
Thread: installed a program under wine, clamav reports Win.Trojan.Ramnit

  1. #1
    Join Date
    Aug 2013
    Beans
    161

    installed a program under wine, clamav reports Win.Trojan.Ramnit

    I made a mistake: I installed a windoze program in wine that's basically a GUI to bootstrap; the program was called Mobirise. Then, when I ran a check I do anytime I install anything, clamav detected 2 trojans:

    /home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND
    /home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5WebKit.dll: Win.Trojan.Ramnit-6196 FOUND

    Does anybody know about Win.Trojan.Ramnit?? and could that conceivably be dangerous to ubuntu 14.4 when installed with wine?? I immediately uninstalled it, deleted the ~/.wine folder, then uninstalled and reinstalled wine with synaptic. But since I had briefly tested Mobirise I freaked!

    Is there any chance of malware having been installed on my system through that? The install of Mobirise in wine never involved the use of sudo, but I wonder if there's any chance of my normal user having been compromised with a keylogger or some other crap.

    And if anybody has specific info on what Win.Trojan.Ramnit is and what it's designed to do, please tell me! I have done quite a lot of searching on it but haven't managed to get any specific info about it.

    Thanks in advance!!

    Ubuntu Studio 14.4 Trusty 64 bit

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,693
    Distro
    Kubuntu Development Release

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    If you removed ~/.wine I don't think you have much to worry about. Writers of malware for Windows don't expect their software to be running in an environment like wine.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.


  3. #3
    Join Date
    Aug 2013
    Beans
    161

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    Thanks SeijiSensei. I probably worried too much about it.

    Do you happen to know anything about Win.Trojan.Ramnit by any chance, what it is designed to do?? A lot of people here seem to know quite a bit about other systems too. Maybe you have had occasion to deal with windows trojans? I've almost no experience with windows, having made the switch from a strictly mac history.
    Last edited by a-you; January 8th, 2016 at 01:16 PM.

  4. #4
    maglin2 is offline Gee! These Aren't Roasted!
    Join Date
    Feb 2014
    Beans
    169

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    Lots of info on ramnit about. Here is one link https://nakedsecurity.sophos.com/201...iminals-grasp/ Note also though that clamav does report false positives sometimes. You could try submitting the detected files to virustotal to see if any other AV thinks they are infected. https://www.virustotal.com/
    Last edited by maglin2; January 8th, 2016 at 05:44 PM. Reason: add virustotal comment
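
Added example, not part of the original post: a shell helper that reads clamscan output, picks out each `FOUND` line (including paths with spaces such as `Program Files (x86)`), and prints the file's SHA-256 with the signature name, so a detection can be cross-checked by hash. The names `clam_found_hashes` and `clam_demo` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn clamscan "FOUND" lines into "sha256<TAB>signature<TAB>path".
# clam_found_hashes is a hypothetical helper name, not a ClamAV tool.
clam_found_hashes() {
    # Reads clamscan output on stdin. Detection lines look like:
    #   /path/with spaces/file.dll: Win.Trojan.Ramnit-6068 FOUND
    while IFS= read -r line; do
        case "$line" in
            *" FOUND") ;;
            *) continue ;;               # skip OK lines and the scan summary
        esac
        rest=${line% FOUND}              # drop the trailing " FOUND"
        sig=${rest##*: }                 # text after the last ": " is the signature
        path=${rest%: *}                 # everything before the last ": " is the path
        if [ -f "$path" ]; then
            hash=$(sha256sum -- "$path" | cut -d' ' -f1)
        else
            hash="MISSING"               # file already deleted or quarantined
        fi
        printf '%s\t%s\t%s\n' "$hash" "$sig" "$path"
    done
}

clam_demo() {
    # Constructed sample: a harmless file in a path shaped like the one in the thread.
    d=$(mktemp -d)
    mkdir -p "$d/Program Files (x86)/App"
    printf 'hello' > "$d/Program Files (x86)/App/Qt5Core.dll"
    printf '%s\n' \
        "$d/Program Files (x86)/App/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND" \
        "$d/Program Files (x86)/App/other.dll: OK" \
        "$d/gone.dll: Win.Trojan.Ramnit-6196 FOUND" | clam_found_hashes
    rm -rf "$d"
}

clam_demo
```

In real use, pipe the scan into it, for example `clamscan -r ~/.wine | clam_found_hashes`, before deleting the flagged files.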

  5. #5
    Join Date
    Aug 2013
    Beans
    161

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    Ah, because I was searching for the whole name "Win.Trojan.Ramnit" but true, lots of info about ramnit. Thanks for that.

    I'm still freaking about this because everything on ramnit says it tries to steal bank info! Does anybody know if ramnit can do anything on a linux system??

    In case anybody else has this bizarre experience it appears that those were likely false positives. One has definitely been reported as a false positive (Qt5WebKit.dll) and the other seems related enough that it perhaps should be considered to be false too.

    Some info:
    https://www.dropboxforum.com/hc/en-u...-Qt5Webkit-dll
    https://community.spiceworks.com/top...dll-as-rootkit
    Last edited by howefield; January 16th, 2016 at 12:56 AM.

  6. #6
    Join Date
    Jun 2005
    Beans
    Hidden!

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    Hi, I had something similar a few months back and I contacted Wine myself to be sure.
    Risks


    11.1. Wine is malware-compatible

    Just because Wine runs on a non-Windows OS doesn't mean you're protected from viruses, trojans, and other forms of malware.
    There are several things you can do to protect yourself:


    • Never run executables from sites you don't trust. Infections have already happened.
    • In web browsers and mail clients, be suspicious of links to URLs you don't understand and trust.
    • Never run any application (including Wine applications) as root (see above).
    • Use a virus scanner, e.g. ClamAV is a free virus scanner you might consider using if you are worried about an infection; see also Ubuntu's notes on how to use ClamAV. No virus scanner is 100% effective, though.
    • Removing the default Wine Z: drive, which maps to the unix root directory, is a weak defense. It will not prevent Windows applications from reading your entire filesystem, and will prevent you from running Windows applications that aren't reachable from a Wine drive (like C: or D:). A workaround is to copy/move/symlink downloaded installers to ~/.wine/drive_c before you can run them.
    • If you're running applications that you suspect to be infected, run them as their own Linux user or in a virtual machine (the ZeroWine malware analyzer works this way).



    11.2. How good is Wine at sandboxing Windows apps?

    Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
    You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.
    Note that the winetricks sandbox verb merely removes the desktop integration and Z: drive symlinks and is not a true sandbox. It protects against errors rather than malice. It's useful for, e.g., keeping games from saving their settings in random subdirectories of your home directory.
    From here: http://wiki.winehq.org/FAQ
    Maybe Helpful to others.
    Here is my old thread http://ubuntuforums.org/showthread.php?t=2280054
    They all turned out to be false positives
    Regards
    Last edited by QDR06VV9; January 17th, 2016 at 02:48 AM. Reason: spell
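
Added example, not part of the original post or of Wine: a shell function that lists which drive letters in a Wine prefix resolve to paths outside the prefix, such as the default Z: mapping to the unix root that the FAQ text mentions. The names `wine_exposed_drives` and `wine_demo` are hypothetical, and the sample prefix is constructed; as the FAQ says, removing such a mapping is a weak defense and not a sandbox.

```shell
#!/bin/sh
# Added example: report Wine drive letters that point outside the prefix.
# wine_exposed_drives is a hypothetical helper name, not part of Wine.
wine_exposed_drives() {
    # $1 = Wine prefix (defaults to ~/.wine); drive letters are symlinks
    # under <prefix>/dosdevices, e.g. "c:" -> ../drive_c and "z:" -> /
    prefix=$(readlink -f -- "${1:-$HOME/.wine}") || return 2
    [ -d "$prefix/dosdevices" ] || return 2
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || continue
        case "$target/" in
            "$prefix"/*) ;;                          # stays inside the prefix
            *) printf '%s -> %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

wine_demo() {
    # Constructed sample prefix: c: inside the prefix, z: and d: outside it.
    t=$(mktemp -d)
    mkdir -p "$t/prefix/dosdevices" "$t/prefix/drive_c" "$t/outside"
    ln -s ../drive_c "$t/prefix/dosdevices/c:"
    ln -s / "$t/prefix/dosdevices/z:"
    ln -s "$t/outside" "$t/prefix/dosdevices/d:"
    wine_exposed_drives "$t/prefix"
    rm -rf "$t"        # removes the symlinks themselves, never their targets
}

wine_demo
```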

  7. #7
    Join Date
    Jan 2016
    Beans
    4

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    I have had this experience and you're right, they were false positives.

  8. #8
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    872
    Distro
    Ubuntu

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    Quote, originally posted by a-you:
    I'm still freaking about this because everything on ramnit says it tries to steal bank info! Does anybody know if ramnit can do anything on a linux system??
    In wine yes. In linux no.
    If you're still worried, then change your bank password. If they managed to get your password then if you change it there won't be any more issues.
    Knock knock.
    Race condition.
    Who's there?

  9. #9
    Join Date
    Aug 2013
    Beans
    161

    Re: installed a program under wine, clamav reports Win.Trojan.Ramnit

    I'll mark this solved because it really seems likely that they were false positives.
