MsgPlusDriver.sys

Messenger Plus! Virtual Camera

Kimahri Software inc.

This adware is built and distributed with the Crossrider platform as a web browser advertisement-injecting extension. Once installed in the browser, it hijacks various browser settings (homepage, search), may interfere with and track browsing behavior, and delivers ads. The file MsgPlusDriver.sys, “MsgPlusDriver WDM Driver” by Kimahri Software inc., has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It runs as a Windows 64-bit kernel-mode device driver named “Messenger Plus! Virtual Camera”. It is part of the Brightcircle group of web extensions that inject advertisements into the browser.
Publisher:
Yune Software (signed by Kimahri Software inc.)

Product:
Messenger Plus! Virtual Camera

Description:
MsgPlusDriver WDM Driver

Version:
5, 5, 0, 761 built by: WinDDK

MD5:
3c1440dd26e8e2bf9b69a65402611c8c

SHA-1:
765dd3448ee095e43a966655f0eff0c6ed94234f

SHA-256:
21ee0e4f74358b5f613f49226aac38392ad285d60302e6ca84bec6e794f340c9

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
7/7/2020 9:40:01 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.KimahriSoftwareinc.Q

Engine version:
14.3.2.13

File size:
95.9 KB (98,192 bytes)

Product version:
5, 5, 0, 761

Copyright:
(c) Yuna Software, All rights reserved.

Original file name:
MsgPlusDriver.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\msgplusdriver.sys

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/20/2012 9:00:00 PM

Valid to:
6/21/2013 8:59:59 PM

Subject:
CN=Kimahri Software inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Kimahri Software inc., L=Montreal, S=Quebec, C=CA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
07C63B61BAA996BF90FF340CD94B17DA

File PE Metadata
OS bitness:
Win64

CTPH (ssdeep):
1536:WXm+06HA9zl7EDDnDDtDDI4DDDbDDD1Do5h15iMSxSDDDDDDDLDDDDDDDeTDDDDF:omwA9zlERwRIq6

Entry point:

Driver
Display name:
Messenger Plus! Virtual Camera

Service name:
MsgPlusDriver

Type:
Kernel device driver (KernelDriver)


Remove MsgPlusDriver.sys - Powered by Reason Core Security