1. /
  2. Security Response/
  3. Adware.CWSAlfaSearch

Adware.CWSAlfaSearch

Updated:
February 13, 2007 11:41:22 AM
Type:
Adware
Publisher:
CoolWebSearch
Risk Impact:
High
File Names:
msupdate.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CWSAlfasearch is executed, it performs the following actions:

  1. Adds the values:

    "Start Page" = "[URL on the domain alfa-search.com]"
    "Use Search Asst" = "No"
    "Search Page" = "[URL on the domain alfa-search.com]"
    "Search Bar" = "[URL on the domain alfa-search.com]"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

    to change the Internet Explorer start page and search page settings.

  2. Adds the values:

    "(Default)" =
    "[URL on the domain alfa-search.com]"
    "provider" = "god"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL

    to change the Internet Explorer search page settings.

  3. Adds the value:

    "SearchAssistant" =
    "[URL on the domain alfa-search.com]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    to change the Internet Explorer search page settings.

  4. Adds the following lines to the Windows hosts file to redirect certain Web sites to the IP address 216.200.3.32:

    216.200.3.32     thehun.net
    216.200.3.32     www.thehun.net
    216.200.3.32     thehun.com
    216.200.3.32     www.thehun.com
    216.200.3.32     worldsex.com
    216.200.3.32     www.worldsex.com
    216.200.3.32     sexocean.com
    216.200.3.32     www.sexocean.com
    216.200.3.32     easypic.com
    216.200.3.32     www.easypic.com
    216.200.3.32     free6.com
    216.200.3.32     www.free6.com
    216.200.3.32     al4a.com
    216.200.3.32     www.al4a.com
    216.200.3.32     thumbnailpost.com
    216.200.3.32     www.thumbnailpost.com
    216.200.3.32     drbizzaro.com
    216.200.3.32     www.drbizzaro.com
    216.200.3.32     hoes.com
    216.200.3.32     www.hoes.com
    216.200.3.32     absolut-series.com
    216.200.3.32     www.absolut-series.com
    216.200.3.32     elephantlist.com
    216.200.3.32     www.elephantlist.com
    216.200.3.32     ah-me.com
    216.200.3.32     www.ah-me.com


  5. Creates 4 adult-oriented shortcuts in the Internet Explorer Favorites menu, called [Random file name].url.

    The Favorites folder is located in one of the following locations:
    • %UserProfile%\Favorites (Win NT-based operating systems such as Windows 2000 or XP)
    • %Windir%\Favorites (Win 9x-based operating systems such as Windows 95/98/Me)

      Notes:
    • %Userprofile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP)or C:\Winnt (Windows NT/2000).


Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver