{bbb14e79-8bca-4abd-b124-4d30f9a4e2ad}t.sys

ConstaSurf

This file is part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {bbb14e79-8bca-4abd-b124-4d30f9a4e2ad}t.sys by ConstaSurf has been detected as adware by 32 anti-malware scanners. It runs as a Windows kernel mode device driver named “{bbb14e79-8bca-4abd-b124-4d30f9a4e2ad}t”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by ConstaSurf)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
7bc483b78eb7949480067e4def6210d2

SHA-1:
05fa5f96cf60a09fdfcfb40e135358cc235a3ea0

SHA-256:
0e2acb3da92e6495fad87788ff6875d4b988fac14d4ef73bc109864e66623c92

Scanner detections:
32 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/26/2024 9:12:11 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.N | 358
Agnitum Outpost | PUA.Yotoon | 7.1.1
AhnLab V3 Security | Win-PUP/BrowseFox.Gen | 2014.10.03
Avira AntiVirus | Adware/BrowseFox.A.282 | 7.11.177.186
avast! | Win32:BrowseFox-AC [PUP] | 2014.9-160212
AVG | Consurf | 2017.0.2836
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.16212
Bitdefender | Adware.SwiftBrowse.N | 1.0.20.215
Bkav FE | W32.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Netfilter-130 | 0.98/20563
Comodo Security | TrojWare.Win32.AltBrowse.IZZV | 21254
Dr.Web | Trojan.Yontoo.1734 | 9.0.1.043
Emsisoft Anti-Malware | Adware.SwiftBrowse.N | 8.16.02.12.05
ESET NOD32 | Win32/Komodia.A potentially unsafe application | 10.7.0.302.0
F-Prot | W32/A-dd00b781 | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.N | 11.2016-12-02_6
G Data | Adware.SwiftBrowse | 16.2.24
IKARUS anti.virus | PUA.RiskWare.NetFilter | t3scan.1.7.8.0
Malwarebytes | PUP.Optional.ConstaSurf.A | v2016.02.12.05
McAfee | Artemis!A7A42F261D94 | 5600.6492
MicroWorld eScan | Adware.SwiftBrowse.N | 17.0.0.129
NANO AntiVirus | Trojan.Win32.BPlug.dcxxfx | 0.28.2.62440
Norman | Adware.SwiftBrowse.N | 11.20160212
nProtect | Adware.SwiftBrowse.N | 14.10.02.01
Reason Heuristics | PUP.Yontoo.ConstaSurf (M) | 16.2.12.5
Sophos | PUA 'Browse Fox' | 5.15
SUPERAntiSpyware | Adware.BrowseFox | 9329
Trend Micro House Call | TROJ_SPNV.03I614 | 7.2.43
Trend Micro | TROJ_SPNV.03I614 | 10.465.12
Vba32 AntiVirus | AdWare.Win64.Yotoon | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic | 33624
Zillya! Antivirus | Adware.Yotoon.Win64.2 | 2.0.0.1941

File size:
53.9 KB (55,232 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win32 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{bbb14e79-8bca-4abd-b124-4d30f9a4e2ad}t.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/19/2014 7:00:00 AM

Valid to:
3/20/2015 6:59:59 AM

Subject:
CN=ConstaSurf, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ConstaSurf, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
46A82C62F93896A2C29C94EC6C4D8A3D

File PE Metadata
Compilation timestamp:
7/31/2014 2:33:58 AM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:jYbP7EDNtMTw/RWDjR/McKV5qEXGBJgxgZ+4AOmvtnBu6+RRch2H:QP7EJSTukuzTrGYs+JNButRy8H

Entry address:
0xA73E

Entry point:
8B, FF, 55, 8B, EC, E8, BD, FF, FF, FF, 5D, E9, CA, E3, FF, FF, CC, CC, B4, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 84, AB, 00, 00, 94, 90, 00, 00, A0, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BA, AB, 00, 00, 80, 90, 00, 00, AC, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D6, AB, 00, 00, 8C, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A6, AB, 00, 00, 92, AB, 00, 00, 00, 00, 00, 00, C2, AB, 00, 00, 00, 00, 00, 00, AC, A8, 00, 00, C4, A8, 00, 00, D6, A8...

Entropy:
6.3510

Code size:
36.3 KB (37,120 bytes)

Driver
Display name:
{bbb14e79-8bca-4abd-b124-4d30f9a4e2ad}t

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI
