I checked last night and at least the downloads from and DownloadBestSoft were genuine. Future releases of WDS will be signed with an Authenticode certificate, so it will also make it harder to trojanize WinDirStat. check that their hashes match what is expected. Now I don’t have the time to investigate into what exactly this thing is doing, but it bears all the hallmarks of malware and therefore from my perspective that file isn’t a false positive. Holy moly, Batman! Someone actually trojanized WinDirStat and it looks like EPO 4 just from a brief look. Again, this file is named windirstat.exe and to the naked eye it looks like the Unicode build from the 1.1.2 installer, but in actuality this is a trojanized version of the genuine file. text:004471B4 hPrevInstance = dword ptr 8 And when I did the same on the trojanized file it looked like this.
So I loaded the genuine file into IDA Pro and the entry point looked like this.
The size matched, the timestamp in the PE header matched, just some things like the sections and a whole lot of code or data had been changed in the middle of the file.
And what struck me was that all external traits shown by this file matched closely the Unicode build from the 1.1.2 installer.
Now I didn’t have that file in my release archive so I asked for the file 3 and was then able to look at the actual trojanized file. It turned out that the file the aforementioned Swedish user had inquired about wasn’t under detection, but another file with the MD5 hash a84aad50293bf5c49fc465797b5afdad. So I got a contact for the malware research at MalwareBytes and was able to inquire about the file. We’ve had this before, but this time it was a slightly different case. That is the installer with the following two cryptographic hashes 2: I assumed false positive and it turned out that it was at least for the particular file that the Swedish user had (SHA1: 26e14a532e1e050eb20755a0b7a5fea99dd80588) 1 – which was the genuine file from the genuine version 1.1.2 installer.
Now, the report I got from a WinDirStat user from Sweden (thanks again!) was that MalwareBytes had detected WDS once again. WinDirStat grants you valuable stats about your storage, its functional interface and comprehensive features making it easy to use, whilst also providing enough functionality for just about anyone. Well, actually it isn’t the genuine WinDirStat but a trojanized version posing as WinDirStat and it’s masquerading under the disguise of the good Unicode version of windirstat.exe which is contained in the installer. The integration it has with the extension list makes it so that you can ascertain more easily what types of files take up the most of your storage. The bigger files will take up more space on the visualizer, and by clicking on the respective element, you'll be taken right to its directory.
Thanks to the structured view it provides, you can better visualize the contents on your drives. Occupying the bottom part of the layout entirely, the Treemap can perhaps be deemed the highlight feature of this program. png files that were sitting comfortably in the bin.
To build upon that, the extension list provided an additional way to be even more efficient: we found out that we had about 1 GB of. This way, we found that we had a lot of files in the Recycle Bin that we hadn't yet deleted, yet were still taxing our overall storage quite a bit. Here, you also have the option to launch a command prompt in a specific file's location, right from the app. The directory list offers details about the space your files and folders occupy on your hard disks, structured in a branchlike layout. The layout is structured like so: you have the directory and extension lists at the top, with the Treemap just below them. The design here isn't much to write home about. Functional interface in an open-source app That is why you may find using WinDirStat, an open-source app, to be worthwhile: visualize the apportionment of your storage in various ways, through the directory and extension lists, or via the Treemap. That's because even smaller files, when numerous, can occupy a large chunk of your storage. Finding out the files taxing most of your storage is another thing entirely. And most of the time, you hardly notice until you actively look for it. Your drives will fill up over time, bit by bit.