If the reader is a regular on an antispyware board, he or she already knows about CoolWebSearch and the trials its "affiliates" have put the antispyware community through since June of 2003. Thanks to a dedicated crew of researchers, however, each new strain has had a fix developed and applied: in some cases, CWShredder by Merijn Bellekom; in others, manual removal was necessary. Some strains produced their symptoms through .hta files. Some used executables launched at startup to ensure that their hijack would stay on the victim's system. Yet others dropped Browser Helper Objects, which are hard to remove with the current tools other than BHODemon and HijackThis. The most insidious strain, up until about May 10th, 2004, was the real-yellow-pages strain. It used a DLL file that hooked into the Explorer shell instead of into Internet Explorer, and as a result it took a while to find, identify, and kill. This strain still requires manual removal, since a PV.ZIP/runme.bat log is needed to find the DLL responsible. In short, the recent actions of the CoolWebSearch affiliates are engineered purely to escape detection. They seem to have no other goal; they merely place a hijack, then try to hide themselves deep in the shell or in Internet Explorer. Needless to say, they have failed at their task. However, the current flavor of CWS leaves a decidedly nasty taste in the victim's mouth. Outhost.info has seen fit to bundle a vile program called Hacker Defender with its strain of CWS. Hacker Defender is a rootkit for Windows-based machines. (A rootkit is a piece of software that can give remote attackers total control over a machine while hiding itself quite well from the victim.) As usual, Linux, other Unix derivatives, and the Mac OS are immune.
This was a novel approach to CWS in that it used a publicly available piece of software to hide its own hijacks; instead of hooking into a specific process, it created its own process and then hid that from the OS. The rootkit hid the process by hooking the OS calls that would reveal it, and it killed any process that could be considered to work against the rootkit or the item it defended, hence the name "Hacker Defender." The processes that the CWS variant created were visible in the O4 entries of some HijackThis logs. However, these logs could only be created in Safe Mode/VGA Mode, as HijackThis and several other antispyware programs were forcibly closed by the rootkit when they were launched in the victim's normal runtime mode. Hacker Defender had one weakness: it left a file called hxdefdrv.sys visible. This revealed which files were hidden, and from there, one could reboot into Safe Mode and delete the files completely using TheKillBox. If the victim is on a FAT32 filesystem, he or she could boot to a command prompt and delete the files from there. If the system is a dual-boot machine, the victim could boot into the other OS and delete the files without issue. It was not always that simple. Some people had to use the Recovery Console to forcibly kill the processes (Hacker Defender runs as a hidden service; "net stop hackerdefender100" stops that service) and compare their list of services to the normal list. A fix was developed about three days after the first log surfaced, and it has since been disseminated. As for Outhost.info, the author took it upon himself to investigate. Using Network Solutions's WHOIS tool, he determined that the registration entries were forged. The supporting evidence was the twelve-digit phone number to a New York State line, whose country code was "0" rather than the United States' "1"; the address was also obviously falsified, as was the zip/postal code.
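The detection logic described above (a rootkit hides a service and its files from the running system, so the hidden items show up as a gap between what the live session reports and what Safe Mode, the Recovery Console, or a second OS sees on the same disk) can be scripted as a cross-view comparison. The following is an added example, not code from the article or from any of the tools it names; the `sc query` output, file listings, and known-good service list are constructed samples, and the two hidden file names are placeholders.

```python
"""Cross-view comparison: what the live (hooked) Windows session reports
versus what a second view of the same disk reports. Anything present in the
second view but missing from the first is being hidden from the running
system. Added example; all listings below are constructed samples."""
import re

# Constructed sample of `sc query type= service state= all` output taken
# from the live session. The rootkit's service is filtered out of this view.
LIVE_SC_QUERY = """\
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

# Constructed sample of the same query from the Recovery Console / Safe
# Mode, where the hooks are not active. The service name is the one the
# article stops with "net stop hackerdefender100".
OFFLINE_SC_QUERY = LIVE_SC_QUERY + """
SERVICE_NAME: HackerDefender100
DISPLAY_NAME: HackerDefender100
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed directory listings of the same folder from both views.
# hxdefdrv.sys is the file the article says stays visible; the two
# HIDDEN_SAMPLE names are placeholders for files the rootkit hides.
LIVE_FILES = {"kernel32.dll", "ntoskrnl.exe", "hxdefdrv.sys"}
OFFLINE_FILES = LIVE_FILES | {"HIDDEN_SAMPLE_1.exe", "HIDDEN_SAMPLE_2.ini"}

# Constructed baseline: services expected on a clean machine of this build.
KNOWN_GOOD_SERVICES = {"Dnscache", "Spooler", "Eventlog", "RpcSs"}

SERVICE_LINE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.MULTILINE)


def parse_sc_query(text):
    """Return the set of service names found in `sc query` style output."""
    return set(SERVICE_LINE.findall(text))


def hidden_entries(live_view, offline_view):
    """Names the offline view has but the live view does not; the rootkit's
    hiding shows up as exactly this gap between the two views."""
    return sorted(set(offline_view) - set(live_view))


def unknown_services(services, baseline):
    """Services not on the known-good list (the article's 'compare their
    list of services to the normal list')."""
    return sorted(set(services) - set(baseline))


def triage(live_sc, offline_sc, live_files, offline_files, baseline):
    """Run both checks and return the findings as a dict of sorted lists."""
    live_services = parse_sc_query(live_sc)
    offline_services = parse_sc_query(offline_sc)
    return {
        "hidden_services": hidden_entries(live_services, offline_services),
        "hidden_files": hidden_entries(live_files, offline_files),
        "unknown_services": unknown_services(offline_services, baseline),
    }


if __name__ == "__main__":
    result = triage(LIVE_SC_QUERY, OFFLINE_SC_QUERY,
                    LIVE_FILES, OFFLINE_FILES, KNOWN_GOOD_SERVICES)
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

The second view has to come from a boot the rootkit does not control, which is why the article reaches for Safe Mode, the Recovery Console, a FAT32 command prompt, or a dual-boot partner OS; the more independent that view is (another OS, or the disk mounted elsewhere), the less the comparison can be fooled. The baseline check is a weaker signal on its own, since a new but legitimate service also lands on the unknown list, and it is there to catch a service that survived into both views.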
On his attempts to access Outhost.info, the author found that the proprietors had blocked all attempts to load the following URL into browsers: http://www.outhost.info
Instead, the server would return a message stating that the connection was refused, as it pointed requests for that domain to localhost (127.0.0.1). A subdomain was needed, and indeed, any six random letters would work as the subdomain. For example: http://udksek.outhost.info would result in a valid search page with "Cool Web Search" as the title, whereas any subdomain containing numbers would result in a refused connection. The author used Steve Gibson's IDSERVE tool and Sam Spade to obtain and trace the server's IP address, which resolves to the Russian ISP linkey.ru. It would be interesting to investigate possible Russian Mafia connections, but that is outside the author's sphere of investigation, and he has no such resources. In summation, outhost.info's version of CWS is the most dastardly to date, and is easily the most sophisticated. If the reader or one of the reader's friends suspects that he or she is infected by this software, please obtain a copy of HijackThis and post a log in an antispyware forum. A list of recommended antispyware forums can be found at this address: http://www.a-sap.org

- June 7th, 2004
Tuxedo Jack
Trusted Advisor, Spywareinfo.com Forums
"Never forgive the bad ones."

Appendices:

Sam Spade tracert log:

06/08/04 17:35:25 Fast traceroute 213.159.117.194
Trace 213.159.117.194 ...
1 xx.xxx.xxx.xxx 15ms 31ms 16ms TTL: 0 (adsl-xx-xxx-xxx-xxx.dsl.hstntx.swbell.net ok)
2 151.164.11.189 15ms 0ms 0ms TTL: 0 (dist2-vlan60.hstntx.swbell.net ok)
3 151.164.11.230 0ms 31ms 16ms TTL: 0 (bb1-g1-2-0.hstntx.swbell.net ok)
4 151.164.188.5 0ms 16ms 16ms TTL: 0 (core1-p6-1.crhstx.sbcglobal.net ok)
5 151.164.188.98 47ms 47ms 31ms TTL: 0 (core2-p1-0.crhstx.sbcglobal.net ok)
6 151.164.240.114 0ms 47ms 47ms TTL: 0 (core1-p11-0.cratga.sbcglobal.net ok)
7 151.164.241.86 47ms 15ms 16ms TTL: 0 (core2-p8-0.cratga.sbcglobal.net ok)
8 151.164.241.93 16ms 78ms 15ms TTL: 0 (core2-p11-0.crhnva.sbcglobal.net ok)
9 151.164.191.102 63ms 31ms 46ms TTL: 0 (bb2-p4-0.hrndva.sbcglobal.net ok)
10 151.164.40.53 31ms 62ms 31ms TTL: 0 (ex2-p11-0.eqabva.sbcglobal.net ok)
11 151.164.248.54 46ms 31ms 46ms TTL: 0 (asn5511-france-telecom.eqabva.sbcglobal.net ok)
12 193.251.243.117 16ms 31ms 31ms TTL: 0 (P9-0.OAKCR2.Oakhill.opentransit.net ok)
13 193.251.243.81 15ms 32ms 32ms TTL: 0 (P3-0.OAKCR1.Oakhill.opentransit.net ok)
14 193.251.243.169 93ms 109ms 109ms TTL: 0 (P0-0.AUVCR1.Aubervilliers.opentransit.net ok)
15 193.251.243.218 93ms 109ms 109ms TTL: 0 (P0-0.AUVCR2.Aubervilliers.opentransit.net ok)
16 193.251.132.73 109ms 125ms 141ms TTL: 0 (So0-0-0.FFTCR1.Frankfurt.opentransit.net ok)
17 193.251.129.90 110ms 140ms 157ms TTL: 0 (P11-0.COPBB2.Copenhagen.opentransit.net ok)
18 193.251.240.81 125ms 157ms 140ms TTL: 0 (P9-0.COPBB1.Copenhagen.opentransit.net ok)
19 193.251.240.154 156ms 218ms 156ms TTL: 0 (P9-0.STHBB1.Stockholm.opentransit.net ok)
20 193.251.249.222 141ms 188ms 187ms TTL: 0 (ENSYSEquantRussia3.GW.opentransit.net bogus rDNS: host not found [authoritative])
21 212.176.255.41 172ms 171ms 172ms TTL: 0 (Petersburg10-F0-0-0.RoSprint.net ok)
22 195.151.242.185 172ms 219ms 172ms TTL: 0 (LINKEY-gw.rosprint.net bogus rDNS: host not found [authoritative])
23 213.159.96.54 172ms 188ms 156ms TTL: 0 (96.54.linkey.ru ok)
24 213.159.117.194 172ms 188ms 172ms TTL: 42 (No rDNS)

Network Solutions WHOIS log:

Domain ID:D5903458-LRMS
Domain Name:OUTHOST.INFO
Created On:29-Apr-2004 22:25:54 UTC
Last Updated On:28-May-2004 21:51:00 UTC
Expiration Date:29-Apr-2006 22:25:54 UTC
Sponsoring Registrar:R170-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C4655653-LRMS
Registrant Name:Idoo Menson
Registrant Organization:OutHost Company
Registrant Street1:Sisco str.329 office.152
Registrant City:NewYork
Registrant State/Province:us
Registrant Postal Code:507207
Registrant Country:US
Registrant Phone:+0.072640597
Registrant FAX:+0.072640597
Registrant Email:out@outhost.info
Admin ID:C4655654-LRMS
Admin Name:Idoo Menson
Admin Organization:OutHost Company
Admin Street1:Sisco str.329 office.152
Admin City:NewYork
Admin State/Province:us
Admin Postal Code:507207
Admin Country:US
Admin Phone:+0.072640597
Admin Email:out@outhost.info
Billing ID:C4655656-LRMS
Billing Name:Idoo Menson
Billing Organization:OutHost Company
Billing Street1:Sisco str.329 office.152
Billing City:NewYork
Billing State/Province:us
Billing Postal Code:507207
Billing Country:US
Billing Phone:+0.072640597
Billing Email:out@outhost.info
Tech ID:C4655655-LRMS
Tech Name:Idoo Menson
Tech Organization:OutHost Company
Tech Street1:Sisco str.329 office.152
Tech City:NewYork
Tech State/Province:us
Tech Postal Code:507207
Tech Country:US
Tech Phone:+0.072640597
Tech Email:out@outhost.info
Name Server:NS1.SMARTDNS.ORG
Name Server:NS2.SMARTDNS.ORG

IDServe logs:

Initiating server query ...
Looking up IP address for domain: udksek.outhost.info
The IP address for the domain is: 213.159.117.194
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Date: Tue, 08 Jun 2004 22:41:04 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.5RC3 mod_ssl/2.8.16 OpenSSL/0.9.7a rus/PL30.19
X-Powered-By: PHP/4.3.5RC3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Query complete.

Initiating server query ...
Looking up the domain name for IP: 213.159.117.194
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Date: Tue, 08 Jun 2004 22:36:28 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.5RC3 mod_ssl/2.8.16 OpenSSL/0.9.7a rus/PL30.19
X-Powered-By: PHP/4.3.5RC3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Query complete.
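The inconsistencies the author spotted by hand in the WHOIS record above (a "+0" calling code on a supposedly US number, a six-digit "zip" code, a state field that just repeats the country, and a domain registered only weeks before it was seen serving the hijack) are the kind of checks worth automating when triaging a registrant record. The following is an added example, not the article's code or Network Solutions' tooling; the record is transcribed from the appendix (registrant block only), the observation date is the date of the IDServe queries, and the 90-day "young domain" threshold is an assumed cut-off.

```python
"""Sanity checks on a WHOIS registrant record. Added example; the record
below is the registrant block of the appendix's WHOIS log, and the clean
contact used in the usage at the bottom is a constructed sample."""
import re
from datetime import datetime

WHOIS_RECORD = """\
Domain Name:OUTHOST.INFO
Created On:29-Apr-2004 22:25:54 UTC
Registrant Name:Idoo Menson
Registrant Organization:OutHost Company
Registrant Street1:Sisco str.329 office.152
Registrant City:NewYork
Registrant State/Province:us
Registrant Postal Code:507207
Registrant Country:US
Registrant Phone:+0.072640597
"""

# Date of the appendix's IDServe queries, used as the observation time.
OBSERVED_AT = datetime(2004, 6, 8)

US_STATES = set(
    "AL AK AZ AR CA CO CT DE DC FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN "
    "MS MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA "
    "WV WI WY".split()
)


def parse_whois(text):
    """Split 'Key:Value' lines into a dict; the first colon ends the key."""
    record = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            record[key.strip()] = value.strip()
    return record


def phone_country_code(phone):
    """Calling code from the registrar's '+CC.number' format, else None."""
    match = re.fullmatch(r"\+(\d{1,3})\.(\d+)", phone)
    return match.group(1) if match else None


def check_contact(record, role="Registrant"):
    """Return (code, message) findings for one contact block of the record."""
    findings = []
    country = record.get(f"{role} Country", "").upper()
    phone = record.get(f"{role} Phone", "")
    cc = phone_country_code(phone)
    if cc is None or cc.startswith("0"):
        # No calling code begins with 0, so "+0." cannot be a real number.
        findings.append(("phone_country_code",
                         f"{role} phone {phone!r} has no valid calling code"))
    elif country == "US" and cc != "1":
        findings.append(("phone_country_code",
                         f"{role} phone uses +{cc} but country is US (+1)"))
    if country == "US":
        postal = record.get(f"{role} Postal Code", "")
        if not re.fullmatch(r"\d{5}(-\d{4})?", postal):
            findings.append(("postal_code",
                             f"{role} postal code {postal!r} is not a US ZIP"))
        state = record.get(f"{role} State/Province", "").upper()
        if state not in US_STATES:
            findings.append(("state_province",
                             f"{role} state {state!r} is not a US state code"))
    return findings


def domain_age_days(record, observed):
    """Whole days between the 'Created On' timestamp and `observed`."""
    created = datetime.strptime(record["Created On"].replace(" UTC", ""),
                                "%d-%b-%Y %H:%M:%S")
    return (observed - created).days


def assess(text, observed, young_days=90):
    """Parse the record and combine contact checks with the age check."""
    record = parse_whois(text)
    findings = check_contact(record)
    age = domain_age_days(record, observed)
    if age < young_days:
        findings.append(("young_domain",
                         f"domain registered {age} days before observation"))
    return {"age_days": age, "findings": findings}


if __name__ == "__main__":
    for code, message in assess(WHOIS_RECORD, OBSERVED_AT)["findings"]:
        print(f"[{code}] {message}")
```

None of these findings proves forgery on its own (registrars accept sloppy data, and plenty of legitimate domains are days old), but a record that fails every field consistency check while serving a hijack is the pattern the author describes, and the checks are cheap enough to run on every record pulled during an investigation.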