Adware.CoolWebSearch

Updated: February 13, 2007 11:39:02 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CoolWebSearch is executed, it performs the following actions:
  1. Copies itself as %System%\Services\<executed filename>.

    Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following entry in the file %Windir%\System.ini:

    [windows]
    load=%sysdir%\services\<executed filename>


  3. Adds the value:

    "xpsystem"="%System%\services\<executed filename>"

    to the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    so that the adware runs when Windows is started.

  4. Adds the value:

    "run"="%Sysdir%\services\<executed filename>"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    so that the adware runs when Windows NT/2000/XP is started.

  5. Registers itself as a Browser Helper Object, by adding the subkey:

    {5321E378-FFAD-4999-8C62-03CA8155F0B3}

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    and setting multiple values in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5321E378-FFAD-4999-8C62-03CA8155F0B3}

  6. Adds the values:

    ProxyEnabled = 0
    MigrateProxy = 1
    ProxyEnabled = 0


    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings

  7. Adds the values:

    ProxyBypass = 1
    IntranetNames = 1
    UNCAIntranet = 1

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\ZoneMap

  8. May redirect search queries made in Microsoft Internet Explorer to an advertising Web site.
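
The load points in steps 2 to 5 can be checked offline against a `reg export` dump and a copy of System.ini. The Python sketch below is an added example, not part of the original write-up; the function names, the sample data and the placeholder file name adfile.exe are assumptions, and matching on a `\services\<file>` path is a heuristic.

```python
import re

# Indicators from the write-up above; the "\services\<file>" path test is a heuristic.
BHO_CLSID = "{5321E378-FFAD-4999-8C62-03CA8155F0B3}"
RUN_KEY = r"\microsoft\windows\currentversion\run"
WINNT_KEY = r"\microsoft\windows nt\currentversion\windows"
BHO_KEY = r"\explorer\browser helper objects" + "\\" + BHO_CLSID.lower()
DROP_PATH = re.compile(r"\\services\\[^\\]+$", re.I)
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample data (not from a real host); "adfile.exe" is a placeholder name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xpsystem"="C:\\WINDOWS\\System32\\services\\adfile.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}]
'''
SAMPLE_INI = "[boot]\nshell=Explorer.exe\n[windows]\nload=%sysdir%\\services\\adfile.exe\n"

def parse_reg(text):
    """Parse `reg export` text into {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data  # .reg files escape \ and " with a backslash
    return keys

def find_indicators(reg_text, system_ini_text=""):
    """Return sorted labels for each persistence indicator present in the exports."""
    hits, section = set(), ""
    for key, values in parse_reg(reg_text).items():
        if key.endswith(RUN_KEY) and DROP_PATH.search(values.get("xpsystem", "")):
            hits.add("run-key:xpsystem")
        if key.endswith(WINNT_KEY) and DROP_PATH.search(values.get("run", "")):
            hits.add("winnt-windows:run")
        if key.endswith(BHO_KEY):
            hits.add("bho-clsid")
    for line in map(str.strip, system_ini_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and line.lower().startswith("load="):
            if DROP_PATH.search(line.split("=", 1)[1].strip()):
                hits.add("system.ini:load")
    return sorted(hits)
```

Version 5.00 registry exports are UTF-16 encoded, so decode the file before passing its text to `find_indicators`.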

