{f1620f27-1d71-456a-878a-996942b94131}gw.sys

Mountain Bike

Part of the Yontoo adware, a web browser plugin that injects unwanted ads into the browser. The file {f1620f27-1d71-456a-878a-996942b94131}gw.sys by Mountain Bike has been detected as adware by 25 anti-malware scanners. It runs as a Windows kernel mode device driver named “{f1620f27-1d71-456a-878a-996942b94131}Gw”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by Mountain Bike)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
39c1ff61c84cc3ca4ee5b88f30b1372d

SHA-1:
82e284d6a1648b3440c27388fb9038d9420e002f

SHA-256:
4dcd6f0ccb7c8f4e53ff8cffac63f389d8106aceb89dc5c778c59ec0a2f441ac

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/26/2024 8:35:35 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.BrowseFox.V | 617
Agnitum Outpost | PUA.BrowseFox | 7.1.1
Avira AntiVirus | ADWARE/BrowseFox.A.1227 | 3.6.1.96
AVG | Generic | 2016.0.3095
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.15528
Bitdefender | Adware.BrowseFox.V | 1.0.20.740
Bkav FE | W32.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Netfilter-134 | 0.98/21511
Comodo Security | TrojWare.Win32.AltBrowse.IZZV | 21588
Dr.Web | Trojan.Yontoo.1742 | 9.0.1.0148
Emsisoft Anti-Malware | Adware.BrowseFox.V | 8.15.05.28.05
ESET NOD32 | Win32/NetFilter.A potentially unsafe (variant) | 9.11398
Fortinet FortiGate | Riskware/NetFilter | 5/28/2015
F-Prot | W32/S-a7161e1c | v6.4.7.1.166
F-Secure | Adware.BrowseFox.V | 11.2015-28-05_5
G Data | Adware.BrowseFox | 15.5.25
K7 AntiVirus | Unwanted-Program | 13.202.15424
McAfee | Artemis!39C1FF61C84C | 5600.6751
MicroWorld eScan | Adware.BrowseFox.V | 16.0.0.444
nProtect | Adware.BrowseFox.V | 15.03.30.01
Reason Heuristics | PUP.Yontoo.MountainBike | 15.5.28.17
Sophos | Generic PUA IC | 4.98
Vba32 AntiVirus | AdWare.Zaitu | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic | 38896
Zillya! Antivirus | Backdoor.CPEX.Win32.29350 | 2.0.0.2121

File size:
42.1 KB (43,152 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win32 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{f1620f27-1d71-456a-878a-996942b94131}gw.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/10/2015 10:00:00 PM

Valid to:
1/11/2016 9:59:59 PM

Subject:
CN=Mountain Bike, O=Mountain Bike, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
25B97080EDAA57F7AD57607CEEA9C13E

File PE Metadata
Compilation timestamp:
3/29/2015 9:10:11 AM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:SN0457WBZwpHs63E+X7BIrTsCEziDH+JgrVJddIgv:GhUcpH/0+LCf7EziDHhdR

Entry address:
0xA03E

Entry point:

Code size:
28 KB (28,672 bytes)

Driver
Display name:
{f1620f27-1d71-456a-878a-996942b94131}Gw

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


Remove {f1620f27-1d71-456a-878a-996942b94131}gw.sys - Powered by Reason Core Security