CWS

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Recommendations ·
· Detection and Removal ·
· Research ·

Overview

Summary:

Alias:

Category:

Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Dialer: Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.

Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Dropper: In viruses and trojans, the dropper is the part of the program that installs the hostile code onto the system.

Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Nuker: A program that disables a machine through damage to the registry, key files, the file system, etc.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is nomally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Variants:

Similar Pests:

Origins

Group:

By This Group:

Mailing Address:

URL:

Programming Language:

Date of Origin:

Distribution

Prevalence:

Clot Factor:

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Growth:

Operation

Platform:

Exploit:

To see if you are vulnerable, on the taskbar at the bottom of your screen:
click Start
click Run.
In Windows 98/Me, type command; in NT/2K/XP, type: cmd
At the command prompt, type: jview
If you get 'Bad command or file name' or 'Jview' is not recognized as an internal or external command, operable program, or batch file', then you are NOT vulnerable. If Jview is found, then follow the advice at the "Prevention" heading.

Some of the .Aff variants exploit the "Microsoft VM ActiveX Component" vulnerability.: Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows an unsigned applet to create and use ActiveX controls, which allows a remote attacker to bypass Internet Explorer's security settings and execute arbitrary commands via a malicious web page or email.

Advertising:

Storage Required:

Browser Performance:

Risks

Privacy Issues:

Security Issues:

Performance Issues:

Productivity Issues:

Stability Issues:

Recommendations

Prevention:

• Update your system. Go to http://v4.windowsupdate.microsoft.com/en/default.asp
• Tune your security settings in IE to disable scripting.

Detection and Removal

Caution!!!:

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Research

File Analyses:

• CWS: addclass.exe ·  astctl32.ocx ·  avpcc.dll ·  bootconf.exe ·  control.exe ·  cool web search affiliate program.txt ·  cool web search affiliate program0.txt ·  coolwebsearch-info.dll ·  counterx.ex~ ·  counterx.exe ·  ctfmon32.exe ·  ctrlpan.dll ·  default.css ·  directx.exe ·  dnse.dll ·  dnse-disabled.dll ·  dnserr.dll ·  dnsrelay.dll ·  dpe.dll ·  dreplace-unpacked.dll ·  editpad.exe ·  excel10.dll ·  explore.exe ·  f22776.exe ·  filemon.log ·  fntldr.exe ·  gba1440.exe ·  gba926.exe ·  hh.htt ·  iehost.exe ·  iehost34.exe ·  ietoolbar.dll ·  ietoolbar.htm ·  ietoolbar.inf ·  install.exe ·  jehmbyxrubdb.dll ·  keymgr3.inf ·  ld.exe ·  ld.exe report.txt ·  ld.rsf ·  links.dll ·  loader.exe ·  msaomm.dll ·  msfind.exe ·  msg{c704f4e7-d57a-4fb6-9d81-fab8e6b88b0f}0115.dll ·  mshelper.dll ·  mshjlh.dll ·  msiesh.dll ·  msinfo.exe ·  mssearch.dll ·  mswsc10.dll ·  mswsc20.dll ·  msxmlpp.dll ·  msxmlppunpacked.dll ·  mtwcn32.dll ·  mtwcnl32.dll ·  mtwirl.dll ·  navext.dll ·  notepad.exe ·  oemsyspnp.inf ·  olehelp.exe ·  quicken.exe ·  regmon.log ·  rundll32.exe ·  rundll32.vbe ·  rundll32.vbs ·  search.hta ·  searchword.dll ·  soundmx.exe ·  sstyle.css ·  svchost.old ·  svchost32.exe ·  sysbj32.dll ·  systeminit.exe ·  sytem32.exe ·  tapicfg.exe ·  tips.ini ·  toolband.dll ·  toolband.inf ·  trojan.win32.madise.a.dll ·  unpacked winres.dll ·  unpacked.exe ·  wcadw.dll ·  web.exe ·  wer1306.dll ·  win.def ·  winlink.dll ·  winlogon.exe ·  winrar.exe ·  winres.dll ·  winspool.exe ·  wnscpsv.exe ·  word10.dll ·  xplugin.dll
• CWS.AddClass: addclass.exe
• CWS.Bootconf: advapi32.def ·  bootconf.asm ·  bootconf.exe ·  bootconf.txt ·  dllimport.inc ·  kernel32.def
• CWS.Dwinf: dwinf.exe ·  help_dcc.dll ·  help_ecc.dll ·  load.exe ·  valg.hta
• CWS.Excel10: excel10.dll
• CWS.Feads: dict.dat ·  iefg32.exe ·  iegr32.exe ·  ipog.dll ·  mfcgy32.dll ·  mfcuf32.exe ·  uvmjb.dll
• CWS.IEFeats: dict.dat ·  iefeatsl.new ·  iefeatures.exe ·  iefeatures.ocx ·  iefeatures2.exe ·  internetfeatures.exe ·  msiesh.dll ·  sysxd.dll ·  winshow.new
• CWS.IEFeats3: vijxg.dll
• CWS.MSConfd: msconfd.dll
• CWS.MSSearch: msiesh.dll ·  mssearch.dll ·  syspi32.dll ·  systh.dll
• CWS.Msspi: msspi.dll ·  msupdate.exe
• CWS.MSwsc10: ieak6.exe ·  ieaktext.txt
• CWS.MUpdate: msupdate.exe
• CWS.QTTasks: qttasks.exe
• CWS.Svchost32: svchost.exe

More Info:

Research By:

Last Revised: