{b900e7a3-fcd1-47c1-b115-fd395e151eb6}w64.sys

Lampy Lighty

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {b900e7a3-fcd1-47c1-b115-fd395e151eb6}w64.sys by Lampy Lighty has been detected as adware by 24 anti-malware scanners. It runs as a Windows 64-bit kernel-mode device driver named "{b900e7a3-fcd1-47c1-b115-fd395e151eb6}w64". It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by Lampy Lighty)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
1a93351de20414b1546b3cf4ab39b72d

SHA-1:
b4875ffed2b5a3ac14a69b717085532e44778d6e

SHA-256:
b9ea72b4013e900113f3684201bae27af0fb3424e10602d9c9cf5b00ffc1bf61

Scanner detections:
24 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/25/2024 9:58:39 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.CH | 705
Agnitum Outpost | Riskware.Agent | 7.1.1
AVG | Generic | 2016.0.3183
Baidu Antivirus | Adware.Win64.BrowseFox | 4.0.3.1532
Bitdefender | Adware.SwiftBrowse.CH | 1.0.20.305
Clam AntiVirus | Win.Adware.Swiftbrowse-497 | 0.98/21511
Dr.Web | Tool.NetFilter.313 | 9.0.1.061
Emsisoft Anti-Malware | Adware.SwiftBrowse.CH | 8.15.03.02.03
ESET NOD32 | Win64/BrowseFox.CC (variant) | 9.11082
Fortinet FortiGate | Adware/BrowseFox | 3/2/2015
F-Prot | W64/A-59c9c70a | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.CH | 11.2015-02-03_2
G Data | Adware.SwiftBrowse.CH | 15.3.25
K7 AntiVirus | Adware | 13.192.14775
Malwarebytes | Adware.SwiftBrowse | v2015.03.02.03
McAfee | Artemis!1A93351DE204 | 5600.6839
MicroWorld eScan | Adware.SwiftBrowse.CH | 16.0.0.183
NANO AntiVirus | Riskware.Win64.NetFilter.dmocfi | 0.30.0.65070
nProtect | Adware.SwiftBrowse.CH | 15.01.27.01
Reason Heuristics | PUP.Yontoo | 15.3.2.3
Trend Micro House Call | Suspicious_GEN.F47V0118 | 7.2.61
Trend Micro | HS_BROWSEFOX.SM | 10.465.02
VIPRE Antivirus | Trojan.Win32.Generic | 37018
Zillya! Antivirus | Adware.Yotoon.Win64.14 | 2.0.0.2047

File size:
47.6 KB (48,792 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{b900e7a3-fcd1-47c1-b115-fd395e151eb6}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/5/2014 1:00:00 AM

Valid to:
8/6/2015 12:59:59 AM

Subject:
CN=Lampy Lighty, O=Lampy Lighty, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7781DD1C520C847A823706BB0C57BEB8

File PE Metadata
Compilation timestamp:
1/18/2015 1:33:01 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lP7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD36vt:9FID6EGnLA8AFJTNEVmDE

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{b900e7a3-fcd1-47c1-b115-fd395e151eb6}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI