LinuxQuestions.org
Old 10-29-2009, 05:37 AM   #16
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55

The windows programs you use in wine could be a cause of this - sure these are clean programs and not some pirated versions?

On visiting the site a browser message pops up:
Quote:
Warning! Your PC is at risk of virus and malware attack.
Your system requires immediate check!
System Security will perform a quick and free scan of your PC for viruses and malicious programs.
- a fake window which looks like a Vista pop-up
- any click opens download dialog
- if I cancel the download - nothing happens
- for me it asks what to do - download or execute with a program I have to specify
- if this would be customized to just open .exe with wine - or the distro did it for you...
it would spare you the next step
and could be a reason for the "infection".
Not that I take it lightly - it could at this point delete all your files - or encrypt them...


I have to actively start the downloaded file.
installer says it's installing - while it is actually downloading a whole lot of stuff.
I have a shield like icon in my tray.
these processes are running:
Code:
 2880 jochen     1   0  5176 2476  620 S  0.0  0.3   0:01.23 /usr/bin/wineserver                                                                         
 2884 jochen     1   0 1557m 2796 2140 S  0.0  0.3   0:00.02 C:\windows\system32\services.exe                                                            
 2886 jochen     1   0 1557m 3096 2368 S  0.0  0.3   0:00.02 C:\windows\system32\winedevice.exe MountMgr                                                 
 2898 jochen     1   0 1567m 8508 5856 S  0.0  0.9   0:00.23 C:\windows\system32\explorer.exe /desktop                                                   
 2906 jochen     1   0 1572m  11m 7608 S  0.0  1.3   0:03.76 C:\windows\temp\geo6692.tmp.exe                                                             
 2966 jochen     6   0  2476 1144  876 R  0.0  0.1   0:00.14 top
- after 3+ minutes a windows sound occurs
which is both distinct from any gnome sound as well as unusual because I have no system sounds at all.

- after another 3+ minutes a message pops up - from the bottom right where windows notification area is.

I have only one panel - and it is at top of screen. Notifications also pop up top right.

This is nagware - it constantly gets on your nerves warning you about things which never happened.
I'm behind a firewall - nothing gets in what I did not want.

If it is also malware I don't know.
They want you to buy some anti-virus product for $49.95 - which will probably also be infested.

But it really did not sneak in - I had to do the work.
And now I'm killing it.
again.

reinstalling wine will not help BTW - wine is not affected.
But you'd want to delete ~/.wine recursively and start fresh, because that is where the files get written to.

Had tcpdump running if anyone is interested.

Some listings.
This was a fresh install (removed ~/.wine and started fresh with winecfg - then went to the site)
Only 1% of these files belongs there (so to say, because I was the one who started it and cannot now complain).
Code:
~/.wine $ ls -a drive_c/windows/winsxs/manifests/
.  ..  x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef.manifest


~/.wine $ ls -a drive_c/windows/
.                        2019zspy5d59.ocx          2z95addw9re2080.exe      51a9b9ckd5orz053.cpl     65f0th5e972z.dll        95z34worm3cc.exe
..                       205719acktooz71c.cpl      301d5own9oazer654.exe    51acdowzlo9d5r68.dll     665zs9am5ot7c6.ocx      96234sp5mbotz16.ocx
10022hzcktoo519c.bin     205z0spambot6259.bin      30368troz295.ocx         51atzreat4395.dll        66915d9warz1700.ocx     9650v5r1249z.bin
101279o5z121.exe         20715hazktoo92215.bin     30559vi9zs2e0.exe        51bspywa5ez960.dll       66c5szea91989.exe       99057spamb5t5z8.cpl
1021spy6z95.dll          20834zro9559.bin          3057hack5zol594.dll      51z5worm729.exe          6840zte9l1531.exe       9909hazktool5a75.dll
10931hack5ooz675.cpl     20921hackt5olz519.dll     3063z9ot-a-viru5246.cpl  525zsp9ware2813.exe      6955troj413z.exe        9939addware5z31.ocx
10997s9zmbo536a.bin      21474s9azbot1805.dll      30853n9t-a-virus2z6.bin  5275z5rus28e9.ocx        6969ha59tozl35c.bin     99535zambot1d6.ocx
1153downl9ader15z5.ocx   21489viruz458.ocx         30995wzrm78f5.bin        529baddzare1799.dll      6990ba5kdoor1592z.bin   9967viru557z.cpl
11885spy6z9.exe          222z5vi9us2e.exe          31186not-a9viruz56a.exe  53019hizf1657.exe        6a59backdoo53z71.ocx    99dvz51264.bin
11994zpy6995.cpl         22354t9ojz40.exe          31597tzo5307.bin         532ddzwnlo9der9455.exe   6a96bazkdoor1548.ocx    9e85azdware1980.dll
11a5tzief9577.exe        2242zv95us53e.dll         3159znot-a5virus311.bin  53da9dwzre919.ocx        6abdth9ea52z975.exe     9ea2adzwar51001.dll
11b9do5nloader8z9.ocx    2259thre9t23z15.cpl       316z5py9b6.bin           53e0spy9arez88.bin       6b39tzief15289.bin      9fe2threat1594z5.exe
12181spam59t40fz.bin     22730viz9s752.dll         317z9t59j3ec.bin         5401z9roj2c8.bin         6d829hreat18z55.cpl     9z71spyware3549.cpl
124fba9kdo5r21z9.dll     22855ot-a-viruz996.cpl    319129ot-z-v5rusf1.dll   5406t5reat99z9.cpl       6dc5vir199z5.cpl        Fonts
126zst9al3563.bin        22962n9t-a5virus5z8.exe   326z9spam5o96a.exe       5479addz5re9806.ocx      6e5zspyware609.dll      af8bac9door45z.cpl
13211not-z-5i9us22c.exe  22z5sp9ware2229.dll       3279zir5334.cpl          5490azdware2987.ocx      6fc4sp9rsez567.bin      b99a9dwarz12325.bin
134z7spy65c9.ocx         2300zvirus3539.ocx        358edzwnloader559.ocx    54e9addware276z.ocx      6fe9azdware656.dll      c53ste5z1999.exe
13951zpambo965c.ocx      23169vi5uz4d0.cpl         3655add9are484z.cpl      5505sz9598.ocx           6ffcad5w9ze1283.ocx     command
13999szy565.cpl          23419spy93z5.bin          3836ste5l2939z.exe       5535tr9z5f6.cpl          6z92thie91415.cpl       d5th5ef3z699.bin
13a1downzoad9r552.ocx    23614sz95bot213.bin       39356szy3a4.cpl          556z9virus60f9.dll       70125teal9871z.cpl      d84a9dw5re12z4.bin
13z81virus9c65.ocx       236265roj9cz.cpl          3937tzreat15257.dll      5576spyz9re1893.dll      7112s5ywar92z10.cpl     e83thzeat92595.cpl
14297h5cktzol55f.bin     243599orz89.ocx           3990downlo5derz379.exe   559bbackzoo92090.exe     71589dzwar52331.ocx     explorer.exe
14397tr59z75.dll         245ezd9war52996.dll       3992thzef22635.ocx       559bzparse519.ocx        718ebaz9door3255.exe    f849hrea522z45.ocx
14449zpa5bot7ab9.exe     2471haz5to9l588.dll       3a2zbackdo9r2584.exe     559fthiefz9035.dll       7266szambot985.cpl      facthi592z03.exe
1496659cztool658.ocx     247245orm9z1.exe          3b27do9nzoad5r2900.exe   55cet95zat14619.ocx      7385tro93z6.ocx         hh.exe
1498zwo9m75.exe          24756hack5ool60z9.exe     3b97st95z1096.ocx        568znot-9-virus53.bin    7439thre5t845z.dll      inf
1503959zm386.bin         24932not-a5virzs364.ocx   3c51tzie59109.ocx        56z95teal1552.cpl        749znot-9-virus65d.exe  notepad.exe
15057vi5uz598.bin        250109roz1ad.bin          3c59virz524.bin          572559izus4ad.ocx        755cad9warez22.exe      regedit.exe
15069sp5mbot5bz.cpl      2512szamb9t599.cpl        3e0bback5oo92z17.exe     5738th95fz670.ocx        75sz5wa9e1061.cpl       system
15495hiez739.ocx         2535thie91z22.exe         3e35back9oo51z50.dll     57649irus655z.cpl        774abazkd5or2509.bin    system.ini
15733z9oj658.bin         255509pambot451z.dll      3e9cspywzr915695.cpl     5913addware164z.ocx      7793no5-a-virus47z.bin  system32
15795tzo59e.cpl          25556h9zktool7b.dll       3ea9addwar5955z.ocx      593addwaze1634.ocx       7899zir1965.dll         temp
15942zi9us3ea.cpl        25638v9rusz3b.dll         3f245pz9se2680.cpl       5952addwarz543.ocx       78z95parse730.bin       twain.dll
15963vir5s98z.dll        25799spz155.bin           3z1315py292.dll          5952spyware2920z.bin     7959thiez1492.exe       twain_32.dll
15c69ac5dooz664.dll      25986not-a-virus197z.bin  3z490s5y1d6.ocx          59749viruz2fd.ocx        796dth5zf912.dll        win.ini
15c89pyware42z.cpl       25997hazktoo56b5.exe      3z522not-a-9iru5241.bin  5992h5cktool5z4.cpl      797z5teal2099.exe       winhelp.exe
15e9bz5kdoor60.ocx       25fcsparse2978z.bin       3z550s9ambot728.bin      5993trzj78.ocx           7a9cbac5d9or52z.exe     winhlp32.exe
15z66sp9mbo54b3.ocx      25z975o9m7da.cpl          3z6bth9e5t21037.ocx      5996spam9ot2cdz.ocx      7ca9bac9dooz455.ocx     winsxs
161429ot-a-5izus5c3.ocx  263439ot-a5virus787z.ocx  3z977hac5tool6e6.ocx     59zbsteal1865.bin        7d95szywa592221.bin     z0186sp9mbot4955.dll
16595zorm391.ocx         26408wormz595.bin         40aes9zware1385.exe      5a1d5wnl9ader9z.ocx      7dd6spa5s9283z.dll      z105spamb9t34a.ocx
16889h5cktozl5e9.exe     26511trz978d.cpl          40z1add5are2915.exe      5a85spyz9re2594.cpl      7e00szywar511649.bin    z11t9ief26235.cpl
169055irus77z.bin        26593nzt-9-virus551.ocx   4157spazbot69f.exe       5ab2d9wnloazer3275.bin   7e87add5are6z69.cpl     z128spyw5re1597.exe
16z55vi9us52a.bin        275z0vir9s154.dll         41b5stz9l2765.ocx        5b5csz5al9182.bin        7z6bt9ief13935.cpl      z180no9-a-v5rus5f.dll
16z75not-9-virus10a.bin  2783695rzs357.dll         41s5yz0e9.bin            5c0d5ze9l2482.bin        7z835orm9a7.cpl         z1891n5t-a-virus6a9.ocx
172375ot-a-vizus59c.ocx  27950hazktool19.exe       439avi528z.dll           5cdzvir1987.ocx          7za79ir2765.cpl         z19bth9ef535.cpl
174629izus2625.bin       27z095y536.cpl            44eespa5s92993z.bin      5d0szy9are2266.dll       7ze7do5nload9r2288.cpl  z2574v9rus164.ocx
178z7t9oj35f.ocx         27z42wor954b.exe          4525addware20z9.ocx      5d3adzware15819.dll      7zfd9h5eat10625.bin     z3786vi5us795.dll
1827znot-a-9irus2c5.dll  281859py6b2z.exe          45z69h5eat16198.cpl      5dz59parse1345.dll       8190not-a-v5zus584.cpl  z411back5oo9509.exe
1835zspambot9f4.exe      29394trzj765.exe          4787vir9156z.exe         5e95thief1595z.bin       830spzw5re9819.ocx      z45aspar9e1960.dll
18763not-z-5irus9d4.exe  2950virz263.bin           482baddwar9z35.cpl       5ec8zteal19195.cpl       8991not-az5irus777.exe  z4760virus795.dll
19035szamb9t39b.ocx      2959159rz69e.bin          48e1backdoo9548z.cpl     5fe5thief609z.ocx        8f35ir19z6.exe          z5437tro59b8.ocx
1928notz5-virus9b9.bin   295fvir2159z.cpl          4934v9ru51z6.dll         5z059py5d5.exe           8z03h9ckto5lb8.ocx      z589vir1026.ocx
193eb5ckdooz199.exe      2968spa5b9t3z1.exe        496zstea52743.dll        5z15vir1599.cpl          90502worm9z.dll         z5977virus42f.ocx
19656spzmbo5370.bin      29718h9ck5ool6z9.cpl      4994vzrus351.dll         5z6es9ywa5e2473.exe      90dfdownloaderz655.dll  z59c5ir2311.exe
1974159t-a-virus3z7.cpl  29731not9a-v5rzsaa.bin    49ef9ddwzr52469.exe      5z93down5oader2997.dll   915zspambot1925.cpl     z5d2spyware1019.dll
1a39pa5sz1694.bin        298aspar59583z.cpl        4a9fbackdoor31z85.bin    5zdedownloa5e92489.cpl   923955py35cz.exe        z638thi9f9205.ocx
1a4d9ir5z75.dll          29aaszar5e9155.ocx        4b49a5dware1963z.ocx     6072bac95oorz81.dll      92575vizus50d.bin       z6659troj253.exe
1a53zhi9f1804.cpl        29z39no5-a-virus770.cpl   4df3stz9l1450.bin        60b5zhreat12719.dll      92b2downloaderz975.ocx  z6739s5y409.exe
1bbb9pyzare2585.ocx      2b69thie5z438.exe         4e7bdo5n9oazer3194.cpl   6369download5r3002z.exe  935z6spy59.cpl          z6cat5re9t11507.cpl
1c05back9ooz3081.ocx     2dfzthi5f9798.bin         4ezbv9r1056.exe          6373h5c9tooz4c4.ocx      95039worm598z.cpl       z981virus775.cpl
1caes9zrse597.dll        2ecaadz5are9921.bin       4z74s5eal15859.exe       63c6t5ief9z4.dll         95693viruszfc.ocx       zf63downl5ade9872.cpl
1e4dzwnl5ader1090.cpl    2z153not-a5virus55c9.exe  4zfbspar953252.exe       6533s95mboz18f.bin       9573zs5y6b8.cpl
1ebcs5zal994.bin         2z465hi9f1035.bin         50329zacktool792.bin     65409zdware2155.dll      9580zr9j790.dll
1edfsp5war9z38.exe       2z529worm699.dll          504z9virus429.cpl        6599troj3fez.bin         95cvzr689.ocx

Last edited by jomen; 10-29-2009 at 05:52 AM.
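Added example, not part of jomen's post: a small Python script that parses a `top` listing like the one above and flags wine-hosted processes whose executable lives in a Windows temp directory, which is exactly what the `geo6692.tmp.exe` line shows. The process listing is copied from the post; the "temp directory" heuristic and the function names are my own choice, not anything wine or top provides.

```python
import re
from typing import List, Optional, Tuple

# Process listing copied from the top output in the post above (trailing whitespace trimmed).
SAMPLE_TOP = r"""
 2880 jochen     1   0  5176 2476  620 S  0.0  0.3   0:01.23 /usr/bin/wineserver
 2884 jochen     1   0 1557m 2796 2140 S  0.0  0.3   0:00.02 C:\windows\system32\services.exe
 2886 jochen     1   0 1557m 3096 2368 S  0.0  0.3   0:00.02 C:\windows\system32\winedevice.exe MountMgr
 2898 jochen     1   0 1567m 8508 5856 S  0.0  0.9   0:00.23 C:\windows\system32\explorer.exe /desktop
 2906 jochen     1   0 1572m  11m 7608 S  0.0  1.3   0:03.76 C:\windows\temp\geo6692.tmp.exe
 2966 jochen     6   0  2476 1144  876 R  0.0  0.1   0:00.14 top
""".strip("\n")

# A command that starts with a drive letter is one wine is running on behalf of a Windows binary.
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_top(text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, user, command) for every process line of a `top` listing.

    top prints 12 columns; the COMMAND column is the remainder of the line and may
    contain spaces (e.g. "winedevice.exe MountMgr"), so we split at most 11 times.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 11)
        if len(parts) < 12 or not parts[0].isdigit():
            continue  # header, blank or truncated line
        rows.append((int(parts[0]), parts[1], parts[11]))
    return rows


def why_suspicious(command: str) -> Optional[str]:
    """Return a reason if the Windows-side command looks like a dropped executable, else None.

    Heuristic (my assumption, not a wine feature): legitimate wine components live under
    system32, while a scareware dropper is typically written to and started from \temp.
    """
    if not WIN_PATH.match(command):
        return None  # native Linux process such as wineserver or top itself
    exe = command.split(" ")[0].lower()  # drop arguments like "/desktop" or "MountMgr"
    directory, _, basename = exe.rpartition("\\")
    if "\\temp" in directory:
        return "runs from a temp directory"
    if basename.endswith(".tmp.exe"):
        return "temp-file name with .exe appended"
    return None


def find_suspicious(text: str) -> List[Tuple[int, str, str]]:
    """Scan a top listing and return (pid, command, reason) for each flagged process."""
    hits = []
    for pid, _user, command in parse_top(text):
        reason = why_suspicious(command)
        if reason:
            hits.append((pid, command, reason))
    return hits


if __name__ == "__main__":
    for pid, command, reason in find_suspicious(SAMPLE_TOP):
        print(f"PID {pid}: {command}  <-- {reason}")
```

On a live system the same function can be fed the output of `top -b -n 1` (batch mode, one iteration); the flagged PID is the one to inspect or kill, and as jomen notes the durable fix is removing `~/.wine` rather than reinstalling wine.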
 
Old 10-29-2009, 08:30 AM   #17
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Are you running as root, by any chance?
 
Old 10-29-2009, 09:08 AM   #18
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Had clamav check the ~/.wine directory - it reported nothing.
It is just nagware for me then. The real malware comes later maybe - when you install the product they want to sell to you.
Or they just want to sell and do no further harm.
No virus here.
 
Old 10-29-2009, 09:52 AM   #19
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Those executables say that it's going to do something...maybe set you up to send out spam for them.
 
Old 10-29-2009, 09:59 AM   #20
CrashedAgain
Member
 
Registered: Jan 2004
Posts: 307

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by Jim Bengtson
Are you running as root, by any chance?
No, running as user. The only thing that might have aided an auto-starting .exe is that I have set the properties of .exe files to select wine as the "open with" program ...but the user must still confirm to start it. It does make it easier to accidentally start one though.

jomen: No the windows programs are clean versions, not pirates.

Basically what you describe is what happened to me although I did not knowingly actively start the downloaded file. Your windows directory looks similar to mine....the numbers on the files are different but they are probably auto-generated.

Yes, at this point it appears to be nagware only.

Sorry, my mistake in terminology....what I actually meant by "R & R wine" was remove the .wine directory and do a clean install of the wine apps.

Jim's new post is right, all those exe's mean that it is going to try to do something.
 
Old 10-29-2009, 10:13 AM   #21
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Quote:
Jim's new post is right, all those exe's mean that it is going to try to do something.
Yes, very probably.
As mentioned implicitly: one of them managed to open a new browser window where I was invited to end all my problems by buying the software from them.
But I'm certain that none of these programs are ever run "just like that" - say like auto-start.
No way for this to happen.
Removal of ~/.wine will get rid of anything - it's like the (in)famous reinstall in windows.
 
Old 10-29-2009, 10:54 AM   #22
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
It looks like they mangled the filenames so as to make it impossible to detect by a filename search:

Quote:
16z75not-9-virus10a.bin, 172375ot-a-vizus59c.ocx, 1827znot-a-9irus2c5.dll, 18763not-z-5irus9d4.exe
But if you look at the examples above, they all seem to have "not-a-virus" as part of the original filename. Google "*not-a-virus*.*" and you find this entry:

Quote:
not-a-virus:AdWare.Win32.Mirar.d
http://www.viruslist.com/en/viruses/...virusid=108890

This non-malicious advertising program installs Mirar Toolbar in Internet Explorer.

It is a Windows PE EXE file. It is written in Microsoft Visual C++. It is not packed in any way. The file is 376,832 bytes in size. The size of the file which is installed may vary.
Can you find any sign of this on your computer?
 
Old 10-29-2009, 12:37 PM   #23
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
File Analysis

I copied your list of files into a spreadsheet and did some analysis of the filenames. They are mangled, but if you look at them carefully you can often piece together key parts of the original filename:
  • addware: occurs 24 times
  • backdoor: 21 times (Win32.Backdoor.TDSS?)
  • downloader: 19 times
  • dwarz?: 5 (ns3.dwarz.nl, ns4.dwarz.nl - DNS servers)
  • hacktool: 24 (Hacktool.Rootkit)
  • not-a-virus: 27 ("not-a-virus:FraudTool.Win32.Agent.aih")
  • spambot: 26 (Trojan-Mailer.Win32.Spambot)
  • sparse: 7 (Sparse.3840.a)
  • spy: 16
  • spyware: 20
  • steam: 11 (PWS:Win32/Steam.C)
  • thief: 12 (Trojan.Dropper.Thief.Magania.ahor)
  • threat?: 6
  • trojan: 12
  • Unknown: 91
  • virus: 27
  • worm: 11

However you want to look at it, this is a nasty collection of malware.
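Added example, not from Jim's post or the thread: the "piece together the original filename" step can be automated with an approximate substring search (Sellers' variant of the Levenshtein distance, which lets a match start anywhere in the name). The keyword stems, the edit budget of roughly one edit per three characters, and the tie-break rule (longer stem wins, so `not-a-virus` beats the `virus` inside it) are my own assumptions; the sample names are copied from the `ls` listing earlier in the thread.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Keyword stems to look for; chosen by me from the listing (an assumption, not a signature set).
KEYWORDS = [
    "not-a-virus", "downloader", "backdoor", "hacktool", "spambot", "spyware",
    "addware", "sparse", "threat", "virus", "steal", "thief", "troj", "worm", "spy",
]

# A few names copied from the ~/.wine/drive_c/windows listing above, plus two normal entries.
SAMPLE_NAMES = [
    "9909hazktool5a75.dll", "16z75not-9-virus10a.bin", "95z34worm3cc.exe",
    "6abdth9ea52z975.exe", "1153downl9ader15z5.ocx", "5d0szy9are2266.dll",
    "11885spy6z9.exe", "9939addware5z31.ocx", "6955troj413z.exe",
    "Fonts", "explorer.exe",
]


def min_substring_distance(pattern: str, text: str) -> int:
    """Smallest Levenshtein distance between `pattern` and any substring of `text`.

    Sellers' algorithm: the first DP row is all zeros, so a match may begin at any
    text position, and the answer is the minimum of the last row.
    """
    prev = [0] * (len(text) + 1)
    for i, p in enumerate(pattern, start=1):
        cur = [i] + [0] * len(text)
        for j, t in enumerate(text, start=1):
            cost = 0 if p == t else 1
            cur[j] = min(prev[j] + 1,          # pattern character dropped
                         cur[j - 1] + 1,       # extra text character skipped
                         prev[j - 1] + cost)   # match or substitution
        prev = cur
    return min(prev)


def allowed_edits(keyword: str) -> int:
    """Edit budget: about one edit per three keyword characters (my assumption)."""
    return max(1, len(keyword) // 3)


def classify(filename: str) -> Tuple[str, Optional[int]]:
    """Return (keyword, distance) for the best stem found in the name, or ("unknown", None).

    Longer stems outrank shorter ones; among equal lengths the closer match wins.
    """
    stem = filename.lower().rsplit(".", 1)[0]   # strip the extension
    best = None
    for kw in KEYWORDS:
        d = min_substring_distance(kw, stem)
        if d <= allowed_edits(kw):
            rank = (len(kw), -d)
            if best is None or rank > best[0]:
                best = (rank, kw, d)
    if best is None:
        return "unknown", None
    return best[1], best[2]


def summarize(names: List[str]) -> Dict[str, int]:
    """Tally how many names fall under each stem, like the count in the post above."""
    return dict(Counter(classify(n)[0] for n in names))


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:28} -> {classify(name)}")
    print(summarize(SAMPLE_NAMES))
```

The stems are only a triage aid: as the next reply says, a name tells you nothing about what the file actually does, so a hit here is a reason to hash and scan the file, not a verdict.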
 
Old 10-29-2009, 01:08 PM   #24
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
an almost literal translation of a German saying:
"names are shadows and dust" - and tell nothing of the content

I'm not the OP and got me the "infection" for the fun of it - two times even
But I ran a virus scanner over it - which I built and installed specifically for this purpose.
clamav was used.
I did not have one before and don't intend to keep using it.

It reported *nothing*

While they _still_ may indeed be dangerous they nevertheless will not do anything unless they are explicitly started.
It is like windows - but it is not windows. Just having those files is not dangerous - running them may be.
I suppose you could take a Ubuntu live CD where the same wine is available and see and study the infection for yourself.
For me it was no infection in the sense that I somehow caught it by accident or by a flaw in the OS - I cut myself on purpose and it was not _that_ easy. I was not really sick, either

Last edited by jomen; 10-29-2009 at 01:14 PM.
 
Old 10-29-2009, 03:34 PM   #25
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
While they _still_ may indeed be dangerous they nevertheless will not do anything unless they are explicitly started.
It is like windows - but it is not windows. Just having those files is not dangerous - running them may be.
I suppose you could take a Ubuntu live CD where the same wine is available and see and study the infection for yourself.
For me it was no infection in the sense that I somehow catched it by accident or by a flaw in the OS - I cut myself on purpose and it was not _that_ easy. I was not really sick, too
Perhaps I gave the impression that I was criticizing you...if so, forgive me. What I had intended to convey was the appreciation of the fact that, had the OP been running Windows instead of just Wine, his computer would be one ill machine indeed. That's the advantage of NOT running Windows (not to say that Linux is invulnerable to all malware...just MOST malware).
 
Old 10-29-2009, 04:04 PM   #26
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Quote:
Perhaps I gave the impression that I was criticizing you..

no you didn't!
And even if you were (or I perceived it so) - why not?
No need to apologize for things I might perceive - or for what you mean.

But I did not get quite right what you wanted to convey either...
And you are right with that.

Last edited by jomen; 10-29-2009 at 04:09 PM.
 
  


All times are GMT -5. The time now is 03:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration