First case of a real virus infection on wine

Stefan Dösinger stefandoesinger at
Sat Dec 9 07:41:09 CST 2006

Seems like I just got the victim of the first infection of a windows virus on 
wine :-( . I got infected with some virus called W32.Parite.B.

Unlike most of the biests out there it is a real virus that attaches itself to 
existing .exe files, not a stand-alone worm. I caught it yesterday on a small 
private gaming session. I didn't have Warcraft 3 installed, so instead of 
installing and messing with patches I would have had to download I decided to 
copy an existing installation over. That seemed to work fine at first :-/

What we noticed pretty fast was that at least 3 windows boxes were infested 
with a bunch of malware, and trying to infect each other over network shares. 
The virus alert messages popping up made playing impossible. The obvious 
solution: Disable the virus scanners.

So with the protection disabled those windows boxes were able to play, 
everything seemed to work fine. I noticed that something was wrong when my 
Battlefield 1942 crashed, which worked a few hours before when tested for 
regression in my new patches. ClamAV showed up a W32.Parite.B infection in 

That virus wasn't only in bf1942.exe, I found it in the war3 installation I 
copied over too. Looks like it came from there. I found it in all .exe files 
on my fake C:\ drive, except of our fake .exe's in C:\windows\system32. Looks 
like it didn't like those. Next I had a look at my real windows installation 
mounted in /media/windows, and found it infected too. Well, that was easy to 
clean up with a mkfs because I didn't have anything valueable in there. Well, 
the thing that is rather bad is that it infected my downloaded game demos and 
other files on my home drive. Luckily I didn't have my external hard drive 
with the rest of my stuff attached when I ran wine.

So I've now deleted my wine installation, windows installation and all .exe 
files on my disk. I'm scanning my whole linux drives to be sure, but I didn't 
run wine as root and I'm confident that the Linux file security prevented the 
worst problems.

To summarize, I got into the trouble mainly because I ignored the basic 
security guidelines. I ran executables from a really not trustworthy source, 
knowing that my friends' windows boxes are in a bad shape quite often. My 
real windows installation got infected because I had it world writeable for 
no real reason. On the bright side, running as a least priviledged user 
prevented the worst problems.

If anyone wants to play around with that virus, I kept my infected 
GenuineCheck.exe :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the wine-devel mailing list