May 2, 2007

Putting the zing back in sting …

Recently, I’ve been running across a supposedly new compression format over and over again. The format? WinZix or rather, .ZIX files. The name and the extension seem to indicate that they are trying to capitalize on WinZip’s popularity and market share. Their website claims that they have the "ultimate compression". The truth? Now that’s a bit more tricky :p

When I first heard about WinZix, being the software junkie that I am, I was tempted to download it and try it out. However, the name and the way it was branded made me hesitate. I decided to check it out first. There wasn’t much online about WinZix though. There were people claiming that it contained trojans and that it messed up their systems. There were others claiming that it didn’t compress any files at all and in fact, it increased the size of a file that was compressed with it. However, these were all claims made on the Net and you know how that goes :p

So, I downloaded a .ZIX file myself – not the program but a file supposedly compressed with WinZix. I then opened the file in a hex editor and noticed that it had a file header which identified it as a WinZix file. But what was more interesting was to see a ZIP file header a few bytes further in from the WinZix file header 🙂

Now, most files contain a file header (or a signature) which identifies the file type and allows the corresponding program to determine whether it’s a file format that the program works with. I knew the ZIP signature since I’d worked with ZIP files before. Being paranoid by nature, a thought flashed into my mind at this point – what if the WinZix folks weren’t actually compressing files but taking standard Zip files and wrapping them with a new header so that WinZip (or any other program working with Zip files) would not see them as Zip files?

I decided to test out this theory. I deleted the first six or seven bytes from the WinZix file, removing the WinZix header but leaving the ZIP header/signature intact. I then tried to open the file in WinRAR (which supports ZIP format) and it opened up fine and I was able to extract the contents of the ZIP file.
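The header-stripping check described above, written out as a small script. This is an added example, not code from the original post or from WinZix itself: it builds a constructed sample (the 11-byte prefix `5A 49 58 7C BD 01 00 00 00 00 00` quoted later in the comments, a real in-memory ZIP, and some made-up trailing junk), locates the first known signature (ZIP, RAR or RIFF/AVI, the formats mentioned on this page), strips everything before it, trims anything after the ZIP end-of-central-directory record, and reads the recovered archive. Files with no recognisable payload, as several commenters report, are rejected rather than guessed at. The meaning of the bytes after "ZIX" is not known; treating them as an opaque prefix is an assumption.

```python
"""Recover a file wrapped in a WinZix (.zix) header by locating a known
signature and stripping everything before it.

Added example, not the original post's code. The 11-byte prefix
5A 49 58 7C BD 01 00 00 00 00 00 is the one quoted in the comments; what
the bytes after "ZIX" mean is unknown and treated here as an opaque prefix.
"""
import io
import struct
import zipfile

# Signatures a wrapped payload is likely to carry; the post and comments
# mention ZIP, RAR and AVI. Byte values are the standard magic numbers.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",
    b"RIFF": "riff",  # confirmed as AVI only if "AVI " follows at +8
}
ZIX_MAGIC = b"ZIX"
MAX_HEADER_SCAN = 64  # the prefix in the post was 11 bytes; scan a bit further


def find_payload(data: bytes, scan_limit: int = MAX_HEADER_SCAN):
    """Return (offset, kind) of the earliest known signature near the start,
    or (None, None) if nothing recognisable is found."""
    best = None
    for sig, kind in SIGNATURES.items():
        off = data.find(sig, 0, scan_limit + len(sig))
        if off == -1:
            continue
        if kind == "riff" and data[off + 8:off + 12] != b"AVI ":
            continue
        if best is None or off < best[0]:
            best = (off, kind)
    return best if best else (None, None)


def unwrap_zix(data: bytes) -> dict:
    """Strip the ZIX prefix; return the prefix, payload kind and payload bytes."""
    if not data.startswith(ZIX_MAGIC):
        raise ValueError("not a ZIX-tagged file")
    off, kind = find_payload(data)
    if off is None:
        # Matches what several commenters saw: a ZIX tag followed by garbage.
        raise ValueError("no known archive/media signature near the start")
    return {"header": data[:off], "kind": kind, "payload": data[off:]}


def is_recoverable(data: bytes) -> bool:
    """True if unwrap_zix() would succeed on this buffer."""
    try:
        unwrap_zix(data)
        return True
    except ValueError:
        return False


def trim_zip_trailer(payload: bytes) -> bytes:
    """Drop bytes after the ZIP end-of-central-directory (EOCD) record.
    One commenter found zero padding plus a URL appended after the payload."""
    eocd = payload.rfind(b"PK\x05\x06")
    if eocd == -1 or eocd + 22 > len(payload):
        return payload
    comment_len = struct.unpack_from("<H", payload, eocd + 20)[0]
    return payload[: eocd + 22 + comment_len]


def read_member(zip_bytes: bytes, name: str) -> bytes:
    """Read one member from an in-memory ZIP to prove the payload is intact."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def build_sample() -> bytes:
    """Constructed sample: ZIX prefix + real ZIP + made-up trailing junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello from inside the zix\n")
    zix_prefix = bytes.fromhex("5A49587CBD010000000000")
    trailer = b"\x00" * 16 + b"http://announce.example.invalid/"  # constructed
    return zix_prefix + buf.getvalue() + trailer


if __name__ == "__main__":
    sample = build_sample()
    info = unwrap_zix(sample)
    print("prefix:", info["header"].hex(" "), "kind:", info["kind"])
    clean = trim_zip_trailer(info["payload"])
    print(read_member(clean, "readme.txt").decode())
```

Run it on a real .zix file by replacing `build_sample()` with the file's bytes; the script only carves and parses, it never executes anything from the container.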

So there you have it 🙂 WinZix is really a phoney. It doesn’t actually compress any files and certainly might have trojans or backdoor programs or viruses embedded in it. Or it might simply be a way to cash in on people’s gullibility and make some money since apparently they do say that they include adware in their EULA. Whatever else it might be, a compression program it is not :p

15 Responses to Putting the zing back in sting …


#1
k 03 May 2007 at 8:04 am

Hi Fahim,
this was a very cool post. It explained what ZIX was and saved me from downloading it. So, I did have a winZIX file that I wanted to open, but as my technical skills with a computer are shameful, I couldn’t understand how you deleted the first few bytes and then managed to open it without a ZIX header. Thanks 🙂
K

#2
Fahim 03 May 2007 at 8:12 am

You need to use a hex editor to do this 🙂 I used UltraEdit which is my text editor of choice since it also has a hex edit mode. You simply open up the file in your hex editor and it will show each and every byte for the WinZix file. You will notice that at the beginning of the file (about 6-10 characters in) that there is a “PK”. That is the ZIP file marker. So delete everything from the beginning of the file up to the “PK” and save the file and you should be fine. Of course, make a backup before you make any changes in case something goes wrong 🙂

#3
Syren 03 May 2007 at 3:19 pm

Not zip file here. I got a zix file myself. There was no zip file inside. I tried a simple “let i=0; while [ $i -lt 1000 ]; do dd if=thezixfile of=testfile bs=1 count=100 skip=$i >/dev/null 2>&1; file testfile | grep -v "testfile: data"; let i+=1; done”. Changed the 1000 to 20000 later. Definitely no known archive is this zix-file (just a couple of false recognitions from the file command due to 2 byte magic numbers).

#4
Fahim 03 May 2007 at 3:33 pm

Well, it would depend on what sort of file was originally wrapped by WinZix 🙂 Based on comments by other folks online, it appears as if WinZix by default does not compress anything – if you give it a 700k file, it results in a 701k file. So no compression. It probably takes whatever original file it was (ZIP, RAR, AVI whatever) and adds the WinZix header. Unfortunately, I don’t have WinZix installed (nor am I going to :p) and so can’t test out this theory further …

#5
Syren 03 May 2007 at 4:02 pm

Hmm, if it just adds a header then the file I got here just contains garbage. Could you tell me exactly how many bytes until the offset of the zip header in your file? And yes, installing this thing using wine with an unprivileged account didn’t result in much. Nothing happened after the “open file” dialog. Can’t see why a compression program would require functionality not offered by wine.

#6
Fahim 03 May 2007 at 4:22 pm

Sorry, took a little while to find a ZIX file and download it since I’d already deleted the original I tested. In this particular file, which contains a ZIP file, the offset is 11 bytes. I get the following before the ZIP header:
5A 49 58 7C BD 01 00 00 00 00 00

The first three are just “ZIX” and I believe the next numbers are probably the file size or something. I thought it might be the full file size or just the file size minus the header but it does not appear to be the case – at least, not the size in bytes. But it probably is something like that …

#7
Syren 03 May 2007 at 8:46 pm

Back from work 😀
Just checked the zix file I have at offset 11. The file command does not recognise it as anything. But the first post I wrote already checked offsets 1-1000. According to the nfo files in the torrent it should contain a bin and cue file. Obviously this zix stuff is a scam (why put a compressed file within a compressed file [ zix within rar ]? hmm, at least other than creating smaller file chunks).

#8
Fahim 03 May 2007 at 9:20 pm

Yeah, looks as if it might be mostly fakes. Another person who tried removing the Zix header had no luck either and I’ve only had success with this one file. Haven’t tried downloading anything else though since I really don’t want to spend the time or the bandwidth on it. They probably simply put any old junk up for download as Zix files because all they’d really want is for people to install WinZix …

#9
Beetlebum 07 May 2007 at 10:12 pm

Thanks for this info. Tried removing the tag but it didn’t work; the file I got must be a fake. Thanks again.
BB

#10
Fahim 08 May 2007 at 7:12 am

It begins to look more and more as if the one file I was able to retrieve might have been a fluke. If anybody else has a fairly small ZIX file (around 1-2MB) that they want me to check, please feel free to e-mail it to me. Also let me know what the internal file is supposed to be if it’s not evident from the file name 🙂 I’ll take a look and see if I can figure out what’s there …

#11
Petunjuk 08 May 2007 at 10:56 am

Hi,

There are some torrent files spreading around, claiming to be the latest Pirates of The Caribbean. The premiere should be on May 25, so how can that be? All of the torrents are uploaded by a guest account and contain a rar, which itself contains a zix file.

So, I have this 700 MB zix file. It has no ZIP header inside, but it contains this string:

Pirates of the Caribbean – At World’s End (2007) 20th PROPER TELESYNC KvCD Hockney(TUS Release).uha4

rar –> zix –> uha4

WTH? what next?

It also contains these strings:

freeprodtb.exe

hxxp://med**ia.mat**cash.com/too**lbar/free**pro**dtb.e**xe

Remove the **. (I don’t want to litter your blog with the link, since I suspect freeprodtb.exe is a MALWARE)

This and with other comments I’ve found so far:

http://forums.whirlpool.net.au/forum-replies-archive.cfm/727567.html
http://forums.techguy.org/security/567228-hijack-log-posted-installed-winzix.html

I conclude that zix format is a MALWARE scam.

#12
Fahim 08 May 2007 at 11:05 am

Yeah, freeprodtb.exe appears to be adware/spyware/malware based on what I’ve found online. I’ve seen both the forum posts you mention and I agree, WinZix is definitely not on the up and up – it’s either just a scam or malware for certain. Of course, with only one file to work with at my end, I can’t be certain. And I certainly don’t want to download a several hundred MB torrent to experiment :p So I guess I’ll just leave things be …

#13
Abhinav 08 May 2007 at 4:09 pm

Hi
Thanks for the info
I thought that if you can open it in WinRAR after removing the zix header, you might be able to do it without removing it
So I right clicked this zix file and chose “Open With” and opened it with WinRAR
And it worked!
So you might wanna edit your post and inform people that zix can be opened in WinRAR with the Open With function of Windows

I really didn’t want to download zix because it installs this advertisement stuff

#14
Fahim 08 May 2007 at 4:19 pm

You’re right, I just tested and my test WinZix file can be opened with WinRAR if I do so explicitly and the internal file is a format supported by WinRAR 🙂

Usually, WinRAR will detect the file signature of the selected file and give you the option to open the file in the context menu. But this doesn’t happen with ZIX files since the signature is different. However, if you select the Open With … option from the context menu and select WinRAR, as long as the file inside is ZIP or RAR or some other format supported by WinRAR, it seems to open up fine. However, this does not mean that all WinZix files can be opened correctly with WinRAR 🙂

#15
fenwar 10 May 2007 at 12:46 pm

Thanks for posting this tip, just downloaded the latest episode of Lost and found it had a .zix extension. A quick Google and you confirmed my suspicions!

In this case I was able to remove the ZIX header from what was actually an AVI file.

There was also some junk at the end of the file after a bunch of zero bytes, including a URL from announce.winzix.com, which I was able to safely delete.

Anyway thanks again for the tip.
