  1. #1
    ecomcity (2005 Linkshare Golden Link Award Winner)
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    http://www.keywordconversions.com/search-coverage.html

    Had a few of my merchant clients getting calls and e-mails from them pitching this as the greatest contextual search hijacking tool going. Sounds like the Hong Kong Triad mob wants in on the gravy train.

    ____________________________________

    Domain name: keywordconversions.com

    Registrant Contact:
    KWC Inc. Hong Kong
    Geng Danny dannygeng@yahoo.com
    86-571-88888888 fax: 86-571-88888888
    585 Yan An Road
    Jiu Long Hong Kong 310000
    hk

    Administrative Contact:
    Geng Danny dannygeng@yahoo.com
    86-571-88888888 fax: 86-571-88888888
    585 Yan An Road
    Jiu Long Hong Kong 310000
    hk
    _______________________________________

    Looks like they could be new BHO searchbar players popping on SE after hijacking the browser like these wanks...

    Description:


    CoolWebSearch is a particularly virulent scumware program that commonly hijacks the browser and redirects a visitor to either CoolWebSearch or any of its affiliates. It is considered to be a 'crossbred' strain of scumware because it has the characteristics of both scumware and a trojan virus. Although it appears to be a scumware program, effectively disguising its true nature, it is technically coded as a trojan. This makes detection of this particular program extremely difficult at times. McAfee Security provides a good definition of a Trojan:

    "A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses."

    The difficulty in removing CoolWebSearch has increased with each release of the latest strain.

    Common variants and updates:



    One of the most common variants of the CWS trojan is one that directs users to the smartsearch.ws homepage. On February 2, 2004 the smartsearch.ws domain name was shut down and re-directions to that site turned up blank pages. Relief was short-lived: on February 8, 2004 that name was changed to MagicSearch.ws and the scumbags happily continued to distribute this trojan.
    During the period of February 11 - 14, 2004 the Merijn site as well as a few other anti-spyware sites were inaccessible due to a massive DDoS attack. Updates for CoolWebShredder and other general functions of the site were unavailable. The site has since moved to new hosting to prevent a re-occurrence of the problem. All old links should work unless directly referenced by an IP address.

    Aliases:

    Depending on the anti-virus solution used, the CoolWebSearch trojan may or may not be detected under any of a variety of names. Following is a list of some aliases utilized by different anti-virus programs. ** Please note that I am not 100% confident that the list below is accurate for all variants of CoolWebSearch. Based on the descriptions available I suspect that they are. If you have updated information about whether or not the following are variants of CoolWebSearch please let me know.**:

    Win32.Startpage.C
    Trojan.Win32.StartPage.d
    Trojan:Win32/StartPage.C
    Troj/StartPageD
    W32/Linkadd.A (Norman)
    JS.CSSPopup.B
    JScript/IEstart.Trojan
    Win32/IEstart.Trojan
    SPYW_COOLWEB.A
    Exploit-ByteVerify
    Java/Shinwow.F.Blackbox.Trojan
    JS.Exception.Exploit
    Trojan.Bootconf
    Trojan.Qhosts.A
    Trojan.Qhosts.B
    JAVA_BYTEVER.A
    JS_FORTNIGHT.B
    JAVA_JJBLACK.C
    Trojan.ByteVerify

    How do you get it?


    As this particularly nasty little program has grown in complexity, its ability to insinuate itself on your PC has grown along with it. Although at one time CoolWebSearch was little more than a nuisance and a fake stylesheet, recent strains have proved to be more difficult to both detect and remove. Currently it is suspected that CoolWebSearch is distributed by pop-up ads which exploit known security holes in Microsoft Windows. A good description of this exploit is provided by Merijn.org:

    This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine.

    The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry.

    As a result, the best prevention you have against this program is keeping up to date with the security patches and updates available from Microsoft.

    Details:


    CoolWebSearch uses the trojan program to redirect users to various affiliate sites. At this time the following sites are known to be affiliated with well known strains of CoolWebSearch:

    (*Some sites from the above list provided by SpyWareInfo.)

    Although this list seems extensive, the domain names above are only a partial listing. At the present time over 1000 domains are known to be affiliates.

    Mike & Charlie ...

    "Payment is one option that isn't negotiable. Merchants require it for purchases ...SO DO WE."

  2. #2
    ecomcity (2005 Linkshare Golden Link Award Winner)
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Bump ....anyone hear of these guys?


  3. #3
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    767
    Lots of these keyword hustlers.... yes, Mike, most likely another BHO.
