installed a program under wine, clamav reports Win.Trojan.Ramnit

**a-you** · January 7th, 2016

I made a mistake: I installed a ******* program in wine that's basically a GUI to bootstrap; the program was called Mobirise. Then when I ran a check I do anytime I install anything clamav detected 2 trojans:

/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND
/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5WebKit.dll: Win.Trojan.Ramnit-6196 FOUND

Does anybody know about Win.Trojan.Ramnit?? and could that conceivably be dangerous to ubuntu 14.4 when installed with wine?? I immediately uninstalled it, deleted the ~/.wine folder, then uninstalled and reinstalled wine with synaptic. But since I had briefly tested Mobirise I freaked!

Is there any chance of malware having been installed on my system through that? The install of Mobirise in wine never involved the use of sudo, but I wonder if there's any chance of my normal user having been compromised with a keylogger or some other crap.

And if anybody has specific info on Win.Trojan.Ramnit is and what it's designed to do please tell me! I have done quite a lot of searching on it but haven't managed to get any specific info about it.

Thanks in advance!!

Ubuntu Studio 14.4 Trusty 64 bit

**SeijiSensei** · January 8th, 2016

If you removed ~/.wine I don't think you have much to worry about. Writers of malware for Windows don't expect their software to be running in an environment like wine.

**a-you** · January 8th, 2016

Thanks SeijiSensei. I probably worried too much about it.

Do you happen to know anything about Win.Trojan.Ramnit by any chance, what it is designed to do?? A lot of people here seem to know quite a bit about other systems too. Maybe you have had occasion to deal with windows trojans? I've almost no experience with windows, having made the switch from a strictly mac history.

**maglin2** · January 8th, 2016

Lots of info on ramnit about. Here is one link https://nakedsecurity.sophos.com/201...iminals-grasp/ Note also though that clamav does report false positives sometimes. You could try submitting the detected files to virustotal to see if any other AV thinks they are infected. https://www.virustotal.com/

**a-you** · January 9th, 2016

Ah, because I was searching for the whole name "Win.Trojan.Ramnit" but true, lots of info about ramnit. Thanks for that.

I'm still freaking about this because everything on ramnit says it tries to steal bank info! Does anybody know if ramnit can do anything on a linux system??

In case anybody else has this bizarre experience it appears that those were likely false positives. One has definitely been reported as a false positive (Qt5WebKit.dll) and the other seems related enough that it perhaps should be considered to be false too.

Some info:
https://www.dropboxforum.com/hc/en-u...-Qt5Webkit-dll
https://community.spiceworks.com/top...dll-as-rootkit

**QDR06VV9** · January 11th, 2016

Hi i had something similar a few months back and I contacted Wine myself to be sure.

Risks

11.1. Wine is malware-compatible

Just because Wine runs on a non-Windows OS doesn't mean you're protected from viruses, trojans, and other forms of malware.
There are several things you can do to protect yourself:

Never run executables from sites you don't trust. Infections have already happened.
In web browsers and mail clients, be suspicious of links to URLs you don't understand and trust.
Never run any application (including Wine applications) as root (see above).
Use a virus scanner, e.g. ClamAV is a free virus scanner you might consider using if you are worried about an infection; see also Ubuntu's notes on how to use ClamAV. No virus scanner is 100% effective, though.
Removing the default Wine Z: drive, which maps to the unix root directory, is a weak defense. It will not prevent Windows applications from reading your entire filesystem, and will prevent you from running Windows applications that aren't reachable from a Wine drive (like C: or D. A workaround is to copy/move/symlink downloaded installers to ~/.wine/drive_c before you can run them.
If you're running applications that you suspect to be infected, run them as their own Linux user or in a virtual machine (the ZeroWine malware analyzer works this way).

11.2. How good is Wine at sandboxing Windows apps?

Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.
Note that the winetricks sandbox verb merely removes the desktop integration and Z: drive symlinks and is not a true sandbox. It protects against errors rather than malice. It's useful for, e.g., keeping games from saving their settings in random subdirectories of your home directory.

Form Here http://wiki.winehq.org/FAQ
Maybe Helpful to others.
Here is my old thread http://ubuntuforums.org/showthread.php?t=2280054
They all turned out to be false positives
Regards

**Shane_Mundee** · January 16th, 2016

I have had this experience and you're right, they were false positives.

**bashiergui** · January 17th, 2016

Originally Posted by a-you

I'm still freaking about this because everything on ramnit says it tries to steal bank info! Does anybody know if ramnit can do anything on a linux system??

In wine yes. In linux no.
If you're still worried, then change your bank password. If they managed to get your password then if you change it there won't be any more issues.