CoolWebSearch.f0r0r
Category: Trojan
Risk: Severe
* Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high likelihood of system damage or a security breach: the attacker can take complete control of the computer or install new software on it.
Description: f0r0r is a trojan horse that is usually hard to remove manually. Infected computers tend to have their browser hijacked, usually to a site such as http://ssearch.biz/?wmid=1010. Slow internet connections, interrupted browsing, and loss of the Back button in Internet Explorer can also be expected. A sign of infection is ppi.exe and dirote.exe appearing in the Task Manager's process list. The folder "%System%\f0r0r\" is hidden and stays invisible even when Windows Explorer is configured to show hidden and system files; the directory can be seen when the computer is booted from a Linux start-up CD, because nothing from the infected system is running then. f0r0r is protected by Hacker Defender, an open-source NT rootkit. Hacker Defender installs a device driver and hooks the Windows API, which lets it hide a directory with a particular name while the files inside it continue to exist, hide open ports from a port scanner while still allowing connections to and from those ports, and hide processes in memory from process managers, along with other tricks. Because every check made from inside the running system (dir, Task Manager, a local port scan) goes through the hooked API, such a check can be lied to; an infection should be confirmed from a view taken outside the running system, such as the Linux boot CD.
Alias: CoolWebSearch.SmartSearch
Signatures:
process: repcale.exe: MD5 Hash: c1612c37e650458837f
process: redroses.exe: MD5 Hash: 4f9957064ab54ac897a..
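The cross-view check that the description implies, as an added example that is not part of this entry: a listing of %System% taken from the live (hooked) system is diffed against the same directory listed from a Linux boot CD, and the live process list and Internet Explorer start page are checked against the indicators named in the description and the signature list above. All three listings in the block are constructed samples for this example, not captures from a real infection, and the parsers assume file names without embedded spaces.

```python
"""Cross-view check for a Hacker Defender-style rootkit hiding f0r0r.

Any listing taken from inside the infected Windows system (dir, Task Manager,
a local port scan) passes through the hooked API and can omit whatever the
rootkit was told to hide.  A listing taken from outside the running system
(the Linux boot CD in the write-up) does not.  Diffing the two exposes the
hidden entries.  All listings below are constructed samples for this example,
not captures from a real infection.
"""
from urllib.parse import urlparse

# Indicators named in the description and signature list above.
KNOWN_PROCESSES = {"ppi.exe", "dirote.exe", "repcale.exe", "redroses.exe"}
HIDDEN_DIR_NAME = "f0r0r"
HIJACK_HOST = "ssearch.biz"

# Constructed: `dir /a` of %System% as the live (hooked) system shows it.
LIVE_SYSTEM_DIR = """\
 Directory of C:\\WINDOWS\\system32

05/18/2005  11:22 AM    <DIR>          .
05/18/2005  11:22 AM    <DIR>          ..
05/18/2005  11:22 AM    <DIR>          drivers
05/18/2005  11:22 AM           984,064 kernel32.dll
05/18/2005  11:22 AM           577,536 user32.dll
"""

# Constructed: the same directory listed with `ls -la` from a Linux boot CD.
OFFLINE_SYSTEM_DIR = """\
drwxrwxrwx 1 root root    4096 May 18 11:22 .
drwxrwxrwx 1 root root    4096 May 18 11:22 ..
drwxrwxrwx 1 root root    4096 May 18 11:22 drivers
drwxrwxrwx 1 root root    4096 May 18 11:22 f0r0r
-rwxrwxrwx 1 root root  984064 May 18 11:22 kernel32.dll
-rwxrwxrwx 1 root root   40960 May 18 11:22 ppi.exe
-rwxrwxrwx 1 root root  577536 May 18 11:22 user32.dll
"""

# Constructed: `tasklist` output from the live system.
LIVE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
explorer.exe                  1234 Console                    0     12,345 K
ppi.exe                       1456 Console                    0      2,048 K
dirote.exe                    1502 Console                    0      1,024 K
"""


def parse_dir_listing(text):
    """Names from Windows `dir` output: only lines that start with a date."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        # dir prints the name last; assumes no embedded spaces in names.
        if len(parts) >= 4 and parts[0][:2].isdigit() and parts[0][2] == "/":
            names.add(parts[-1].lower())  # Windows names are case-insensitive
    names.discard(".")
    names.discard("..")
    return names


def parse_ls_listing(text):
    """Names from `ls -l` output: only lines that start with a mode string."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0][0] in "d-l":
            names.add(parts[-1].lower())
    names.discard(".")
    names.discard("..")
    return names


def cross_view_hidden(live_names, offline_names):
    """Entries present in the outside view but missing from the live view."""
    return sorted(offline_names - live_names)


def suspicious_processes(tasklist_text):
    """Image names in tasklist output that match the known f0r0r processes."""
    found = set()
    for line in tasklist_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in KNOWN_PROCESSES:
            found.add(parts[0].lower())
    return sorted(found)


def is_hijacked_start_page(url):
    """True if the browser start page points at the hijack domain."""
    host = (urlparse(url).hostname or "").lower()
    return host == HIJACK_HOST or host.endswith("." + HIJACK_HOST)


def assess(live_dir, offline_dir, tasklist_text, start_page):
    """Combine the three checks into one verdict dictionary."""
    hidden = cross_view_hidden(parse_dir_listing(live_dir),
                               parse_ls_listing(offline_dir))
    return {
        "hidden_entries": hidden,
        "rootkit_dir_present": HIDDEN_DIR_NAME in hidden,
        "suspicious_processes": suspicious_processes(tasklist_text),
        "start_page_hijacked": is_hijacked_start_page(start_page),
    }


if __name__ == "__main__":
    verdict = assess(LIVE_SYSTEM_DIR, OFFLINE_SYSTEM_DIR, LIVE_TASKLIST,
                     "http://ssearch.biz/?wmid=1010")
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The directory diff is the part that survives the rootkit: on the sample data it reports f0r0r and ppi.exe as present on disk but absent from the live listing, which is exactly what Hacker Defender's hooks are meant to produce. The process and start-page checks run against live data and are useful only while the rootkit is not hiding those names too; the same diff technique applies to ports (compare a scan from another host with the infected machine's own netstat output).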
Copyright @2006 THR Computer Solutions: CoolWebSearch.f0r0r