winzip180.exe

WinZip 18

WinZip Computing

This is the installation and setup package for WinZip, a file compression/decompression utilitiy that has a GUI to zip interface. The installer might bundle additional software offers during setup including the AVG browser toolbar. The application winzip180.exe by WinZip Computing has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from c04.files.inst.avg.com. While running, it connects to the Internet address inst.avg.com on port 80 using the HTTP protocol.
Publisher:
WinZip Computing  (signed and verified)

Product:
WinZip 18

Description:
WinZip 18 Setup

Version:
1,19,0,3503

MD5:
46f894121ba43508942e31f0b2841590

SHA-1:
a37a171d272453c18a567675258752f0f4b2c8f5

SHA-256:
2d90c25626f664bbec7e2ca9277038c7e07485baf6d59b929ef39fcf07195b0f

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
The setup program might include offers for additional software during installation.

Analysis date:
11/24/2024 2:09:01 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Downware.1923
9.0.1.019

Emsisoft Anti-Malware
Trojan.Generic.10143455
8.14.01.19.02

ESET NOD32
Win32/OpenInstall (variant)
8.9290

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.14102

Sophos
4.96

File size:
410.9 KB (420,768 bytes)

Product version:
1,19,0,3503

Copyright:
Copyright © 2013

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\winzip180.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 3:00:00 AM

Valid to:
4/14/2014 2:59:59 AM

Subject:
CN=WinZip Computing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WinZip Computing, L=Mansfield, S=Connecticut, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5E4842AC9691630B45F8266C0ADB1206

File PE Metadata
Compilation timestamp:
9/11/2013 4:01:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
6144:DPEVT/DlxGmVQhlzYBH1PBrj+qCkeHX0h1Db5lugnuz3aJkx5DGG:D+DfPVQhlzi5leMD7ul3CkxRGG

Entry address:
0x1000

Entry point:
55, 8B, EC, 81, EC, 1C, 04, 00, 00, 53, 56, 57, BE, CC, 30, 40, 00, 8D, BD, E4, FB, FF, FF, A5, A5, A5, 6A, 7E, 66, A5, 59, 33, C0, 8D, BD, F2, FB, FF, FF, F3, AB, 66, AB, BB, 04, 01, 00, 00, 53, 8D, 85, E4, FB, FF, FF, 50, FF, 15, 5C, 30, 40, 00, 66, 83, A5, EC, FD, FF, FF, 00, 33, C0, B9, 81, 00, 00, 00, 8D, BD, EE, FD, FF, FF, F3, AB, 66, AB, 8D, 45, FE, 50, 8D, 85, EC, FD, FF, FF, 50, 8D, 85, E4, FB, FF, FF, 50, C7, 45, F8, FD, FF, FF, FF, C6, 45, FE, 00, E8, 45, 01, 00, 00, 83, C4, 0C, 84, C0, 74, 15...
 
[+]

Entropy:
7.7055

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file winzip180.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to oi.cloud.avg.com  (204.193.144.33:80)

TCP (HTTP):
Connects to inst.avg.com  (204.193.144.89:80)

Remove winzip180.exe - Powered by Reason Core Security