Thursday, January 27, 2005

Linux: Wine How-to | Running Windows viruses with Wine

It just isn't fair that Windows users get all the viruses. I mean really, shouldn't Linux users be in on the fun as well? Well... thanks to the folks running the Wine project, Linux users can "catch the virus bug" too -- sort of.

Linux just isn't user-friendly when it comes to viruses. You have to work to find and run them. It doesn't happen automatically as it does with Windows. The GNU/Linux folks really should improve this glaring discrepancy.

While I have friends that collect viruses, I didn't need to bother them. I found plenty by looking through my staggering collection of bogofilter sorted mail. I apt-getted a copy of ClamAV, and after siccing it at my spam-and-other-things-I-don't-want-to-read collection, I yanked out a half-dozen unique, only Windows-compatible, viruses. That "only Windows-compatible" part was about to change.
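The sorting step above (run ClamAV over a mailbox, then pull out one copy of each distinct Windows-only detection) is the kind of thing worth scripting. The following is an added example, not code from the article or from the ClamAV project: it takes clamscan's standard `<file>: <signature> FOUND` output and lists each signature once, plus the first message that carried it. The log is a constructed sample so the script runs without clamscan or a real mail folder; the paths and signature names in it are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise a clamscan run over a mail folder.
# A real log would come from something like:
#   clamscan -r --infected ~/Mail/spam > scan.log
# The sample below is constructed so the script runs offline.

# Constructed clamscan-style output: "<file>: <signature> FOUND" lines, one
# clean file, and the summary block clamscan prints at the end.
SAMPLE_LOG='/home/me/Mail/spam/1105021300.123: Worm.Klez.H FOUND
/home/me/Mail/spam/1105021301.124: Worm.Sobig.F FOUND
/home/me/Mail/spam/1105021302.125: Worm.Sobig.E FOUND
/home/me/Mail/spam/1105021303.126: Worm.Klez.H FOUND
/home/me/Mail/spam/1105021304.127: Worm.SomeFool.D FOUND
/home/me/Mail/spam/1105021305.128: OK

----------- SCAN SUMMARY -----------
Known viruses: 30000
Scanned files: 6
Infected files: 5'

# unique_signatures: read clamscan output on stdin and print each distinct
# signature name once, sorted. Only lines ending in "FOUND" count, so clean
# ("OK") files and the summary block are ignored. LC_ALL=C keeps the sort
# order byte-wise and therefore predictable across locales.
unique_signatures() {
    awk '$NF == "FOUND" { print $(NF-1) }' | LC_ALL=C sort -u
}

# first_sample_for <signature>: print the path of the first message flagged
# with that signature, i.e. the one copy of each detection you would set
# aside for testing. The ": <signature> FOUND" suffix is stripped with sub()
# rather than by field splitting so that paths containing spaces survive.
first_sample_for() {
    awk -v sig="$1" '$NF == "FOUND" && $(NF-1) == sig {
        sub(/: [^:]*$/, ""); print; exit }'
}

# Usage: list the distinct detections, then the first carrier of each.
printf '%s\n' "$SAMPLE_LOG" | unique_signatures | while read -r sig; do
    path=$(printf '%s\n' "$SAMPLE_LOG" | first_sample_for "$sig")
    printf '%-20s %s\n' "$sig" "$path"
done
```

Pointing `clamscan` at a spam folder and feeding its output to this script gives a one-line-per-family inventory; the article's "two different strains of the Sobig worm" shows up here as two distinct signature names, which is exactly the distinction the summary preserves.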
Klez

Amazingly, Klez ran, but Wine kept on spewing out errors about "ntdll." After Googling to find out what Klez was supposed to do, I discovered that it's supposed to scour your system for email addresses, then mail itself out in a mostly un-RFC fashion. I didn't want to miss out on this, so I added my e-mail address to a .txt file under ~/.wine/fake_windows/Windows/Desktop/ and re-ran the virus. After waiting for a few minutes, and receiving no mail, I gave Symantec's summary of the Klez virus another look. Klez is so un-RFC compliant that it doesn't even bother to query DNS for the mail server of a given domain. It just tries "smtp.domainname.com." My mail server isn't named smtp.mydomain.com, but the Panix ISP (where I have a shell account) has such a host, so I edited my .txt file and tried again. After waiting half an hour, still nothing. Was networking working with Wine? I downloaded a copy of putty, and that worked. Panix must be blocking Klez via a Postfix regex or something. I give Klez 2/5 Penguins for at least running, but not doing what it's supposed to.

MyDoom

MyDoom seemed to be a .zip file (the file command concurred), but Info-ZIP's unzip command couldn't even unzip it. That's about as un-Linux compatible as you can get. 0/5 penguins.

Sobig

According to ClamAV, I had two different strains of the Sobig worm. Both of them ran. Sobig is supposed to create a winstt32.dat file. There wasn't a file named that anywhere under my fake_windows directory. It didn't send me email either. 2/5 penguins, as it's about as Linux compatible as Klez.

SCO worm

A virus named after SCO that was designed to DoS attack SCO should definitely be Linux compatible, right? The SCO virus (at least according to ClamAV) is actually just a variant on the MyDoom worm, but unlike MyDoom I was able to unzip this on Linux.

Not only does it run, but it actually dumped its payload at ~/.wine/fake_windows/Windows/System/shimgapi.dll! Unfortunately, that's all it did before it terminated. I mean, if it had kept on running, I might have been sufficiently tempted to set my system clock to February 3, 2004, in order to get in on the DoS fun! It must require Windows to bone-headedly execute its payload. I'll give it 3/5 penguins for actually doing something. Plus, whoever modified MyDoom like this actually seemed to put some thought into making it more Linux-compatible. That's what I call progress.

SomeFool

The SomeFool first-generation worm (Netsky.D according to some folks) actually installs its winlogon.exe file under Wine, and, as an added bonus, seems to get stuck in an endless loop, thus really having a negative performance impact on my Linux machine! I'll give this one 4/5 penguins for not only running and sort of doing what it was supposed to, but actually doing mildly bad things to Linux -- at least until I hit Control-C in the terminal from which I was running Wine to stop it dead.

Conclusion

Out of the five Windows viruses I ran under Wine, not a single one was able to send email and propagate itself. When I went out of my way to be part of the Windows community by doing my part to propagate Windows viruses (lots of Windows users seem to think this is important, seeing as how they run random executables and use Microsoft Outlook and Internet Explorer) I discovered that it couldn't easily be done with GNU/Linux tools. Oh sure, I could manually forward these viruses to the folks in my address book, but where's the fun in that? Besides, these viruses usually lie in the From: line and use a handful of different Subject: lines. As a GNU/Linux user, I really don't want to miss out on these important functionalities.

I tip my hat to the creators of the SomeFool virus, for actually (albeit temporarily and minimally) affecting my Linux experience. However, if that's the most damage I can get by running viruses with Wine under a dummy account, then it's clear that the Wine developers have a long way to go before Wine is truly Windows compatible.


Source
NewsForge.com

5 comments:

  1. This is rather amusing. Good work :)

  2. [...] It’s very common to remember viruses, instability and stupidity when we talk about Microsoft windows operating system, and now we have to add Power consumption :-) Connect any USB 2.0 device to your notebook and lose more than one hour of battery time: Tom’s Hardware Guide’s tests of a Windows-based Intel Core Duo mobile processor platform revealed a serious power consumption issue that, according to Intel, is caused by a Microsoft driver bug - a bug that has been known by Microsoft for some time, but kept from the public eye until today. [...]

  3. That's hilarious, I was looking for what virii would do in Wine, and this just made me laugh!!

    Peace

  4. [...] Originally Posted by bangorme 2) I'm running World of Warcraft on Wine. Does Wine have the same susceptibilities that Windows has? If it does, since I'm not running anything but WOW on Wine, is it possible for keyloggers to cross from Linux into Wine? I know nothing about WOW (the only game I play in Linux is chess, and I use native Linux programs for that). But I have read a number of entertaining articles posted by users who have tried (unsuccessfully) to get virus to run fully under wine. Take a look at some of these entertaining reads: Jad
