A window opened with a progress bar which quickly completed, then popped up a window which said I had several viruses in the system and did I want the site to clean them out. Naturally I declined, but as soon as I clicked "no", Firefox downloader started downloading a "setup.exe" which I immediately stopped, but it appeared to have d/l'd anyway as "install" windows started popping up.
Then I started getting a sound bite "bong" every couple of minutes or so and then a window popped up labeled "Windows Security Center" "you are under attack from site <url> . This could be a trojan. Do you want SoftBarrier to block this attack and check your system?" Again I closed the window.
I shut down all apps but this action continued with no other applications running so I checked for running processes:
The C:\windows\... processes looked suspicious so I killed 5732 and all the C:\windows processes shut down. The sound "bong" and the pop up "security alert" then ceased.
I'm pretty sure most of this stuff is not supposed to be there!
There are also strange .exe files throughout the wine drive_c so I guess an R&R of wine is in order.
So how is this possible? I never use the internet through wine. Wine was not running, yet the malware appears to have installed and started. Is it possible that some insidious bug has managed to infest a Linux system by detecting the presence of .wine and attacking there?
BTW, google comes up blank searching for "gvirusprotect" or for any of the odd .exe files (like z049vi9us551.exe). "SoftBarrier" is a fake windows protection program.
My system is dual boot Ubuntu 9.04/Vista and I use Firefox for a browser. Firefox is NOT installed on the wine system. Vista has avg virus protect on it, Ubuntu does not have any virus protection. Vista is seldom used...last used probably about 3 weeks ago.
Last edited by CrashedAgain; 10-28-2009 at 02:47 PM.
Just a guess...check your DNS settings. If the malware somehow changed your DNS settings, then you could be surfing a look-alike site that's full of more malware. If that was automatically downloaded via Firefox, [I think] it would cause Wine to start.
Does the *real* vista have disk access to your wine directory? IOW, did you put your wine in a FAT partition and then give access to that partition to Vista? If so, then Vista may have corrupted it for you. As to how this could have happened while browsing in Linux, I'm skeptical. Note that I'm not a security expert, though. But if this did happen as you report, then this has serious implications for Linux.
You might want to hit the report button and ask that this be moved to the Linux-Security forum, though unSpawn and others do look at this forum.
Sure smells like malware. Check your DNS settings to see if it's been changed to ns1.gvirusprotect.com or ns2.gvirusprotect.com (213.155.22.194). If it has, change them back.
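The check suggested in this reply, written out as a small POSIX shell script. This is an added example and not something posted in the thread: it reads the `nameserver` lines from a resolv.conf-style file and flags any that match the rogue resolvers named above (ns1/ns2.gvirusprotect.com, 213.155.22.194) or that are not on an allow-list you pass in. The two sample files are constructed here so the script runs offline; the rogue hostnames and IP come from the reply, the router address from the poster's own output.

```shell
#!/bin/sh
# Added example (not from the thread): audit nameserver entries in a
# resolv.conf-style file for known-rogue or unexpected resolvers.

# Values quoted in the thread as the fake-AV resolvers.
ROGUE_NS="ns1.gvirusprotect.com ns2.gvirusprotect.com 213.155.22.194"

# check_resolvers <resolv.conf path> <space-separated allowed nameserver IPs>
# Prints one line per finding; returns 0 if clean, 1 if anything suspicious.
check_resolvers() {
    file="$1"
    expected="$2"
    status=0
    # Only 'nameserver' lines matter; comments, 'search' and 'options' are skipped.
    for ns in $(awk '/^[[:space:]]*nameserver[[:space:]]+/ { print $2 }' "$file"); do
        bad=0
        for r in $ROGUE_NS; do
            if [ "$ns" = "$r" ]; then bad=1; fi
        done
        if [ "$bad" -eq 1 ]; then
            echo "ROGUE nameserver $ns (known fake-AV resolver)"
            status=1
            continue
        fi
        ok=0
        for e in $expected; do
            if [ "$ns" = "$e" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED nameserver $ns (not in allow-list: $expected)"
            status=1
        fi
    done
    return "$status"
}

# Constructed samples so the script can be exercised without touching /etc.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Mirrors the poster's file: the router is the only resolver.
cat > "$SAMPLE_DIR/clean.conf" <<'EOF'
# Generated by NetworkManager
nameserver 192.168.2.1
EOF

# Constructed hijacked variant: the rogue IP was inserted ahead of the router.
cat > "$SAMPLE_DIR/hijacked.conf" <<'EOF'
# Generated by NetworkManager
nameserver 213.155.22.194
nameserver 192.168.2.1
EOF

# Demonstration run on the two samples.
check_resolvers "$SAMPLE_DIR/clean.conf" "192.168.2.1" && echo "clean.conf: OK"
check_resolvers "$SAMPLE_DIR/hijacked.conf" "192.168.2.1" || echo "hijacked.conf: tampered"
```

For a real check, call `check_resolvers /etc/resolv.conf "<your router IP>"`. On a NetworkManager system the file is regenerated, so if a rogue entry reappears after you fix it, the change is coming from the DHCP lease or the connection profile, not from the file itself.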
Quote:
Just a guess...check your DNS settings. If the malware somehow changed your DNS settings, then you could be surfing a look-alike site that's full of more malware. If that was automatically downloaded via Firefox, [I think] it would cause Wine to start.
Sorry...not too familiar with that. How do I check?
Quakeboy: no, the .wine is on a linux drive, Vista cannot use it.
Code:
crashedagain@acer:~$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.2.1
crashedagain@acer:~$ cat /etc/host.conf
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
crashedagain@acer:~$
192.168.2.1 is my router address....
Last edited by CrashedAgain; 10-28-2009 at 03:34 PM.
Perhaps, but you'd be surprised how many programs access the internet these days. Check for updates, etc. Wine docs do explicitly say that you can get virii through its use; but you're quite sure you were running no other wine programs, so that seems improbable too, unless it occurred in a previous session...
Interesting. The possibility always existed but this is the first case I've seen where a Windows virus really worked properly under wine.
Have you tried some AV software? You should check your user files, it could potentially have spread out of the ~/.wine directory if the virus was really designed with wine in mind (if there's a virus at all, that is). It really shouldn't have affected the rest of the system, unless you were running wine as root, which you shouldn't.
What should be worrying the OP more than anything else is *how* did a remote javascript snippet gain the faculty to run wine locally. Well, I am no specialist in Firefox, maybe it has become some really bad critter like IE/ActiveX, but I doubt it.
In any case, if you use Firefox or Seamonkey, do yourself a favor and use the noscript extension. The browser should include that functionality out of the box. When you use noscript, if a site that you don't trust asks for permissions to run a javascript snippet, you can still run it without worrying about it going out of the sandbox that firefox should always be. This will work even with trusted sites. It is so efficient that you even need to add custom rules so your browser can access the local mldonkey server if you use ed2k links. The way things should be.
I have an adblocker and a flashblocker installed.
Nothing to prevent javascript or anything special.
I was adventurous and tried the site
(I do have backups)
It is still open now in the next tab.
Nothing happened when I clicked "exit" (or "no") on the question if I wanted to download.
Only when I clicked "yes" it of course downloaded something.
To the folder where all downloads go. ( ~/Desktop/Downloads - if anyone is interested)
Nothing happened by itself.
I had to actually run:
Code:
cd ~/Desktop/Downloads
wine setup.exe
before anything started
What did start was a setup dialog - which I had again to click through.
(looked like fake vista - really obvious here in gnome with totally different style)
What was started then I don't really know - some window opened and reported scanning my devices.
The sound in wine also worked (windows sound - for failure or message? - don't know. I seldom use windows)
After killing the wine processes I intentionally started - nothing was altered.
Except of course my ~/.wine/drive_c/windows/ directory contained lots of files which were just installed.
NOT by accident - I had to do quite some work.
[edit]: correction:
the setup dialog looked like anything in wine - very distinct from the normal look
the windows of the program which was started then looked like vista
Do you have anything like the files list I have in drive_c/~/system32?
I never clicked on "yes" anywhere and I would have had to be VERY diligent to prevent the download from occurring..I thought I was but Firefox downloader reports that it d/l a "setup.exe" from foxyfis.com at 10.21 am this morning. Only 40 KB, would have been virtually instant! I dunno where it went...it should have gone to Desktop...and find files can't find any unknown "setup.exe" anywhere. I assume it was in '/home' somewhere. The d/ls before and after it both went to Desktop.
Foxyfis.com does appear on this list of known malicious sites as a recent addition.
My only wine programs are cad programs, none of which access the internet....but now I seem to have acquired AutoHotKey which I am quite sure I didn't install.
Here is a list of the files in my windows directory....quite a few suspicious files here and many of them were accessed this morning around 11 am.
So it really does look like something managed to start up wine and attempt to do something malicious.
I'm going to reinstall wine but I will transfer the existing .wine subdir to somewhere safe (CD or flash drive) in case anyone needs the info for tracking down something.
Also, the list-of-known-malicious-sites suggests that one should deny access to the sites on the list. How would one do this?
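One common way to deny access to the names on such a list is to sinkhole them in /etc/hosts, which the poster's own host.conf ("order hosts,bind") consults before DNS. The script below is an added example, not something from the thread: it maintains a marked section of a hosts file from a plain-text domain list, adding a `www.` variant for each name and leaving everything outside the markers untouched, so it can be re-run when the list changes. The marker text and list format are assumptions; foxyfis.com and gvirusprotect.com are the names quoted in this thread, the remaining sample entries are constructed. It only blocks names, not IP addresses, and only on the machine whose hosts file you edit.

```shell
#!/bin/sh
# Added example (not from the thread): sinkhole blocklisted domains via a
# managed section of an /etc/hosts-style file.

BEGIN_MARK="# BEGIN blocklist (managed)"
END_MARK="# END blocklist (managed)"

# apply_blocklist <domain list file> <hosts file>
# Replaces the managed section of the hosts file with 0.0.0.0 entries for every
# domain in the list. Comments (#...) and blank lines in the list are ignored,
# names are lower-cased and de-duplicated, and a www. variant is added.
apply_blocklist() {
    list="$1"
    hosts="$2"
    tmp="$hosts.tmp"
    # Copy everything outside the managed section (if any) to the new file.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }' "$hosts" > "$tmp"
    printf '%s\n' "$BEGIN_MARK" >> "$tmp"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list" \
        | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u \
        | while read -r d; do
            printf '0.0.0.0 %s\n' "$d"
            case "$d" in
                www.*) ;;
                *) printf '0.0.0.0 www.%s\n' "$d" ;;
            esac
          done | sort -u >> "$tmp"
    printf '%s\n' "$END_MARK" >> "$tmp"
    mv "$tmp" "$hosts"
}

# is_blocked <hostname> <hosts file>: exit 0 if the hosts file sinkholes it.
is_blocked() {
    awk -v h="$1" '$1 == "0.0.0.0" && $2 == h { found = 1 } END { exit !found }' "$2"
}

# Constructed sample inputs so the script runs without touching /etc/hosts.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/blocklist.txt" <<'EOF'
# constructed sample list; the first two names are the ones quoted in the thread
foxyfis.com
gvirusprotect.com
EXAMPLE-bad.test   # trailing comment and mixed case are normalised away
EOF

cat > "$WORK/hosts" <<'EOF'
127.0.0.1 localhost
EOF

apply_blocklist "$WORK/blocklist.txt" "$WORK/hosts"
cat "$WORK/hosts"
```

To apply this to the live file, run `apply_blocklist blocklist.txt /etc/hosts` as root after backing the file up; because only the marked section is rewritten, re-running it with an updated list does not duplicate entries or disturb your own hosts lines.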