First case of a real virus infection on wine

Stefan Dösinger stefandoesinger at gmx.at
Sat Dec 9 07:41:09 CST 2006


Hi,
Seems like I just became the victim of the first infection of a Windows virus
on wine :-( . I got infected with some virus called W32.Parite.B.

Unlike most of the beasts out there, it is a real virus that attaches itself to
existing .exe files, not a stand-alone worm. I caught it yesterday at a small
private gaming session. I didn't have Warcraft 3 installed, so instead of
installing it and messing with patches I would have had to download, I decided
to copy an existing installation over. That seemed to work fine at first :-/

What we noticed pretty fast was that at least 3 Windows boxes were infested
with a bunch of malware and were trying to infect each other over network
shares. The virus alert messages popping up made playing impossible. The
obvious solution: disable the virus scanners.

So with the protection disabled those Windows boxes were able to play, and
everything seemed to work fine. I noticed that something was wrong when my
Battlefield 1942 crashed, which had worked a few hours before when I tested my
new patches for regressions. ClamAV showed a W32.Parite.B infection in
bf1942.exe.

That virus wasn't only in bf1942.exe; I found it in the war3 installation I
copied over too. Looks like it came from there. I found it in all .exe files
on my fake C:\ drive, except for our fake .exe's in C:\windows\system32. Looks
like it didn't like those. Next I had a look at my real Windows installation
mounted in /media/windows, and found it infected too. Well, that was easy to
clean up with a mkfs because I didn't have anything valuable in there. The
thing that is rather bad is that it infected my downloaded game demos and
other files on my home drive. Luckily I didn't have my external hard drive
with the rest of my stuff attached when I ran wine.

So I've now deleted my wine installation, Windows installation and all .exe
files on my disk. I'm scanning my whole Linux drives to be sure, but I didn't
run wine as root and I'm confident that the Linux file security prevented the
worst problems.

To summarize, I got into trouble mainly because I ignored the basic security
guidelines. I ran executables from a really untrustworthy source, knowing that
my friends' Windows boxes are in bad shape quite often. My real Windows
installation got infected because I had it world-writable for no real reason.
On the bright side, running as a least-privileged user prevented the worst
problems.

If anyone wants to play around with that virus, I kept my infected 
GenuineCheck.exe :-)

Stefan