I have encountered yet another spawn of the spyware-ridden WinZix installer.

The worrisome part is, my antivirus package (AVG from Grisoft) doesn’t find anything harmful inside (although you can bet the farm it’s most decidedly harmful), even with a day-fresh virus DB update.

I think this is because the installer is a NET 2.0 binary, and uses a different kind of executable code (called MSIL, for MicroSoft Intermediary Language), which is different from standard machine code.

The details are as follows:

File Name: WinZix.EXE
File Size: 1098 406 bytes
MD5 Checksum: c70d34eb6a9e93a0cecfcb7888aece81

It was encountered in a torrent on TPB: House.SE0402.HDTV.XviD-Caph

Poking around inside with a hex editor, I discovered that the installer required administrative privileges to run, which is bad news. If it manages to run as a computer administrator, it can do plenty of nasty stuff to the computer without you ever knowing about it.

People who have found this blog are naturally smart enough not to ever run anything named WinZix. Then again, new users are coming to the peer-to-peer arena every day, and many of those arent’ familiar with this spyware.

I haven’t done any further investigation yet; I must have a sandboxed computer which I can sacrifice in order to execute the installation and see what nastiness happens.

Thanks to alert user Mike for pointing me onto this one.