New WinZix version in the wild

I have encountered yet another spawn of the spyware-ridden WinZix installer.

The worrisome part is, my antivirus package (AVG from Grisoft) doesn’t find anything harmful inside (although you can bet the farm it’s most decidedly harmful), even with a day-fresh virus DB update.

I think this is because the installer is a .NET 2.0 binary and uses a different kind of executable code (MSIL, Microsoft Intermediate Language) rather than standard machine code.

The details are as follows:

File Name: WinZix.EXE
File Size: 1,098,406 bytes
MD5 Checksum: c70d34eb6a9e93a0cecfcb7888aece81

It was encountered in a torrent on TPB: House.SE0402.HDTV.XviD-Caph

Poking around inside with a hex editor, I discovered that the installer required administrative privileges to run, which is bad news. If it manages to run as a computer administrator, it can do plenty of nasty stuff to the computer without you ever knowing about it.
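The two observations above (a .NET binary, and one that asks for administrative rights) can both be checked without running the installer. The script below is an added example, not part of the original post: it reads the PE headers to see whether the CLR (COM descriptor) data directory is populated, and scans the raw bytes for the manifest's requestedExecutionLevel, the same thing you would spot in a hex editor. The sample PE it builds is constructed for the demonstration; run it on a real file with a path argument.

```python
import re
import struct
import sys

# Matches the manifest attribute an installer uses to ask for elevation.
MANIFEST_RE = re.compile(
    rb'<requestedExecutionLevel\b[^>]*?\blevel\s*=\s*["\']([A-Za-z]+)["\']')

def pe_triage(data: bytes) -> dict:
    """Return whether a PE file is a .NET assembly and which execution level its manifest requests."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:                        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    n_dirs = struct.unpack_from('<I', data, opt + count_off)[0]
    is_dotnet = False
    if n_dirs > 14:                           # entry 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        rva, size = struct.unpack_from('<II', data, opt + dirs_off + 14 * 8)
        is_dotnet = rva != 0 and size != 0
    m = MANIFEST_RE.search(data)              # raw scan; a packed installer may hide this
    level = m.group(1).decode() if m else None
    return {'is_dotnet': is_dotnet, 'requested_execution_level': level}

def build_sample(dotnet: bool = True, level: str = 'requireAdministrator') -> bytes:
    """Constructed minimal PE32 image (headers only) for demonstrating the checks."""
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 92, 16)      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into('<II', opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA and size
    manifest = b'' if level is None else (
        b'<assembly><trustInfo><security><requestedPrivileges>'
        b'<requestedExecutionLevel level="' + level.encode() + b'" uiAccess="false"/>'
        b'</requestedPrivileges></security></trustInfo></assembly>')
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + manifest

if __name__ == '__main__':
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample()
    print(pe_triage(blob))
```

A hit on both checks is a triage signal, not a verdict: a legitimate .NET installer also needs elevation, and a packed or obfuscated one may not expose its manifest to a raw scan.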

People who have found this blog are naturally smart enough not to ever run anything named WinZix. Then again, new users are coming to the peer-to-peer arena every day, and many of those aren't familiar with this spyware.

I haven't done any further investigation yet; I need a sandboxed computer which I can sacrifice in order to execute the installation and see what nastiness happens.

Thanks to alert user Mike for pointing me onto this one.


3 Comments


  1. Thanks for the tip, Dan. I’ve heard of it, but mainly in conjunction with Linux. I didn’t know a Windows version was available. I’ll check it out first chance I get.

  2. You said that you need a sandbox computer. Have you tried using VMWare or similar emulation software? I’ve used VMWare for a long time and never had any trouble with it. The virtual machine is completely isolated and whatever s*** runs in it cannot harm your computer.

  3. Just wanted to say thanks for the unzixwin, I used it to decode a supposed Smallville episode and all it was was the same 10 seconds of crap over and over again for 40 min. I'd have been really pissed if I had actually installed all their crap and the file turned out to be that. Actually, pissed is not a good enough adjective to describe the state I'd be in. So, thanks, again. art