Winamp Skin Exploit Easily Installs Spyware, Trojans, or Worms

Posted August 26, 2004 by MickeyMouse in Windows

Winamp versions 3.x and 5.x can be exploited to run an executable program embedded in a Winamp skin. The following tutorial explains how such exploits work and how to turn them off.


Winamp skin files can be created that place and run programs embedded in the Winamp skin. With Internet Explorer, this can occur without requiring user intervention. Yes, any malicious HTML code could automatically run the exploit without the user’s knowledge.

This works because HTML code can be written that sends the user a Winamp skin zip file (*.wsz). Due to Winamp’s installation methods, IE will accept this file and pass it directly to Winamp. Winamp is then exploited to run the executable, which installs the spyware or trojan.

Winamp 2, Winamp 5 lite, and Winamp installed without “Modern Skin Support” selected should not be affected.

Uninstalling Winamp, of course, solves the problem.

Renaming or deleting gen_ff.dll should turn off “Modern Skin Support” and close the exploit. This file can typically be found here:

Program Files\Winamp\Plugins\gen_ff.dll
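
The rename described above, written as a PowerShell function. This is an added example, not part of the original post; the default install directories and the `.disabled` suffix are assumptions.

```powershell
# Added example: report on, and optionally disable, Winamp "Modern Skin Support"
# by renaming Plugins\gen_ff.dll as the article describes.
function Disable-WinampModernSkin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Winamp install directories to check. Assumption: when omitted,
        # Winamp is looked for under the Program Files directories.
        [string[]]$WinampDir
    )

    if (-not $WinampDir) {
        # ProgramFiles(x86) is not set on 32-bit Windows, so drop empty entries.
        $WinampDir = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ } |
            ForEach-Object { Join-Path $_ 'Winamp' }
    }

    foreach ($dir in $WinampDir) {
        $dll = Join-Path $dir 'Plugins\gen_ff.dll'

        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            # Nothing to rename: Winamp absent here, or already mitigated.
            [pscustomobject]@{ Path = $dll; Status = 'NotPresent' }
            continue
        }

        $status = 'Present'
        if ($PSCmdlet.ShouldProcess($dll, 'Rename to gen_ff.dll.disabled')) {
            try {
                # The suffix is an arbitrary choice; any name other than
                # gen_ff.dll amounts to the rename the article describes.
                Rename-Item -LiteralPath $dll -NewName 'gen_ff.dll.disabled' -ErrorAction Stop
                $status = 'Disabled'
            } catch {
                # e.g. no write access to the Plugins directory
                $status = "RenameFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Path = $dll; Status = $status }
    }
}

# Report only; drop -WhatIf to actually rename the file.
Disable-WinampModernSkin -WhatIf
```

A `Present` status after a `-WhatIf` run means the DLL is still in place. Renaming the file back restores Modern Skin Support once a fixed Winamp version is installed.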

When Winamp is updated to fix this exploit, I will post the URL in the comments.

Addendum:
Download version 5.05 to fix the bug…
http://www.winamp.com/player/
