[ubuntu] Wine And Windows Malware

Reg Editor
May 9th, 2008, 10:08 PM
If Wine is used to open an .exe file that contains malware, can it do any harm?

May 9th, 2008, 10:09 PM
Highly unlikely :)

May 9th, 2008, 10:21 PM
A little while ago, Matt Moen wrote an article on linux.com (full article here (http://www.linux.com/feature/42031)) documenting an experiment in which he intentionally tried to run several popular Windows viruses using Wine. In short, they all failed miserably to do any real damage. Linux simply lacks the shoddy programming and poorly-thought-out implementations that make Windows so susceptible to nastiness. :)

May 10th, 2008, 05:26 AM
If Wine is used to open an .exe file that contains malware, can it do any harm?

That depends on your definition of harm. They can certainly cause problems for other people.

See my post here: http://ubuntuforums.org/showthread.php?t=781357

The Cog
May 10th, 2008, 12:01 PM
It depends on what the malware is trying to do. Wine isn't close enough to Windows for most viruses to be able to do their normal infection tricks. But malware that isn't so closely tuned to Windows specifics might be able to do bad things. For instance, a trojan that scans files for credit card details while playing a game might have a good chance of working normally (by default Wine maps Z: to / so the whole Linux filesystem is there to spy on).
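The Z: mapping The Cog mentions is recorded as a plain symlink inside the Wine prefix, so it can be inspected and removed from the shell. The script below is an added example and is not from this thread or from the Wine project; it assumes Wine's `dosdevices` layout (one `letter:` symlink per drive) and builds a constructed prefix in a temp directory rather than touching a real `~/.wine`.

```shell
#!/bin/sh
# Added example (not from this thread): list the host paths a Wine prefix exposes
# as drive letters. Wine records each drive as a symlink in $WINEPREFIX/dosdevices,
# e.g. "c:" -> ../drive_c and, by default, "z:" -> / (the whole host filesystem).
# The demo prefix built below is constructed in a temp dir; it is not a real Wine install.

# Print "letter -> target" for every drive symlink in the prefix.
list_wine_drives() {
    prefix="${1:-$HOME/.wine}"
    for link in "$prefix"/dosdevices/[a-z]:; do
        [ -L "$link" ] || continue
        printf '%s -> %s\n' "$(basename "$link")" "$(readlink "$link")"
    done
}

# Print the letters of drives that map straight to the host root directory.
root_mapped_drives() {
    prefix="${1:-$HOME/.wine}"
    for link in "$prefix"/dosdevices/[a-z]:; do
        if [ -L "$link" ] && [ "$(readlink "$link")" = "/" ]; then
            basename "$link"
        fi
    done
}

# Remove every drive that maps to the host root (winecfg's "Remove" on the
# Drives tab does the same thing; only the symlink goes, the host files stay).
unmap_root_drives() {
    prefix="${1:-$HOME/.wine}"
    for letter in $(root_mapped_drives "$prefix"); do
        rm -f "$prefix/dosdevices/$letter"
    done
}

# Build a constructed prefix with Wine's default c: and z: layout, for the demo.
make_demo_prefix() {
    d=$(mktemp -d)
    mkdir -p "$d/dosdevices" "$d/drive_c"
    ln -s ../drive_c "$d/dosdevices/c:"
    ln -s / "$d/dosdevices/z:"
    printf '%s\n' "$d"
}

demo=$(make_demo_prefix)
echo "Before:"; list_wine_drives "$demo"
unmap_root_drives "$demo"
echo "After:";  list_wine_drives "$demo"
rm -rf "$demo"
```

Run it against a real prefix with `list_wine_drives ~/.wine` (or whatever `WINEPREFIX` you use). Dropping Z: does not make Wine a sandbox; a Windows program can still read anything under `drive_c` and anything else you map, but it does stop the default case where `/home` and the rest of the host tree are one drive letter away.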

May 10th, 2008, 05:38 PM
No, you have nothing to worry about. Wine is a recreation of the Windows API and the vast majority of malware will try to make itself persistent by writing registry keys and/or patching a driver so it gets loaded at boot. Wine doesn't have that base structure to begin with.

There's a good reason the malware lab I work in is entirely Linux. We have VMware images of each version of Windows with tools and debuggers loaded to examine files. After all, after we infect the VM we can just roll back to a clean snapshot.

May 12th, 2008, 04:44 PM
Wine kinda runs as a sandbox for the malware. If it wants to copy itself into /system32, Wine will create /system32 and copy it in there. But deleting specific files like taskmgr.exe, or changing the registry, it can't.

May 13th, 2008, 07:55 AM
Programs CAN change registry keys through Wine!

Alex Carroll
May 13th, 2008, 01:11 PM
I have Wine make a virtual desktop, so when it's running I'll know. If malware continued to run after I shut a program down, I could just run "wineserver -k" to stop all Windows processes.

May 13th, 2008, 03:50 PM
Yes a pseudo wine registry. Linux doesn't use it so it's really not an issue.

Malware will not affect the linux system from wine. Don't PANIC

January 27th, 2009, 05:53 PM
I have been trying out carefully to find out what happens when I try to infect a machine (not my production one) with a virus when running WINE under Ubuntu Intrepid Ibex.

I downloaded a number of exe files from dubious sites in Indonesia and Brazil, where I thought I might be able to catch Conficker.

They were placed on my desktop.

I then ran Klamav and some of them were identified as infected. I trashed those, and also negated their permissions to execute in the trash file.

I don't yet know how to shred the trash file, and some say it can't be done on an ext3 system.

I tried downloading and running AVG v8 on the Windows 'machine' and though AVG started it wouldn't complete.

So unless someone knows of Windows-compatible anti-viral software that will download and run in such circumstances, I'm going back to not using WINE, and if there isn't an Ubuntu solution, do without.

But since there are at least another 16950 packages to try, I don't think I'll mind!

Agent ME
January 28th, 2009, 04:47 AM
You don't have to worry about the virus files once they're deleted and not being run. Don't worry about shredding the trash, the file won't be able to undelete itself.

Just make sure the virus program isn't still running (easiest way is to log out and log back in), and you're fine. Theoretically the virus could have edited other .exe files you have, so maybe delete those too or check that they have the same old checksum.
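Agent ME's last suggestion, checking that other .exe files still have their old checksums, only works if you recorded those checksums before running anything untrusted. The script below is an added example, not from this thread or from any project: it writes a SHA-256 baseline for every .exe under a directory and later lists the files whose contents no longer match. It assumes `sha256sum` (or `shasum`) is available and that paths contain no newlines; the sample .exe files are constructed in a temp directory.

```shell
#!/bin/sh
# Added example (not from this thread): record a checksum baseline of every .exe
# under a directory, then list the ones whose contents changed since. Run the
# baseline step before trying an untrusted program under Wine, and the check
# step afterwards. The sample files below are constructed, not real binaries.

# Prefer GNU sha256sum; fall back to perl's shasum where coreutils is absent.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Write "hash  path" lines for every .exe (any case) under $1 into the file $2.
baseline_exes() {
    find "$1" -type f -iname '*.exe' | sort | while IFS= read -r f; do
        hash_cmd "$f"
    done > "$2"
}

# Print the paths from baseline $1 whose current hash differs or that are missing.
# Both sha256sum -c and shasum -c report such lines as "path: FAILED ...".
changed_exes() {
    hash_cmd -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Build a constructed directory with two fake .exe files for the demo.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'clean editor\n' > "$d/editor.exe"
    printf 'clean game\n'   > "$d/game.exe"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
baseline_exes "$demo" "$demo/baseline.sha256"
printf 'extra bytes appended\n' >> "$demo/game.exe"   # simulate a modified binary
echo "Changed since baseline:"
changed_exes "$demo/baseline.sha256"
rm -rf "$demo"
```

Keep the baseline file outside the Wine prefix (or on read-only media) so a program running under Wine cannot rewrite it along with the binaries; the check is only as trustworthy as the baseline it compares against.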