WoAI Installer “v2.5” – Important Update

Contrary to the previous article posted here yesterday, it appears that the “new version” of WoAI’s installer is, in fact, a fake file that potentially contains malware components (i.e. software designed to attack or compromise your computer).

The file has now been removed from Avsim and news of the fake release has been posted at the WoAI forums this morning (24/01/12).

5 3 votes
Article Rating
Oldest Most Voted
Inline Feedbacks
View all comments
David Hanstater
Wednesday, January 25, 2012 17:03

It’s not a false positive, but a real Trojan. It managed to switch off my “View Hidden Files” option, and installed a registry item and an .exe file. I don’t know what it might have tried to do to my computer, but fortunately Malwarebytes found it and quarantined it. Even when I reset “view hidden files” my search of my whole HD failed to find the .exe file, so somehow the author managed to find a way to hide it, although MalwareBytes did find it. Neither Microsoft Essentials nor Avast Anti-virus full edition detected it. I think it is important… Read more »

Ian P
Wednesday, January 25, 2012 17:43

You’re a bit late to the party, David, sorry. As the article states and I corrected yesterday, the file has been pulled from Avsim’s library when the malware’s presence was confirmed – although the AV companies don’t seem to have decided what to call it yet, as everyones’ AV is calling it something different. However the malware only showed up once the exe file was run (Avast did detect it on others’ PCs – have you checked your software version?) rather than when downloading or just opening the zip file. Simmerhead: It’s a very popular freeware file. 607 downloads when… Read more »

Tuesday, January 24, 2012 11:37

What is the world coming too. Who on earth would bother to attack a tiny freeware product?

Ian P
Tuesday, January 24, 2012 08:48

Edited by Ian P 10:30, 24/01/12 I just downloaded and checked it with AVAST (version 6.0.1367, defs 120123-1) on this notebook and that reported it as clear when downloading and opening the zipfile. When you attempt to run the executable, it is at that point that the “trojan” seems to be reported. However the name reported for the “trojan” does not seem to be consistent, thus implying that while it is probably infected with malware, it is quite probably a “tweaked” version of existing code or entirely new code. None of the names I’ve been provided with have come up… Read more »

Flavio Cardoso
Tuesday, January 24, 2012 00:42

my antivirus (AVAST) put the file in quarentine too indicating infection by trojan Win32:Kryptyk-GQX [Trj]

Deleted by now. Ver.2.4 is working ok!

Monday, January 23, 2012 23:43

ok, well noted. I will re-check this issue. Thanks