ScamWatch

You’ve got to hand it to me. For two weeks I’ve had an article about the Divocodec scam on my web site, and absolutely no links or nothing pointing to it; in fact I forgot even to tell anybody about it. How’s that for efficient information flow?

In case you encounter an AVI file which shows you a screen telling you do download the DivoCodec, first read this. It may save you some grief.

Off course, anyone who is familiear with the 3wPlayer scam would instantly recognize this as ‘more of the same’.

UnZixWin can decode DivoCodec files as well. Note, however, that it may take two passes.

I have encountered yet another spawn of the spyware-ridden WinZix installer.

The worrisome part is, my antivirus package (AVG from Grisoft) doesn’t find anything harmful inside (although you can bet the farm it’s most decidedly harmful), even with a day-fresh virus DB update.

I think this is because the installer is a NET 2.0 binary, and uses a different kind of executable code (called MSIL, for MicroSoft Intermediary Language), which is different from standard machine code.

The details are as follows:

File Name: WinZix.EXE
File Size: 1098 406 bytes
MD5 Checksum: c70d34eb6a9e93a0cecfcb7888aece81

It was encountered in a torrent on TPB: House.SE0402.HDTV.XviD-Caph

Poking around inside with a hex editor, I discovered that the installer required administrative privileges to run, which is bad news. If it manages to run as a computer administrator, it can do plenty of nasty stuff to the computer without you ever knowing about it.

People who have found this blog are naturally smart enough not to ever run anything named WinZix. Then again, new users are coming to the peer-to-peer arena every day, and many of those arent’ familiar with this spyware.

I haven’t done any further investigation yet; I must have a sandboxed computer which I can sacrifice in order to execute the installation and see what nastiness happens.

Thanks to alert user Mike for pointing me onto this one.

A quick note to those who want to install UnZixWin 0.0.9 mentioned below:

During the installation process, you may get asked whether you want to replace your current version of a certain DLL with an older one from the installation.

Your gut reaction, off course, is to click ‘no’. And that is precisely what you should do, especially if you’re running Vista.

The DLLs in question do not affect the operation of UnZixWin, so do not need to be the version included in the installer. Keeping your current DLLs is the sensible thing to do. Replacing them should do no harm, but don’t take the chance.

In case UnZixWin doesn’t work on your particular ZIX or AVI file, the cause will be either that the file is damaged or garbage, or a bug somewhere in my code. It has nothing to do with DLL versions. Get in touch with me for help determining the cause of the problem.

Cause:
The development machine I used to create the setup package runs on Windows XP, and I’ve since discovered that the latest service pack hadn’t been properly installed when I created the setup package. Boy is my face red!

WinVista uses newer DLLs and those should be used instead. Even XP users should be wary of DLL replacement.

Resolution:
The setup package containing the outdated DLLs are already in circulation beyond my control (that is how BitTorrent works). So I can’t change that, only the package on my site (which I’ll be doing very shortly).

Crap like this is why I didn’t want to create a setup package to begin with.

Fellow scambuster Jim Dunn has alerted me to a new trend of AVI scammers.

If you get an AVI file which shows you this message:

This is, off course, just another variation of the 3wPlayer scam. The same people responsible for 3wPlayer scam has added another trick to their bag. They’re double-encoding 3wPlayer files and calling them DivoCodec.

In other words, the scammers are too lazy to invent a new scam format. They’re just using their old tools twice on the same file, this time appending a new image to the AVI.

WARNING:

In case you are new to all this: do not under any circumstances download the ‘codec’. In fact, don’t even go to that website mentioned. The codec contains malicious spyware for sure, and the website might record your IP address and target you for hacking.

Bittorrent users with a bit of experience know this, off course. They’ve seen the 3wPlayer scam before, and the Vodei scam before that.

Solution:

Jim discovered if that if you run this AVI file thorugh UnZixWin 0.0.9,
you get a standard 3wPlayer encoded file. Running that through UnZixWin
0.0.9 will get you the original, unencoded file. Off course, that may not be the one you were promised (april fools!), but any old AVI which seemed large enough to be plausible.

In short, use UnZixWin twice and see what you get.

Thanks, Jim!

The new version, which handles the new ZIX format, is now finally available for download.

ZIP version (4.79 MB)

Bittorrent file (so you can share the burden of uploading)

Sorry about dragging my feet this last week, folks. As a small token of gratitude for your patience, I went ahead and added support for 3w-encoded AVI files.

Thus, if your’e unlucky enough to encounter another ZIX archive, or another encrypted AVI file, this utility should be all you need.

Cheers!

//NeverShaveYourDuck

First of all, apologies for churning out these blog entries at such a snail pace. I had intended to write up the DRM scam sooner, but considered it a fringe thing. Good thing I was slow on the draw with this one, though, because it has proven to be more serious than I thought, and I would have exacerbated the problem by downplaying the risk.

Embarrassingly, I seem to be the last one to get the message. This has been known to many for years. But hey, if it was news to me, it might be for you as well. So here’s more on it:

The DRM Scam defined:

Internet users frequently encounter a WMV (Windows Media Video) or WMA (Windows Media Audio) file which they’ve downloaded perhaps by way of BitTorrent.

Upon trying to play this file, they encounter a message from Windows Media Player stating that a minor security upgrade is required. This has to do with Digital Rights Management, and is a clear signal to the savvy that “You’re about to be charged for viewing this”. Myself, being a cheapskate, I bail out at this point.

