Weekly Spyware Alert: CoolWebSearch
Variants: This spyware is morphing at a rapid rate. Below, variants and their estimated appearance date are listed in reverse chronological order.
- DNSRelay.dll August 7, 2003
- Svchost32 August 3, 2003
- Oemsyspnp July 29, 2003
- Msspi.dll July 28, 2003
- Vrape July 20, 2003
- OSLogo.bmp July 10, 2003
- Bootconf July 6, 2003
- Datanotary May 27, 2003
Description: CoolWebSearch is a name given to a wide range of different browser hijackers. The code is very different between variants, but all are currently used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The alarming trend with this hijacker is rapid metamorphosis and the increasing difficulty of removal. Some documented behaviors associated with each variant include:
- DNSRelay.dll - Implemented as an IE URL hook. Hijacks address bar search phrases as well as any site name entered into the address bar without a leading http:// or www to search aimed at activexupdate.com (a CWS site redirecting through yellow2.com to allhyperlinks.com).