First Wine-Aware malware?

Stefan Dösinger
Fri Apr 28 03:57:23 CDT 2006

I just tried to run some "Malware Checker" just for fun in Wine, just out of 
interest how many infected files it will find on a fresh .wine setup. Bad 
security habit, I know :-| . This app was the "ErrorSafe Scanner" from
Don't blame me for system breakage if you go there ;-)

Well, I ran it in a fresh .wine with my unprivileged testing user (forgot to 
remove the Z:\ drive :-( ) . It started without showing anything, and created 
some autostart registry entries. As it couldn't be killed with Strg+C, I 
looked at the processes with ps to kill it. Well, I found a lot of 
"ErrorSafeScannerInstall_de.exe -nag", but also this:

 8835 pts/2    S+     0:00 sh -c ping -w 1 >/dev/null 
 8836 pts/2    S+     0:00 ping -w 1

Well, it also showed a few wininet fixmes:

Is there something in Wine which executes the Unix shell to run ping, 
redirecting all output to /dev/null ? Or did this malware know about Wine and 
Linux, and started the native apps, with the redirection?

Well, I will now do a complete security check on my whole Linux box :-(
(That's bad security too, I know, I should flatten the whole system)

BTW, that malware is described here: This page seems to 
describe an older version, as the registry entries were different.

