focusbase - 27% Detection Rate *

Did you just run into a download or a file on your computer that has a digital signature from focusbase? Some of the security products refers to the detected files as Focusbase.C90 and Adware/BrowserFox. The detection rate for the focusbase files collected here is 27%. Please read on for more details.

You will typically see focusbase when running the file. The publisher name shows up as the "Verified publisher" in the UAC dialog as the screengrab shows:

Screenshot where focusbase appears as the verified publisher in the UAC dialog

You can also view the focusbase certificate with the following procedure:

  1. Open Windows Explorer and locate the focusbase file
  2. Right-click on the file and select Properties
  3. Click on the Digital Signatures tab
  4. Click the View Certificate button

Here is a screenshot of a file that has been digitally signed by focusbase:

Screenshot of the focusbase certificate

As you can see in the screenshot above, Windows states that "This digital signature is OK". This means that the file has been published by focusbase and that the file has not been tampered with.

If you click the View Certificate button shown in the screenshot above, you can see all the details of the certificate, such as when it was issued, who issued the certificate, how long it is valid, etc. You can also examine the address for focusbase, such as the street name, city and country.

VeriSign Class 3 Code Signing 2010 CA has issued the focusbase certificates. You can also view the details of the issuer by clicking the View Certificate button shown in the screenshot above.

focusbase Files

The following are the focusbase files I've gathered, thanks to the FreeFixer users.

Detection RatioFile Name
19/54focusbasebho.dll
14/55updatefocusbase.exe
22/54{2b929fe1-284b-4766-afb9-19b0915b99b0}gw.sys
1/54{c8905eec-9eab-447c-84a8-9e864d454523}gw.sys
9/54{2b929fe1-284b-4766-afb9-19b0915b99b0}w.sys
7/53{2b929fe1-284b-4766-afb9-19b0915b99b0}gw64.sys
4/51{2b929fe1-284b-4766-afb9-19b0915b99b0}gw64.sys
10/54{2b929fe1-284b-4766-afb9-19b0915b99b0}gw64.sys
12/54{2b929fe1-284b-4766-afb9-19b0915b99b0}gw64.sys
12/55{2b929fe1-284b-4766-afb9-19b0915b99b0}gw64.sys
29/53focusbasebho.dll
11/54focusbasebho.dll
9/54{2b929fe1-284b-4766-afb9-19b0915b99b0}t.sys
9/55{2b929fe1-284b-4766-afb9-19b0915b99b0}gt64.sys
31/54focusbasebho.dll
1/53{2b929fe1-284b-4766-afb9-19b0915b99b0}w64.sys

Scanner and Detection Names

Here's the detection names for the focusbase files. I have grouped the detection names by each scanner engine. Thanks to VirusTotal for the scan results.

ScannerDetection Names
AVGBrowseFox.F, Focusbase.C90
AVwareYontoo (fs), Trojan.Win32.Generic!BT, Adware.SwiftBrowse
Ad-AwareGen:Variant.Adware.BHO.Agent.4, Adware.Mplug.DC
AgnitumPUA.Yotoon!, Trojan.BPlug!, PUA.Agent!, Riskware.Agent!
AntiVirAPPL/BrowseFox.Gen2
Antiy-AVLGrayWare[AdWare:not-a-virus,HEUR]/MSIL.Kranet, GrayWare[AdWare:not-a-virus]/Win32.Agent
Baidu-InternationalAdware.Win32.BrowseFox.focu, Adware.Win32.BrowseFox.bO
BitDefenderGen:Variant.Adware.BHO.Agent.4, Adware.Mplug.DC
ClamAVWin.Adware.Swiftbrowse-79, Win.Adware.Swiftbrowse-8
ComodoApplication.Win32.Altbrowse.AK, TrojWare.Win32.AltBrowse.IZZV
DrWebTrojan.BPlug.17, Trojan.BPlug.123, Trojan.BPlug.141, Trojan.BPlug.117
ESET-NOD32a variant of Win32/BrowseFox.F, a variant of Win32/BrowseFox.H, a variant of Win64/BrowseFox.R, a variant of Win32/BrowseFox.O
EmsisoftGen:Variant.Adware.BHO.Agent.4 (B), Adware.Mplug.DC (B)
F-ProtW32/A-dd00b781!Eldorado, W64/A-7883d091!Eldorado
F-SecureGen:Variant.Adware.BHO.Agent.4, Adware.Mplug.DC
FortinetAdware/Agent
GDataGen:Variant.Adware.BHO.Agent.4, Adware.Mplug.DC
Ikarusnot-a-virus:AdWare.Win32.Agent, PUA.BrowseFox, AdWare.SpadeCast
JiangminAdWare/Yotoon.l, AdWare/Yotoon.m
K7AntiVirusUnwanted-Program ( 00454f261 )
K7GWTrojan ( 050000001 )
Kasperskynot-a-virus:AdWare.Win32.Agent.ahbx, not-a-virus:HEUR:AdWare.MSIL.Kranet.heur
KingsoftWin32.Troj.Agent.ah.(kcloud), Win32.Troj.Generic.a.(kcloud)
MalwarebytesPUP.Optional.FocusBase.A
McAfeeArtemis!727802C73DBF, Artemis!27FD31B7E7DF, Artemis!57493352C11F, Artemis!943AFB13EB84, Artemis!76D05886FD97, Artemis!DD786C38247C
McAfee-GW-EditionArtemis, Artemis!57493352C11F, Artemis!76D05886FD97, BehavesLike.Win64.Suspicious.qh, Artemis!DD786C38247C
MicroWorld-eScanGen:Variant.Adware.BHO.Agent.4
NANO-AntivirusRiskware.Win32.Agent.crkvek, Riskware.Win32.Yotoon.ddghtt, Trojan.Win32.BPlug.dcxxfx
PandaTrj/Chgt.D, Adware/BrowserFox, Trj/CI.A
Qihoo-360Win32/Virus.Adware.e4c, HEUR/Malware.QVM30.Gen
SUPERAntiSpywareAdware.BrowseFox/Variant
SophosGeneric PUA IE, BrowseSmart, Generic PUA MB, Generic PUA KL
SymantecYontoo.C
TrendMicro-HouseCallSuspicious_GEN.F47V0826, Suspicious_GEN.F47V0706, Suspicious_GEN.F47V0724, Suspicious_GEN.F47V0730, Suspicious_GEN.F47V0812, Suspicious_GEN.F47V0621, Suspicious_GEN.F47V0627
VBA32AdWare.Win64.Yotoon
VIPREYontoo (fs), Trojan.Win32.Generic!BT, Adware.SwiftBrowse
ZillyaAdware.Agent.Win32.9068, Adware.Yotoon.Win64.1, Adware.Yotoon.Win64.3
nProtectTrojan-Clicker/W32.Agent.249632.B

* How the Detection Percentage is Calculated

The detection percentage is based on the fact that I've collected 1083 scan reports for the focusbase files. 295 of these scan results came up with some sort of detection. You can review the full details of the scan results by examining the files listed above.

Analysis Details

The analysis has been done on certificates with the following serial numbers:

Comments

No comments posted yet.

Leave a reply