Old 10-28-2009, 02:46 PM   #1
Registered: Jan 2004
Posts: 307

Rep: Reputation: 33
Virused through wine???

I recently had what I think is a virus that infected the .wine folder, started and ran while wine was not running.

I was searching for something on google (I forget what) and a new tab opened to this site: A window opened with a progress bar which quickly completed, then popped up a window which said I had several viruses in the system and did I want the site to clean them out. Naturally I declined, but as soon as I clicked "no", Firefox downloader started downloading a "setup.exe" which I immediately stopped, but it appeared to have d/l'd anyway as "install" windows started popping up.

Then I started getting a sound bite "bong" every couple of minutes or so, and then a window popped up labeled "Windows Security Center": "you are under attack from site <url>. This could be a trojan. Do you want SoftBarrier to block this attack and check your system?" Again I closed the window.

I shut down all apps but this action continued with no other applications running so I checked for running processes:
crashedagain@acer:~$ ps ax
    1 ?        Ss     0:01 /sbin/init
    2 ?        S<     0:00 [kthreadd]
    3 ?        S<     0:00 [migration/0]
    4 ?        S<     0:00 [ksoftirqd/0]
    5 ?        S<     0:00 [watchdog/0]
    6 ?        S<     0:00 [migration/1]
    7 ?        S<     0:01 [ksoftirqd/1]
    8 ?        S<     0:00 [watchdog/1]
    9 ?        S<     0:00 [events/0]

 5715 ?        Ss     0:01 /usr/bin/../lib/../bin/wineserver
 5718 ?        Sl     0:00 C:\windows\system32\services.exe                    
 5720 ?        Sl     0:00 C:\windows\system32\winedevice.exe MountMgr         
 5730 ?        Ss     0:00 C:\windows\system32\explorer.exe /desktop           
 5732 ?        Sl     0:09 C:\windows\temp\kdb4531.tmp.exe                     
 6465 ?        Sl     0:01 gnome-terminal
 6466 ?        S      0:00 gnome-pty-helper
 6467 pts/0    Rs     0:00 bash
 6503 ?        Rl     0:28 /usr/lib/firefox-3.0.14/firefox
 6521 pts/0    R+     0:00 ps ax
The C:\windows... processes looked suspicious, so I killed 5732 and all the C:\windows processes shut down. The sound "bong" and the pop-up "security alert" then ceased.

I then checked the .wine folder and found this:
crashedagain@acer:~$ ls .wine/drive_c/windows/system32/*.exe
I'm pretty sure most of this stuff is not supposed to be there!

There are also strange .exe files throughout the wine drive_c, so I guess an R&R of wine is in order.

So how is this possible? I never internet through wine. Wine was not running yet the malware appears to have installed and started. Is it possible that some insidious bug has managed to infest a Linux system by detecting the presence of .wine and attacking there?

BTW, google comes up blank searching for "gvirusprotect" or for any of the odd .exe files (like z049vi9us551.exe). "SoftBarrier" is a fake windows protection program.

My system is dual boot Ubuntu 9.04/Vista and I use Firefox for a browser. Firefox is NOT installed on the wine system. Vista has avg virus protect on it, Ubuntu does not have any virus protection. Vista is seldom used...last used probably about 3 weeks ago.

Last edited by CrashedAgain; 10-28-2009 at 02:47 PM.
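The triage the original poster did by eye on the `ps ax` listing can be scripted. The example below is added here and is not from the thread; the heuristic it encodes (Wine's own services live in C:\windows\system32, anything else, or anything run from a temp directory or with a ".tmp.exe" name, deserves a look) is an assumption based on the listing above, and the sample input is constructed from it rather than captured live.

```shell
#!/bin/sh
# Added example (not from the thread): pick out Wine-hosted processes in
# a `ps ax` listing that deserve a look. Wine shows Windows programs with
# their DOS path (C:\...) in the COMMAND column; the genuine Wine services
# live in C:\windows\system32, while the dropper in the post ran from
# C:\windows\temp with a ".tmp.exe" name.

# Constructed sample modelled on the listing in the post (not a live capture).
SAMPLE_PS=' PID TTY      STAT   TIME COMMAND
 5715 ?        Ss     0:01 /usr/bin/../lib/../bin/wineserver
 5718 ?        Sl     0:00 C:\windows\system32\services.exe
 5720 ?        Sl     0:00 C:\windows\system32\winedevice.exe MountMgr
 5730 ?        Ss     0:00 C:\windows\system32\explorer.exe /desktop
 5732 ?        Sl     0:09 C:\windows\temp\kdb4531.tmp.exe
 6503 ?        Rl     0:28 /usr/lib/firefox-3.0.14/firefox
 6521 pts/0    R+     0:00 ps ax'

# Read `ps ax` output on stdin; print "PID<TAB>image" for every Windows
# program that is outside C:\windows\system32, or runs from a temp
# directory, or has a .tmp.exe name. Exit status 0 if anything was flagged.
wine_review_list() {
    awk '
        # $5 is the first word of COMMAND; Wine programs start with a drive letter
        $5 ~ /^[A-Za-z]:\\/ {
            img = tolower($5)
            in_system32 = (img ~ /^[a-z]:\\windows\\system32\\/)
            from_temp   = (img ~ /\\temp\\/ || img ~ /\.tmp\.exe$/)
            if (!in_system32 || from_temp) { print $1 "\t" $5; hit = 1 }
        }
        END { exit hit ? 0 : 1 }'
}

# Convenience wrapper: just the PIDs, one per line, for a `kill` review.
wine_review_pids() {
    wine_review_list | cut -f1
}

# Demonstration on the constructed sample; on a live box use: ps ax | wine_review_list
printf '%s\n' "$SAMPLE_PS" | wine_review_list
```

On the sample this prints only PID 5732 with its C:\windows\temp image. A legitimate Wine application installed under C:\Program Files is also reported, because it is outside system32; the list is a review list, not a verdict, so look at each entry before killing it (the SoftBarrier.exe process shown later in the thread would be reported the same way).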
Old 10-28-2009, 02:52 PM   #2
Jim Bengtson
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Just a guess...check your DNS settings. If the malware somehow changed your DNS settings, then you could be surfing a look-alike site that's full of more malware. If that was automatically downloaded via Firefox, [I think] it would cause Wine to start.

Just a guess...
Old 10-28-2009, 02:54 PM   #3
Senior Member
Registered: Nov 2006
Distribution: Debian Linux 10 (Buster)
Posts: 3,373

Rep: Reputation: 138
Does the *real* vista have disk access to your wine directory? IOW, did you put your wine in a FAT partition and then give access to that partition to Vista? If so, then Vista may have corrupted it for you. As to how this could have happened while browsing in Linux, I'm skeptical. Note that I'm not a security expert, though. But if this did happen as you report, then this has serious implications for Linux.

You might want to hit the report button and ask that this be moved to the Linux-Security forum, though unSpawn and others do look at this forum.
Old 10-28-2009, 02:59 PM   #4
Jim Bengtson
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38

Sure smells like malware. Check your DNS settings to see if it's been changed to or ( If it has, change them back.
Old 10-28-2009, 03:13 PM   #5
Registered: Jan 2004
Posts: 307

Original Poster
Rep: Reputation: 33
Originally Posted by Jim Bengtson
Just a guess...check your DNS settings. If the malware somehow changed your DNS settings, then you could be surfing a look-alike site that's full of more malware. If that was automatically downloaded via Firefox, [I think] it would cause Wine to start.

Just a guess...
Sorry...not too familiar with that. how do I check?

Quakeboy: no, the .wine is on a linux drive, Vista cannot use it.
Old 10-28-2009, 03:15 PM   #6
Jim Bengtson
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Sorry...not too familiar with that. how do I check?
Old 10-28-2009, 03:25 PM   #7
Registered: Jan 2004
Posts: 307

Original Poster
Rep: Reputation: 33
does this look right?
crashedagain@acer:~$ cat /etc/resolv.conf 
# Generated by NetworkManager
crashedagain@acer:~$ cat /etc/host.conf 
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
crashedagain@acer:~$ is my router address....

Last edited by CrashedAgain; 10-28-2009 at 03:34 PM.
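A systematic version of the "check your DNS settings" advice, added here and not part of the thread: compare the nameserver entries of a resolv.conf-style file against the resolvers you expect (normally just the router, which the poster confirms is what is listed) and report anything else. The router address and the rogue entry in the sample are constructed; 203.0.113.0/24 is a documentation range, chosen so the sample cannot point at a real server.

```shell
#!/bin/sh
# Added example (not from the thread): compare the resolvers in a
# resolv.conf-style file with the ones you expect (normally just the
# router, or your ISP's servers) and flag any other entry. A changed
# resolver is the symptom the "DNS settings" suggestion is looking for.

# Constructed sample: the second nameserver is the kind of entry that
# should not be there (203.0.113.0/24 is a documentation range).
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 203.0.113.53'

# True (exit 0) if $1 is an RFC 1918 private IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*)                        return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Read resolv.conf on stdin; print every nameserver not in the
# space-separated allowlist given as $1.
unexpected_nameservers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Human-readable report: unexpected entries, tagged private/public so a
# LAN address you simply forgot to allowlist is easy to tell apart from
# an outside server.
resolver_report() {
    unexpected_nameservers "$1" | while read -r ns; do
        if is_private_ipv4 "$ns"; then
            echo "$ns unexpected (private address)"
        else
            echo "$ns unexpected (public address, investigate)"
        fi
    done
}

# Demonstration on the constructed sample; on a live box use:
#   resolver_report "<your router address>" < /etc/resolv.conf
printf '%s\n' "$SAMPLE_RESOLV" | resolver_report "192.168.1.1"
```

On a NetworkManager-managed system the file is rewritten on every connection, so an unexpected entry that keeps coming back points at the source the manager is fed from (DHCP from the router, or the router's own configuration) rather than at a one-off edit of the file.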
Old 10-28-2009, 03:33 PM   #8
Senior Member
Registered: Jan 2008
Distribution: Arch/Knoppix
Posts: 1,823
Blog Entries: 14

Rep: Reputation: 282
I never internet through wine.
Perhaps, but you'd be surprised how many programs access the internet these days. Check for updates, etc. Wine docs do explicitly say that you can get virii through its use; but you're quite sure you were running no other wine programs, so that seems improbable too, unless it occurred in a previous session...
Old 10-28-2009, 04:00 PM   #9
Senior Member
Registered: Nov 2006
Distribution: Debian Linux 10 (Buster)
Posts: 3,373

Rep: Reputation: 138
What's the output of "/sbin/route"?
Old 10-28-2009, 04:21 PM   #10
Gentoo support team
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

Rep: Reputation: 404
Interesting. The possibility always existed but this is the first case I've seen where a Windows virus really worked properly under wine.

Have you tried some AV software? You should check your user files; it could potentially have spread out of the ~/.wine directory if the virus was really designed with wine in mind (if there's a virus at all, that is). It really shouldn't have affected the rest of the system, unless you were running wine as root, which you shouldn't.
Old 10-28-2009, 04:53 PM   #11
Senior Member
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,339

Rep: Reputation: 231
Great, the viruses have spread to the linux world.
get a windows antivirus and linux antivirus then scan asap
Old 10-28-2009, 05:06 PM   #12
Gentoo support team
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,083

Rep: Reputation: 404
What should be worrying the OP more than anything else is *how* did a remote javascript snippet gain the faculty to run wine locally. Well, I am no specialist in Firefox, maybe it has become some really bad critter like IE/ActiveX, but I doubt it.

In any case, if you use Firefox or Seamonkey, do yourself a favor and use the noscript extension. The browser should include that functionality out of the box. When you use noscript, if a site that you don't trust asks for permissions to run a javascript snippet, you can still run it without worrying about it going out of the sandbox that firefox should always be. This will work even with trusted sites. It is so efficient that you even need to add custom rules so your browser can access the local mldonkey server if you use ed2k links. The way things should be.
Old 10-28-2009, 05:18 PM   #13
Registered: Jan 2004
Posts: 307

Original Poster
Rep: Reputation: 33
Originally Posted by Quakeboy02
What's the output of "/sbin/route"?
crashedagain@acer:~$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface     *        U     1      0        0 eth0
link-local      *          U     1000   0        0 eth0
default         UG    0      0        0 eth0
Old 10-28-2009, 05:23 PM   #14
Senior Member
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
I have an adblocker and a flashblocker installed.
Nothing to prevent javascript or anything special.

I was adventurous and tried the site
(I do have backups)
It is still open now in the next tab.

Nothing happened when I clicked "exit" (or "no") on the question if I wanted to download.
Only when I clicked "yes" it of course downloaded something.
To the folder where all downloads go. ( ~/Desktop/Downloads - if anyone is interested)
Nothing happened by itself.

I had to actually run:
cd ~/Desktop/Downloads
wine setup.exe
before anything started

What did start was a setup dialog - which I had again to click through.
(looked like fake vista - really obvious here in gnome with totally different style)

What was started then I don't really know - some window opened and reported scanning my devices.
The sound in wine also worked (windows sound - for failure or message? - don't know. I seldom use windows)

ps ax gives
 4516 ?        Ss     0:02 /usr/bin/wineserver
 4520 ?        Sl     0:00 C:\windows\system32\services.exe                                      
 4522 ?        Sl     0:00 C:\windows\system32\winedevice.exe MountMgr                                      
 4531 ?        Ss     0:00 C:\windows\system32\explorer.exe /desktop                                      
 4533 pts/1    Ss     0:00 -bash
 4550 pts/0    Sl     0:03 C:\windows\temp\ppl4c5d.tmp.exe                                      
 4581 ?        S      0:00 gedit
 4590 pts/0    Sl     0:24 C:\Programme\SoftBarrier Software\SoftBarrier\SoftBarrier.exe
after killing the wine processes I intentionally started - nothing was altered.
Except of course my ~/.wine/drive_c/windows/ directory contained lots of files which were just installed.

NOT by accident - I had to do quite some work.

[edit]: correction:
the setup dialog looked like anything in wine - very distinct from the normal look
the windows of the program which was started then looked like vista

Last edited by jomen; 10-28-2009 at 06:23 PM.
Old 10-28-2009, 10:39 PM   #15
Registered: Jan 2004
Posts: 307

Original Poster
Rep: Reputation: 33
Do you have anything like the files list I have in drive_c/~/system32?

I never clicked on "yes" anywhere and I would have had to be VERY diligent to prevent the download from occurring..I thought I was but Firefox downloader reports that it d/l a "setup.exe" from at 10.21 am this morning. Only 40 KB, would have been virtually instant! I dunno where it should have gone to Desktop...and find files can't find any unknown "setup.exe" anywhere. I assume it was in '/home' somewhere. The d/ls before and after it both went to Desktop. does appear on this list of known malicious sites as a recent addition.
My only wine programs are cad programs, none of which access the internet....but now I seem to have acquired AutoHotKey which I am quite sure I didn't install.

Here is a list of the files in my windows directory....quite a few suspicious files here and many of them were accessed this morning around 11 am.
crashedagain@acer:~$ ls .wine/drive_c/windows/
1001zddw95e267.dll        3512v9rzs1fd.cpl         6z18s9y66f5.dll
102759i5us1za.bin         3535thre9tz254.ocx       7001not-a9vi5us1z5.cpl
10a7zack9oo51244.bin      3565addwarez749.dll      7059zot-a9virus75a.bin
11476t59zbd.dll           35829orm345z.exe         7092worm65z.cpl
11b5tzief25139.dll        3689thie5z087.exe        7109azdware5911.exe
11d3ad5war942z.dll        3723tr9521ez.bin         7375dowzloade91267.bin
11z2spyware395.bin        37z5thre9t16119.dll      7380s5yware2z539.ocx
120es95az1739.exe         382d9ownloadez2485.cpl   7525addwa5ez997.dll
121z55irus2899.dll        3877vi912z5.ocx          7566adzw95e96.ocx
12276wor55zd9.bin         389695zj5b9.exe          757azdware9160.ocx
128959yware2036z.bin      3898steal12z5.cpl        75b6b9zkdoor715.ocx
12899h5efz869.cpl         39277virzs3725.dll       75bzsparse99.dll
13555szy79f.bin           3a899h5ezt23134.exe      75z9worm585.ocx
137hazkto5l93f.ocx        3b0fzpy5ar91307.cpl      76dzthrea917195.exe
13dczi93035.cpl           3dfespyw5rz839.exe       77c3bac9door2z50.dll
142z9wo5m929.exe          3e59stzal2551.bin        78995acz9oor469.ocx
15070zpy349.cpl           3e95v9r218z.cpl          7987vir154z.bin
1533zsp96e4.ocx           3f96backdoo9z225.bin     79a65hiefz814.exe
1555spz7099.dll           3z62th9ef26655.bin       79b1tzreat31854.ocx
15657h9zktool715.ocx      415ha5kzool97.cpl        79zt5oj35.bin
1597addwaz91865.exe       4173sparze22195.ocx      7azfdownl9ader1594.bin
16191spa5bot4z4.ocx       424spambo579z.bin        7c5cspyware29z2.cpl
16229spambzt2f5.ocx       42fbs9arsez543.ocx       7d35thzef25929.cpl
1665spywaz945.bin         43489hie5198z.dll        7eeza9dware19395.dll
169595zy499.dll           436zdownloade92853.cpl   7z879roj7c5.cpl
17039not-z-virus50.cpl    4547zte9l74.cpl          7za9thief517.exe
1706259y7ez.ocx           4558vi9634z.cpl          7ze7v5r9134.dll
17479hackt5zl57f.exe      45d5zhreat9371.exe       81265r9z167.cpl
1751hac9tooz5a9.dll       45fdthreaz15189.bin      881vz530279.cpl
17589hief155z.bin         464dszarse995.dll        89629irzs546.ocx
1759zspambot66e9.cpl      4695zddware25169.bin     8972wo5m9z0.ocx
176z7spy95.exe            4754sze5l901.exe         89zspars5487.ocx
17852wor91z9.bin          4931b9ckzoo52267.cpl     901fspyw5ze1871.dll
17861za9kt5ol43c.ocx      49ebvir951z5.ocx         90505zorm2f7.exe
17czspa5s91118.bin        4d3ca5zwa9e2323.cpl      905athrzat5250.dll
18395not-a59zrus500.ocx   4ef9sp9ware5z30.ocx      907hack5ozl31d.cpl
18479troj955z.exe         4f4ds59zare2009.cpl      9085v5r1594z.exe
18624virusz95.dll         4f4zdownl5ader9021.cpl   90z50spambot496.dll
1869zhack9oo5661.cpl      4ff8spz9are26505.cpl     91251zorm15a.bin
189015roj921z.bin         50472viruszb9.dll        92659virzs542.cpl
19055viruz17e.exe         505ddownzoa9er2583.ocx   928vzr1656.cpl
19183zpambot5a0.ocx       50czsteal1589.bin        928zpy59e.cpl
193fz5988.bin             50e9v9z1953.dll          92z1vi51673.ocx
194519pzmbo5340.cpl       510bz9yware2534.dll      9318vi5uz444.exe
19505spazbot190.ocx       5117st5al119z.dll        9485wzrm581.bin
1950spzrse759.ocx         51495pywzre775.exe       94b5sparz51962.bin
19562virus6z.dll          516adow5lozder8599.exe   950z1spambot10f.dll
19658spy6zd.dll           519troj9zf.bin           95527not-a-vzrus339.cpl
19689h5cktool3dz.bin      5255steal59z6.exe        95628notza-virus6db.dll
1977spywz5e1273.exe       52562spy29z.cpl          95z53worm2c9.dll
19954h9zktool47f.dll      5262zhie9707.exe         964zspy589.exe
19z98tr5j91d.bin          526bdownloazer19015.bin  96z30virus565.dll
1a859ownloazer1308.exe    52b9do5nloader95z.bin    9705not-a-virus35z.dll
1b439ackdzor2259.cpl      5346t5iez3029.dll        9750s9y6z25.ocx
1cbzthre9t15275.bin       53adv9z568.ocx           976down5oazer91.exe
1d395pyw9re8z.dll         542z29irus472.ocx        9787zackdoor1531.bin
1f01ba5zdoor2559.cpl      54939pyzare2359.dll      9855vzrus32b.bin
1z09thi5f45.ocx           5528thiz51792.dll        9869v5rus2z9.exe
1z2espar9e26875.cpl       5539sparsz11309.exe      9881nzt-a-vi5us44c9.ocx
1z344spa9bot4c5.cpl       553zsparse10109.cpl      992bv5r9z.cpl
1z6359orm2a0.ocx          55744zacktool9f1.dll     995zspambot538.ocx
1z929spa5bot1ac.cpl       5579zspy1a1.ocx          99828sza5bot5a3.ocx
1zabstea910855.bin        55z5parse2669.exe        99afzh5eat15008.exe
202599acktzol1.cpl        5627zh9eat1535.exe       9b75vir1593z.ocx
20887vizus954.ocx         56910worm2z9.bin         9b9bspar5e11z1.exe
209z5worm771.dll          5725t9izf5705.bin        9e1dow5zoad9r2904.ocx
216579irusz4b.exe         57ee5ac9dooz469.bin      9e5vir567z.cpl
22110v9rus5z0.ocx         5816spy9are2952z.bin     9e5vir9z7.exe
2289zackto5l439.exe       585zt9o5338.bin          9e9spyware25z9.exe
229765py690z.bin          5878ha9ktozl295.cpl      9z06ha5ktool7ac9.cpl
23536w95m40az.exe         5885w9rm6z1.exe          a909pz5are460.cpl
24195zeal1859.dll         589adownloadzr1929.dll   ba0baczdoo5948.dll
2431s5ambot9zd.cpl        589athizf9651.bin        command
24783wz5m499.bin          58z2vi93175.exe          d39vi52z0.bin
24a4virz3925.bin          59347wzrm459.bin         Downloaded Installations
24aabac5zoor18639.dll     597z8spambot357.exe      e159zarse31205.cpl
24esp5rze9044.bin         5986wz5m7ab.bin          explorer.exe
25054not-a-zir9s5ec.dll   5989virz315.cpl          Fonts
25084tr9jz9.cpl           59z9spa5bot4a7.cpl       gecko
251estz9l1041.bin         5a55zhief2914.ocx        hh.exe
25382viru962ez.exe        5az2spars91285.ocx       inf
25589zac9too5140.bin      5azestea92545.cpl        Installer
25617wor95zb.bin          5b9b95rz409.ocx          notepad.exe
25730vi5u96zb.cpl         5bb59ackdozr490.bin      profiles
2595thz9f3230.ocx         5c48thz9at15130.ocx      regedit.exe
25f8stealz933.ocx         5c99addwarez905.ocx      ShellNew
26479s5a9botzd.dll        5cd9zir1795.bin          system
26584not-z-virus5369.exe  5e70dz95loader1144.bin   system32
26bcs9ezl1659.ocx         5f31d95nloader317z.ocx   system.ini
27676vz9u54be.bin         5f3asparse292z.bin       temp
27882z5rus41f9.dll        5f5fdow9lzader1693.dll   twain_32.dll
27ebdownl9ade597z.ocx     5z19not-a-virus559.dll   uninst.exe
28206not-a-vi9u5zd.cpl    5z29w5rm7a1.dll          winhelp.exe
2856v95us3cz.cpl          5z9download5r3619.exe    winhlp32.exe
285aspy5a9ez63.dll        62fdzownload9r555.cpl    win.ini
28939spambot31z5.ocx      6409zi931015.exe         winsxs
29024viruz1359.exe        6491addwar524z7.cpl      z0569troj396.bin
2945zworm359.dll          651bbackdoor9620z.bin    z0754w5rmec9.ocx
29504hacktzol39.dll       6553zo95loader2488.exe   z0995spambot47d.bin
2953zi5us25b.ocx          65609ro5zfa.cpl          z1491troj5f89.dll
295vz5us930.ocx           657zvi9usd2.bin          z1525hac9tool2e0.dll
296zthreat10956.dll       65fc5hr9az4395.ocx       z3954virus5f9.exe
2976z5arse316.exe         662z9teal561.ocx         z4edown9oader3055.dll
29z75spambo9145.bin       6650sparze963.cpl        z5055r9j3b5.exe
2azc5hreat91427.dll       6770s9ars51z43.cpl       z53dthreat29864.cpl
2b5s5ywzr91671.dll        6795zp5ware2627.dll      z5ces9yware2576.cpl
2b9bspywaze5875.dll       68559ir28z7.exe          z816ad9ware1352.dll
2d1dback5oorz395.cpl      68azthie91556.dll        z85439acktool57d.dll
2d59thzeat7065.cpl        68e1threaz977285.cpl     z8f6stea95127.bin
2de1downzoa5er1958.exe    6954hac5tool9z9.dll      z918backdoor10665.ocx
2z707wo5m99.cpl           69625py4z3.cpl           z91daddware9950.ocx
2z98ste951865.bin         6975vzr498.dll           z9616t5ojd29.dll
2za5thre9t19750.dll       699ddo5nloadez2545.bin   z9623hackt5ol253.bin
30227zp93265.dll          69zvir3025.ocx           z9bcthi9f365.exe
3059addzare936.dll        6a0cspywzre9537.dll      zc90s9arse2085.bin
30z88spam5ot7d9.cpl       6a8ddo95loadez566.bin    zd7e9p5rse1975.exe
3129troz28d5.ocx          6az5spywa9e2655.ocx      zdf29ir2758.bin
31499spy4z15.cpl          6cfzspyware925.dll       ze15back5oor392.exe
3158vir5996z.bin          6d36virz905.exe          ze4spyw9re1645.dll
31fz5ir1349.bin           6e55spars93z0.cpl        ze65ir9056.ocx
3295no9-a-vzrus32a.cpl    6e73stea953z2.bin        zfddow9l5ader1364.ocx
3483stea9z5105.cpl        6fb5dow9lozder1848.cpl   zff5vi9238.bin
3490threa51516z.ocx       6fbz5ddware19869.cpl
So it really does look like something managed to start up wine and attempt to do something malicious.

I'm going to reinstall wine but I will transfer the existing .wine subdir to somewhere safe (CD or flash drive) in case anyone needs the info for tracking down something.

Also, the list-of-known-malicious-sites suggests that one should deny access to the sites on the list. How would one do this?
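Sorting a directory listing like the one above by hand is painful; the added example below (not from the thread) does two things on a file-name list read from stdin. First it reports every executable-looking name that is not in a baseline of the files a stock Wine C:\windows is expected to contain; that baseline is an assumption drawn from the untouched entries in the poster's listing (explorer.exe, notepad.exe, regedit.exe and so on) and should be extended from a clean Wine prefix of the same version. Second it counts names that still contain a malware-family word once the padding digits and "z" characters seen in the listing are stripped. The sample names are a constructed subset of the listing.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Wine C:\windows listing.
# Reads one file name per line on stdin.

# Constructed sample: a few names from the post's listing plus the normal
# Wine files that also appear there.
SAMPLE_LISTING='1001zddw95e267.dll
7092worm65z.cpl
1759zspambot66e9.cpl
9705not-a-virus35z.dll
651bbackdoor9620z.bin
6cfzspyware925.dll
explorer.exe
notepad.exe
regedit.exe
win.ini
system.ini'

# Assumed baseline of a stock Wine C:\windows, taken from the untouched
# entries in the post; extend it from a clean prefix of your Wine version.
WINE_BASELINE='explorer.exe notepad.exe regedit.exe hh.exe winhelp.exe winhlp32.exe uninst.exe twain_32.dll system.ini win.ini'

# Print names with an executable/library/binary extension that are not in
# the baseline. This is the primary check: it does not depend on the name
# revealing anything.
unexpected_files() {
    awk -v base="$WINE_BASELINE" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[tolower(b[i])] = 1 }
        tolower($0) ~ /\.(exe|dll|ocx|cpl|bin)$/ && !(tolower($0) in ok) { print }'
}

# Count names per malware-family word after stripping the digit and "z"
# padding seen in the listing. Names where a letter was substituted (e.g.
# "backdoo9") are missed, which is why this is only a secondary signal.
family_counts() {
    awk '
        BEGIN { nf = split("not-a-virus backdoor spambot worm virus spyware troj downloader hacktool thief steal sparse addware threat", fam, " ") }
        {
            s = tolower($0); gsub(/[0-9z]/, "", s)
            for (i = 1; i <= nf; i++) if (index(s, fam[i])) { c[fam[i]]++; break }
        }
        END { for (f in c) print f "\t" c[f] }' | sort
}

# Demonstration on the constructed sample; on a live prefix use e.g.:
#   ls ~/.wine/drive_c/windows | unexpected_files
printf '%s\n' "$SAMPLE_LISTING" | unexpected_files
printf '%s\n' "$SAMPLE_LISTING" | family_counts
```

To narrow the set further by time, as the poster did with the "accessed this morning around 11 am" observation, GNU find can list what changed in a window, for example `find ~/.wine/drive_c -newermt '2009-10-28 10:00' ! -newermt '2009-10-28 12:00'`; run it before copying the prefix off for safekeeping, since the copy will reset the timestamps unless you preserve them (`cp -a`).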


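One common way to deny access to a list of sites on a single Linux machine is to map their names to an unroutable address in /etc/hosts, which the system resolver (and so Firefox) consults before DNS. The example below is added here and is not from the thread; the blocklist it processes is constructed from placeholder names under the reserved "example" domains, since the page does not name the site.

```shell
#!/bin/sh
# Added example (not from the thread): turn a blocklist into /etc/hosts
# entries that resolve the names to 0.0.0.0, and merge them into a hosts
# file between marker comments so the script can be re-run safely.

# Constructed blocklist: placeholder names, not real sites. One host or
# URL per line, "#" comments allowed, case and duplicates tolerated.
SAMPLE_BLOCKLIST='# constructed blocklist
malicious-scanner.example
http://fake-av.example.net/setup.exe
FAKE-AV.example.net
not a hostname
'

# Read a blocklist on stdin; print "0.0.0.0 <host>" for each plausible,
# unique hostname. URLs are reduced to their host part; anything that does
# not look like a hostname is dropped rather than written into /etc/hosts.
hosts_block_entries() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        {
            h = tolower($1)
            sub(/^[a-z]+:\/\//, "", h)                # drop http:// etc.
            sub(/[\/:].*$/, "", h)                    # drop path or port
            if (h ~ /^([a-z0-9-]+\.)+[a-z][a-z]+$/ && !(h in seen)) {
                seen[h] = 1
                print "0.0.0.0 " h
            }
        }'
}

# Merge entries from stdin into the hosts file $1, replacing any earlier
# block between the markers. Writing with cat > file (not mv) keeps the
# ownership and permissions of the original file.
apply_hosts_block() {
    f="$1"
    tmp="$(mktemp)" || return 1
    awk '/^# BEGIN blocklist$/ { skip = 1; next }
         /^# END blocklist$/   { skip = 0; next }
         !skip' "$f" > "$tmp"
    {
        echo "# BEGIN blocklist"
        cat
        echo "# END blocklist"
    } >> "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Demonstration: print the entries the constructed blocklist produces.
# To install for real (as root):
#   hosts_block_entries < blocklist.txt | apply_hosts_block /etc/hosts
printf '%s\n' "$SAMPLE_BLOCKLIST" | hosts_block_entries
```

This only covers lookups that go through the system resolver: a proxy configured in the browser, or a link that uses a bare IP address, is not affected, and a site that changes hostnames needs the list refreshed. For a whole household the same block is better placed on the router or in a filtering DNS resolver, so every machine benefits.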
