerify. We don't need to cover the rest of the technical detail, but a good definition of a trojan was provided by Search Security (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html), who wrote that, "In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk."

Currently, it is suspected that the program uses this flaw in the Microsoft Virtual Machine to distribute itself through pop-up ads shown on your PC; because the exploit is an applet, merely displaying the ad in Internet Explorer is enough for it to run. So if you can't find it and can't check for it, how on earth do you know you have it? That is harder to answer because new strains appear all the time, and the symptoms change to reflect whichever 'attack' method reaches the most computers. I can, however, give you a current list of symptoms for the thirty-odd variants that exist today:

Problems in Internet Explorer:
  • Massive IE slowdown
  • Illegible URLs, IE options
  • Redirections when mistyping URLs
  • Start page and search page changed on reboot
  • Start page/search pages changed to activexupdate.com in the IE Trusted Zone
  • Popups with 'enhanced results' when doing searches on Google, Yahoo, and Altavista
  • Redirections to any one of the affiliate sites on virtually anything done in IE
  • Start page and Search pages changed to any of the affiliate sites
  • 'Customize Search Assistant' closing after opening it
  • Slow scrolling in IE
  • Homepage changed to 'http:///'
  • Redirections to runsearch when mistyping URLs, *.masspass.com in the Trusted Zone
  • IE pages being hijacked to ie-search.com
  • Lots and lots of bookmarks added to IE Favorites
  • BHO added to IE named 'winshow.dll'
  • BHO with filename 'BrowserHelper.dll'
Problems with Adult Content:
  • Redirections to adult sites, dialers, etc.
  • Porn sites being redirected to 216.200.3.32 (alfa-search.com)
  • Porn bookmarks added to Favorites (some possibly child porn)
  • Porn sites appearing in IE autocomplete
  • Redirects mistyped URLs to a porn site
  • Targets of hyperlinks on Web sites changed to porn sites
Problems with Windows:
  • Reloading of the hijack on some reboots
  • Hijack reappearing when rebooting
  • Possible errors about a missing file 'msinfo.exe'
  • info32.exe errors
  • Error message about a 'runtime error' at startup
  • DOS window flashing by at system startup
  • Bogus error message about msconfd.dll at startup
  • Anti-spyware programs closing without reason only a few seconds after opening them
  • Errors in a file 'iedll.exe' or 'loader.exe' on Windows startup
This is by no means a comprehensive list, especially given the rapid rate of evolution, but it gives an idea of the range of problems associated with the trojan. The most frustrating aspect of this particular program is that its symptoms overlap with those of ordinary adware, so the usual tools give you a clean bill of health while the hijack is still in place.
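The symptom list above is what the user sees; a responder wants the registry changes underneath it. The following is an added example, not code from the Gazette, from merijn.org or from any removal tool, that triages a .reg export of the Internet Explorer settings offline: it parses the export, then flags the indicators the article names (start or search page pointed at a CWS domain or at 'http:///', masspass.com or activexupdate.com placed in the Trusted Sites zone, a Browser Helper Object whose DLL is winshow.dll or BrowserHelper.dll) and lists every other Trusted Sites entry and BHO for manual review. The sample export, including the BHO CLSID, is constructed for illustration; the indicator lists are assumptions drawn from the article's symptom list, and the substring match on the host name is deliberately loose.

```python
"""Offline triage of an exported Internet Explorer registry fragment for
CoolWebSearch-style hijack indicators (added example, not from the
Gazette article or any removal tool). Assumes the responder exported the
relevant keys from the suspect machine with `reg export` and is reading
the .reg text elsewhere. SAMPLE_REG is constructed for illustration."""
import re

# Indicator lists are assumptions drawn from the article's symptom list.
BAD_HOST_TOKENS = (
    "smartsearch.ws", "magicsearch.ws", "activexupdate.com", "masspass.com",
    "ie-search.com", "alfa-search.com", "hotsearchbox",
)
BAD_BHO_FILES = {"winshow.dll", "browserhelper.dll"}
HOMEPAGE_VALUES = ("Start Page", "Search Page", "Default_Page_URL", "Local Page")
TRUSTED_ZONE = 2  # ZoneMap zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted

# Constructed sample export: hijacked start page, *.masspass.com in the
# Trusted Sites zone, and a BHO (made-up CLSID) backed by winshow.dll.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://smartsearch.ws/"
"Search Page"="http://www.google.com/"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\masspass.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\www]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\InprocServer32]
@="C:\\WINDOWS\\winshow.dll"
"ThreadingModel"="Apartment"
"""


def _unescape(s):
    # .reg escapes a backslash as \\ and a double quote as \".
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse the .reg subset needed here: [key] headers followed by
    "name"="string" or "name"=dword:XXXXXXXX lines ('@' is the default
    value). Returns {key: {name: value}}; other data types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def _suspicious_host(url):
    # Substring match on the host part: deliberately loose for triage.
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", url, re.I)
    host = (m.group(1) if m else url).lower()
    return any(tok in host for tok in BAD_HOST_TOKENS)


def _lookup(keys, wanted):
    # Registry key names are case-insensitive; exports keep whatever case they had.
    wanted = wanted.lower()
    return next((v for k, v in keys.items() if k.lower() == wanted), {})


def hijack_findings(keys):
    """Return (severity, message) pairs: 'hit' for an indicator the article
    names, 'review' for Trusted Sites entries and BHOs to check by hand."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(r"\internet explorer\main"):
            for name in HOMEPAGE_VALUES:
                url = values.get(name)
                if isinstance(url, str) and (url == "http:///" or _suspicious_host(url)):
                    findings.append(("hit", f"{name} = {url!r}"))
        elif (m := re.search(r"\\zonemap\\domains\\(.+)$", lk)):
            # Domains\example.com\www with "http"=2 means www.example.com is a Trusted Site.
            domain = ".".join(reversed(m.group(1).split("\\")))
            for scheme, zone in values.items():
                if zone == TRUSTED_ZONE:
                    sev = "hit" if any(t in domain for t in BAD_HOST_TOKENS) else "review"
                    findings.append((sev, f"Trusted Sites entry {scheme}://{domain}"))
        elif (m := re.search(r"\\browser helper objects\\(\{[0-9a-f-]+\})$", key, re.I)):
            # The BHO key only lists CLSIDs; the DLL path lives under HKCR\CLSID.
            clsid = m.group(1)
            server = _lookup(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32")
            path = server.get("@", "<InprocServer32 not in export>")
            fname = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            sev = "hit" if fname in BAD_BHO_FILES else "review"
            findings.append((sev, f"BHO {clsid} -> {path}"))
    return findings


if __name__ == "__main__":
    for sev, msg in hijack_findings(parse_reg(SAMPLE_REG)):
        print(f"[{sev:6}] {msg}")
```

On a Windows XP machine, export the Internet Explorer\Main key, the ZoneMap\Domains key, the Browser Helper Objects key and HKCR\CLSID with reg export, concatenate the files and feed the text to parse_reg. Treat a 'review' entry for a BHO you did not install the same way as a hit: the article's point is that CWS components look no different from legitimate ones to generic tools.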

Coupled with the problems listed above, CWS variants have been known to violate privacy and security in their quest to hijack your PC. The trojan can, and will, hide itself from the user, stay resident in the background, show advertisements, change browser settings, and connect to the Internet on its own to update itself. Along the way it may collect information about your PC, track you with cookies, and transmit personally identifiable information. It can also install additional software and services on your computer. Its capabilities are limited only by the creativity of its programmers, who haven't yet run out of ways to use the code.

Given all of the above, detection and removal can be tricky, but there are a number of ways to solve the problem you may be experiencing now or may run into later. The number one method of prevention is to keep your copy of Microsoft Windows up to date with the latest security fixes; the hole this trojan uses was closed by the Microsoft VM update in Microsoft Security Bulletin MS03-011, so a patched machine cannot be infected by that route. If you haven't done that yet, visit Windows Update to download the latest patches: http://v4.windowsupdate.microsoft.com/. Next on your list is a site provided by a student in the Netherlands, Merijn Bellekom, who has spent literally weeks tracking the variants and coding a program to remove them. For all of the latest information, check out his site at http://www.merijn.org and visit the downloads section to get your copy of CWShredder, which removes every CWS variant known to date. Bear in mind that it only knows the variants that have been analysed; with a new strain appearing roughly weekly, a machine that looks clean can still carry one CWShredder has not seen yet, so if the symptoms come back after cleaning, check his site for an updated version. A couple of caveats:

If you cannot reach his site (two variants, known as CWS.Aff.Tooncomics and CWS.Dreplace, block access to it), use the direct download link for the program: http://216.180.233.153/~merijn/files/CWShredder.exe

If your anti-spyware program closes before it finishes starting, you have the SmartKiller variant: download and run PepiMK's CoolWWWSearch.SmartKiller removal tool (http://www.safer-networking.org/files/delcwssk.zip) first, and then run CWShredder to remove the remaining CWS components.

If Windows reports "MSVBVM60.DLL missing" when you start CWShredder, install the updated runtime libraries for Microsoft Visual Basic 6 first: http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98ME/EN-US/vbrun60sp5.exe

Finally, here are a couple more links with information about CoolWebSearch:

Discussion within the Forums on Smartsearch.ws homepage hijacking (http://www.jimworld.com/apps/webmaster.forums/action::thread/thread::1073634404/forum::scumware/)

Scumware.com CWS Article http://www.scumware.com/apps/scumware.php/action::view_article/article_id::1075329940/topic::Scumware,-Spyware,-Adware-&-Malware-Applications/

Virus Information Center http://www3.ca.com/virusinfo/virus.aspx?ID=35839

Spyware Info CWS article http://www.spywareinfo.com/articles/cws/

Symantec Security Response http://securityresponse.symantec.com/avcenter/venc/data/adware.smartsearch.html

Trend Micro Virus Information http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZEROLIN.A&VSect=T




JimWorld Member comments and feedback ...

Posted On: 02/13/2004 02:15
Posted By: webtech
I have kept my PC secure and cleaned up from scumware for some time now. However I am shocked upon reading this article in that my wife's WinME machine has become a victim of this. My settings bring up a box with any ActiveX request. Now I am attempting to undo the harm she has done to herself by running Bonzi Buddy, Gator and Lord knows what. This explains why MS updates cause crashes, GatortoRobo tool does not work, Mozilla and MyIE2 do not do as they do on my machine. It is like a demon that does not want to let go. We are on the same internet connection but I do NOT have file sharing on, thank God.

Posted On: 02/13/2004 06:30
Posted By: Sinoed
It's one of those pests that can be pretty tricky to spot. If you have troubles clearing it out post in the forums and we'll try to help you out. :)

Posted On: 02/13/2004 10:14
Posted By: thomkilroy
I need some help. I ran CWShredder in Safe Mode, which came up clean. And yet, I still am not allowed to visit the merijn site, so I know that there is something there causing issues. When I try going to the direct download link, I get a 404 file not found message. Is something wrong with their site, or is it another symptom of evil incarnate? The CWShredder I ran was 1.48.0002, downloaded just tonight. Help!

Posted On: 02/14/2004 03:41
Posted By: Sinoed
When you run your PC in safe mode it's only going to load the most basic drivers and settings to get you 'going' enough that you can remove the virus or whatever it is on your PC. I would think that the CWS trojan isn't loading when you run it in safe mode like that - which is why your PC is showing 'clean'. Start up your PC like normal and make sure you don't have any browser windows open, then run CWShredder. If you can't visit the merijn site it is very likely that you have a CWS variant. By running your PC like normal, CWShredder should be able to pick it up and remove it for you. Try that first.

If you still can't seem to get rid of your pest double check to make sure it isn't a virus. If you visit the free virus tools article I've written on the scumware.com site (http://www.scumware.com/apps/scumware.php/action::view_article/article_id::1075334849/topic::Scum-Killers/) you'll find a bunch of links at the bottom for free online virus scans. If you come up with a virus through any one of those tools they will be able to either remove it for you or tell you how to remove it.

If neither one of those works it may be possible that you have a new variant of the CWS trojan - not that unlikely considering they release one or so per week.

You might want to also download and run a program like "Ad-aware", available free for personal use from Lavasoft (http://www.lavasoft.de), to make sure you haven't got some other scumware on your computer.

I've given you quite a lot of info to get started with so just take it one step at a time. If you get stuck or need some help along the way to cleaning up your computer just let us know and we'll be happy to help you out. Good luck with it and let us know how it goes. :)

Posted On: 02/15/2004 04:57
Posted By: thomkilroy
I ran the scans. CW Shredder (and most of the others) came up empty and Symantec found this:

c:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f603a79-778e9214.zip is infected with Trojan.ByteVerify

However, I ran AVG virus software (freshly updated) and it didn't report finding anything. Do I have to download Norton to fix this? Norton really slowed down my machine when I had it last (and was otherwise irritating), and I have to disable my Zone Alarm Firewall for it to work because they don't play nice. Is there a computer weenie way to do this manually? Would this be keeping me from visiting the merijn site? Or is there more yet to be found?

Posted On: 02/16/2004 08:35
Posted By: Sinoed
The reason you couldn't visit the merijn site is because they were under a DDOS attack along with a few other info sites for this stuff. There are some people who think this stuff is a good idea. :( The trojan that was picked up by Symantec is the CWS trojan - it exploits the same security flaw. I'm not sure how well Norton picks it up, try running the free online scan by McAfee. The same trojan called ByteVerify on Symantec is called Java.Bytever.A there. After you run the scan, if it picks it up it will remove it for you. You'll probably have to disable any other AV software you have currently running and your firewall. Check out the McAfee page for this (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A); it has a link to the online scanner under cleaning instructions and some other helpful info to reset your PC. If McAfee comes up clean you might have a new version of CWS; smartsearch.ws did change their name to magicsearch.ws and have happily continued to spread it around. Try the virus scan at McAfee and see if that will help, then let me know.

Posted On: 02/16/2004 08:25
Posted By: g1smd
Jeez, does anyone know who these guys are? Surely someone has put a price on them by now.

A long slow painful death would be far too quick for them.

Posted On: 02/16/2004 09:54
Posted By: Curt
Can we get those URLs shortened up? (major sideways scrolling)

Posted On: 02/16/2004 10:43
Posted By: thomkilroy
McAfee was one of the scans I ran and came up nada. Now what? When I get hijacked, the page is hotsearchbox. Does that help? I'm pretty sure it is not a 'new' variant - I've been wrestling with it for at least a month, if not longer. Getting 'jacked less and less, but still got that ping on Symantec's scanner, so something is still in there. I don't suppose it will just expire of old age or anything? Is this thing dangerous to just leave on my computer, assuming it eventually stops bugging me even though it is still there? Could this be what is causing my computer clock to lose time?

Posted On: 02/18/2004 10:38
Posted By: Sinoed
The 'hotsearchbox' problem is CWS. Generally no news is not good news in these cases. Things that hide themselves and hijack your PC generally aren't doing you any favors, it could compromise pretty much everything you do online or allow someone else control of your PC depending on the variant. I don't know if it would cause your PC clock to lose time, I guess the only way you'll find out is to remove it but I don't think it will.

There are some detailed instructions from Trend Micro on removing it. Trend Micro's virus scanner should be able to pick up and remove this particular variant. Unfortunately not all anti-virus products work well (if at all) to pick this up.

(for some reason this link isn't formatting correctly so cut and paste into your browser..)

http://de.trendmicro-europe.com/consumer/security_info/ve_detail.php?Vname=JAVA_STARTPAGE.F

Posted On: 02/19/2004 08:12
Posted By: thomkilroy
Well, on the advice of an IT instructor at my school, I just went and manually deleted the file (it's in Java, so worst case scenario I have to re-install Java). So far, I can see no ill effects. Will run the scan later to make sure it stays deleted.


© 1995 - 2004  ·  iWeb, Inc DBA JimWorld Productions