winzipper_update_setup_1.5.137.1044.exe

Winzipper

The application winzipper_update_setup_1.5.137.1044.exe (“standard installer”) has been detected as a potentially unwanted program by 8 anti-malware scanners. It is a setup and installation application, but the file is not signed with an Authenticode signature from a trusted source. It is infected by an entry-point-obscuring polymorphic file infector that creates a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from t.qihutechs.com.
Product:
Winzipper

Description:
standard installer

Version:
1.5.137.1044

MD5:
029f226380e3c59812213d7c7d11088e

SHA-1:
505e07977e4837a2efee5576301d9de548db9b88

SHA-256:
7157b3136968ce86a537063b6f939a5d7ece415309faf9b40b9cec286f55ee04

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
1/13/2025 1:39:15 AM UTC

Scan engine                    Detection                          Engine version
avast!                         Win32:SaliCode                     160708-3
AVG                            Win32/Sality                       2015.0.4591
Emsisoft Anti-Malware          Win32.Sality                       16.07.18
ESET NOD32                     Win32/Sality.NBA virus             8.0.319.0
F-Prot                         W32/Sality.gen2                    4.6.5.141
Kaspersky                      not-a-virus:Downloader.Win32.Elex  15.0.0.562
Microsoft Security Essentials  Threat.Undefined                   1.225.1578.0
Norman                         Win32.Sality.3                     19.05.2016 01:04:49

File size:
2.9 MB (2,990,704 bytes)

Product version:
1.5.137.1044

Copyright:
Copyright 2011-2015 Taiwan Shui Mu Chih Ching Technology Limited. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\winzipper_update_setup_1.5.137.1044.exe

File PE Metadata
Compilation timestamp:
4/10/2010 5:19:23 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:6sCjUERtoZWGiLFd3wz1Yrunqhs32/DwsGQ9BKzt9sCwhLi2rc1UT+9gd2:6sm/qWTTgqhUg0Bwg2I+T+O2

Entry address:
0x33E9

Entry point:
FE, C0, F2, 84, FB, 24, C6, 3A, F1, EB, 05, F6, C3, 33, B5, 32, 6B, C0, 00, 8D, 0D, 3A, 12, DB, E5, 0F, AF, F5, C7, C7, 0F, 32, BF, 48, F3, 0F, B6, F9, 2A, EC, 86, CB, C7, C6, 43, 46, 1D, 85, 05, 0C, FB, FF, FF, 81, FA, 1E, 9D, 00, 00, 76, 06, F7, C7, 4F, 95, 1C, EA, 05, F5, 04, 00, 00, 69, EA, E6, FD, CD, 55, 31, C2, 1A, C8, 32, D3, 81, F5, 3C, 03, B1, 52, 3D, 29, 04, 00, 00, 0F, 8C, AE, FF, FF, FF, 74, 02, B6, 26, 76, 02, B1, 90, E8, 18, 00, 00, 00, 84, CD, 0F, B6, CC, 86, EE, 84, D6, 86, EE, 86, E5, 69...

Entropy:
7.9974  (probably packed)

Code size:
25 KB (25,600 bytes)

The file winzipper_update_setup_1.5.137.1044.exe has been seen being distributed from the URL t.qihutechs.com.

Remove winzipper_update_setup_1.5.137.1044.exe - Powered by Reason Core Security