October 01, 2004

Spyware and adware rogues' gallery

The ranks of spyware and adware expand daily, but some take root more often than others. Here are six of the usual suspects.

These spyware and adware mischief-makers have taken root on more than their share of hard disks. Symptoms include performance and compatibility problems, not to mention continuous pop-up invasions.

1: Name: CoolWebSearch

Aliases: CWS

Actions: CWS has more than three dozen variants, with new variants being released almost weekly. Typically, CWS blocks access to popular search engines and redirects users to coolwebsearch.com or other off-brand search sites. Entering incorrect or incomplete URLs results in users getting redirected to adult sites or obscure search sites. It adds links -- often to hardcore pornography sites -- to browser favorites/bookmarks menus. It also pops up ads -- again often for hardcore sites -- and changes default start pages to adulthyperlinks.com, allhyperlinks.com, or other ad-heavy directories or adult sites.

Security issues: CWS program code is remotely updated, apparently from a server in Russia. Some variants add CWS’ servers to Internet Explorer’s Trusted Sites list, enabling program code -- not limited to CWS code -- to be installed or altered without permission. Some variants collect and transmit personally identifiable information back to CWS servers.

Other issues: CWS severely impacts an infected computer’s performance. Software may freeze or crash, especially Internet Explorer. IE performance is noticeably slowed, particularly page scrolling. Microsoft tech support has had reports of computers locking up, crashing, and rebooting repeatedly due to CWS issues.

Transmission method: More than 1,000 domains are known to be affiliates of CWS. Affiliates get paid per referral/click-through to coolwebsearch.com. Users visiting any one of the affiliate sites may install CWS software by carelessly clicking on a pop-up or other ad. CWS has apparently been installed without user knowledge or permission via unpatched IE security holes.
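The start-page change and Trusted Sites additions described above leave traces in the per-user registry. As an added example (not part of the original article), this sketch scans the text of a registry export for both. The registry locations are Internet Explorer's standard start-page and ZoneMap keys, which the article does not name, and the sample export is constructed.

```python
import re
from urllib.parse import urlsplit

# Domains the article names as CWS redirect or start-page targets.
CWS_DOMAINS = ("coolwebsearch.com", "adulthyperlinks.com", "allhyperlinks.com")
ZONEMAP = r"\internet settings\zonemap\domains" + "\\"
IE_MAIN = r"\software\microsoft\internet explorer\main"
TRUSTED = 2  # Internet Explorer zone number for "Trusted sites"

def is_cws(host):
    return any(host == d or host.endswith("." + d) for d in CWS_DOMAINS)

def audit(reg_text):
    """Scan decoded .reg export text; return (kind, host, names_cws_domain) tuples."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # current registry key
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2).lower()
        if ZONEMAP in key and data.startswith("dword:"):
            if int(data[6:], 16) == TRUSTED:
                # Domains\example.com\www means www.example.com
                labels = key.split(ZONEMAP, 1)[1].split("\\")
                host = ".".join(reversed(labels))
                findings.append(("trusted-site", host, is_cws(host)))
        elif key.endswith(IE_MAIN) and name == "start page":
            host = urlsplit(data.strip('"')).hostname or ""
            findings.append(("start-page", host, is_cws(host)))
    return findings

# Constructed sample export (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://allhyperlinks.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example\portal]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example]
"*"=dword:00000004
'''
```

Calling `audit(SAMPLE)` returns the start page and both Trusted Sites entries, with only the two that name a CWS domain marked `True`; registry exports are normally UTF-16, so decode the file before passing its text in. Trusted Sites entries that match no known domain are still returned for manual review, since the article says CWS adds its own servers to that list.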

2: Name: Xupiter

Aliases: OrbitExplorer (latest Xupiter variant)

Actions: Xupiter launches pop-up ads, changes default home pages, redirects mistyped or incomplete URLs to affiliate sites, redirects search requests to off-brand search sites, and adds Xupiter links to bookmarks/favorites. Xupiter blocks any attempts to restore the original browser settings or to delete Xupiter favorites.

Security issues: Xupiter’s privacy policy notes that Xupiter -- or its partners -- may deliver programming fixes, updates, and upgrades via automatic updates. “Users” are also advised that conflicts may occur with other applications and that Xupiter will determine what those applications are so that the company can resolve these conflicts whenever possible. Several versions of Xupiter appear to download other programs such as gambling games onto affected computers.

Other issues: Technical support representatives at Microsoft’s help center say Xupiter has odd effects on Windows XP, making it impossible for some users to open directories such as My Computer on infected computers.

Transmission method: Xupiter is installed via an Internet Explorer toolbar program. Some users claim the toolbar was installed without their permission on unpatched versions of IE. The toolbar may be downloaded via Web sites, links in spam advertising a “Free Christian Toolbar” or a pop-up blocker program, or via links in pop-up ads.

 

©1994-2009 Infoworld, Inc.