What is supposed to happen otherwise is, that once the security upgrade is taken care of, you’ll be whisked away to some web site where you can purchase a “token” or a “licencse” to view the protected content. In other words, bring out your VISA card, or your wallet, or your PayPal, or whatever you use to pay for stuff online. After that, you’re supposed to be able to view the file, but only on that computer, and usually only for a limited amount of time. Your purchased right to view the content does not travel with the file; nor does it persist forever.

I discarded this as a ‘Pseudo-scam’, designed merely to make a quick buck out of inexperienced users. A P.T. Barnum quote is called for here, but I won’t digress.

However, it must be categorized as a scam, because the origninators of the DRM-protected file don’t actually own the material proffered, but have pirated it from somebody who does. In other words, you’ll be paying your hard-earned cash to the wrong people. If you’re gonna have to fork over your dough, do it to the ones who are legally entitled. Not to some scam artist.

The DRM Threat

What I failed to realize, and to know, was that this scam isn’t just about making a quick buck, but is actually another vehicle for infesting your computer with spyware.

Others have already done a great job of describing the threat for me, so I refer you to this immensely useful article: WMP Adware: A Case Study In Deception

Read the whole thing, and note the presence of numerous links pointing to other articles dealing with this threat. Depending on your configuration of Windows platform and version of Media Player, you could be susceptible to vulnerabilites. Following the links, you also become aware of Microsoft’s stubborn refusal to deal with a security hole they alone are responsible for creating.

I would therefore make the following suggestions:

Use an alternative media player, such as VLC or Media Player Classic. These players don’t honor the embedded DRM links, but simply try to play the encrypted content (VLC) or report “Could Not Render The File” (MPC). Make sure you asosciate the WMA and WMV extensions (hell, asosciate all of them, for all I care) with one of these players, so that you don’t inadvertently launch Media Player by double-clicking on a downloaded file.

Never, ever, under any circumstances, accept the premise to pay for stuff you’ve downloaded for free. Never respond yes to any dialog which prompts you to install anything in response to trying to play a media file, whatever it be. Not only are you being taken, your computer might be as well.

Prior to last week, users encountering ZIX archives have been able to find information on WinZix in Wikipedia. This was an invaluable source of information, and it included warnings about the spyware in WinZix and links to damage reports as well as remedies for those affected. I was able to contribute in a small way with corrections about the nature of the file format and in particular the specifics of the metadata block inside.

However, this article is now history. A certain user, whose motives struck me as fishy, considered the article “not noteworthy”, and submitted it for deletion.

In the heated discussion that ensued about the validity of the article, the user who considered it “not noteworthy” proved himself impervious to any arguments to the contrary. Said arguments included the very real threat that spyyware-infested trojan apps like WinZix poses to the internet community. All fell to deaf, and apparently very dumb ears.

Consequently, as of this weekend the WikiPedia article on WinZix is now history, as is the discussion leading up to its deletion. I would point you to it (and I did, in my article on the Zix format, supplied with my UnZixWin utility), but it’s gone the way of the dodo. The stub telling about its demise is here.

This is a loss to all those who will now not benefit from the knowledge amassed about WinZix and how to deal with the problems it causes. True, there are plenty of other places on the net which a Google search will turn up that warns about the problems.

However, I think it’s a sad state of affairs that the great Wikipedia can be subjected to badly motivated censorship by anyone with an axe to grind. The free-for-all nature of the site’s approach to editing and quality control isn’t always optimal. In particular in this case I found the reasons for deleting the article fishy indeed, and highly question the motives for doing so. Can it be that said user have personal stakes in the success and proliferation of WinZix?

Oh, well. Where Wikipedia fails, sites such as this one must pick up the torch. I don’t intend to stop warning people about these spyware-riddled scams anytime soon. Indeed, I must pick up the pace on getting my full website online. This blog is a useful tool, but not quite how I want to organize things.

Jump for joy!

Thanks to a few alert users who pointed me to a certain ZIX archive online, I hit paydirt. This archive contained multiple files and a folder hierarchy, which was all I needed to complete the puzzle. I have now dissected the new format almost completely.

As a consequence, I’ve been able to update UnZixWin to handle the new format in a reliable and stable way, beating a few of my fellow hackers to the punch.

Unfortunately, the new version of UnZixWin requires support from a few external COM components, which need to be installed and registered. Which is why I had to cave in and finally create a setup package. Oh well, it was really only a matter of time.
On the upside, I can finally add some UI features (toolbars, a proper status bar, listview, treeview) which makes the utility look like a real application and not just like a noob hack. That was long overdue.

All those who have gotten in touch with me will receive a mail with a torrent file which they can use to download the new version of UnZixWin. I’ll naturally also post the torrent on a few select tracker sites (if you found this page, chances are you frequent them.)

A web page dedicated to the UnZixWin utility wiill soon be sited here. Those of you just joining the party can download the software from that page.

A full description of the new format will be found here.

Coming up:

The layout and encryption (such as it is) of the 3w-encoded AVI files (more on them under the Common Scams category) has been cracked. It isn’t particularly complex, either.
Therefore, I’ll shortly add functionality to UnZixWin to open and decode 3w-encoded AVIs as well. Look for that in version 0.1.0 or thereabouts.