
Linux: Wine How-to | Running Windows viruses with Wine

It just isn't fair that Windows users get all the viruses. I mean really, shouldn't Linux users be in on the fun as well? Well... thanks to the folks running the Wine project, Linux users can "catch the virus bug" too -- sort of.

Linux just isn't user-friendly when it comes to viruses. You have to work to find and run them. It doesn't happen automatically as it does with Windows. The GNU/Linux folks really should improve this glaring discrepancy.

While I have friends who collect viruses, I didn't need to bother them. I found plenty by looking through my staggering collection of bogofilter-sorted mail. I apt-getted a copy of ClamAV, and after siccing it on my spam-and-other-things-I-don't-want-to-read collection, I yanked out a half-dozen unique viruses, all of them only Windows-compatible. That "only Windows-compatible" part was about to change.
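As an added example (not part of the original post), here is a small Python helper for the triage step just described: it parses clamscan's per-file output lines and returns one representative file per signature so you end up with a list of unique detections rather than every infected message. The scan output embedded in it is constructed; the paths and signature names are illustrative, not real detections.

```python
"""Group ClamAV clamscan detections by signature name.

Added example, not code from the original post. clamscan prints one
line per scanned file: "<path>: <signature> FOUND" for a hit, "<path>: OK"
for a clean file, and a "SCAN SUMMARY" block at the end.
"""
import re
from collections import defaultdict

# Matches only the detection lines; OK lines and the summary are skipped.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample output: made-up paths, illustrative signature names.
SAMPLE_OUTPUT = """\
/home/me/spam/msg0001.eml: Worm.Klez.H FOUND
/home/me/spam/msg0002.eml: OK
/home/me/spam/msg0003.eml: Worm.Sobig.F FOUND
/home/me/spam/msg0004.eml: Worm.Klez.H FOUND
/home/me/spam/msg0005.eml: Worm.Mydoom.A FOUND
/home/me/spam/msg0006.eml: Worm.Sobig.E FOUND
/home/me/spam/msg0007.eml: Empty file
----------- SCAN SUMMARY -----------
Known viruses: 1000000
Infected files: 5
"""


def group_detections(scan_output):
    """Map each signature name to the list of files it was found in."""
    hits = defaultdict(list)
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def unique_samples(scan_output):
    """One representative file per signature: the 'unique viruses' set."""
    return {sig: paths[0]
            for sig, paths in sorted(group_detections(scan_output).items())}


if __name__ == "__main__":
    for sig, path in unique_samples(SAMPLE_OUTPUT).items():
        print(f"{sig}: {path}")
```
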
Klez

Amazingly, Klez ran, but Wine kept on spewing out errors about "ntdll." After Googling to find out what Klez was supposed to do, I discovered that it's supposed to scour your system for email addresses, then mail itself out in a mostly un-RFC fashion. I didn't want to miss out on this, so I added my e-mail address to a .txt file under ~/.wine/fake_windows/Windows/Desktop/ and re-ran the virus. After waiting for a few minutes, and receiving no mail, I gave Symantec's summary of the Klez virus another look. Klez is so un-RFC compliant that it doesn't even bother to query DNS for the mail server of a given domain. It just tries "smtp.domainname.com." My mail server isn't named smtp.mydomain.com, but the Panix ISP (where I have a shell account) has such a host, so I edited my .txt file and tried again. After waiting half an hour, still nothing. Was networking working with Wine? I downloaded a copy of PuTTY, and that worked. Panix must be blocking Klez via a Postfix regex or something. I give Klez 2/5 penguins for at least running, but not doing what it's supposed to.

MyDoom

MyDoom seemed to be a .zip file (the file command concurred), but Info-ZIP's unzip command couldn't even unzip it. That's about as un-Linux-compatible as you can get. 0/5 penguins.

Sobig

According to ClamAV, I had two different strains of the Sobig worm. Both of them ran. Sobig is supposed to create a winstt32.dat file. There wasn't a file named that anywhere under my fake_windows directory. It didn't send me email either. 2/5 penguins, as it's about as Linux compatible as Klez.
SCO worm

A virus named after SCO that was designed to DoS attack SCO should definitely be Linux compatible, right? The SCO virus (at least according to ClamAV) is actually just a variant on the MyDoom worm, but unlike MyDoom I was able to unzip this on Linux.

Not only does it run, but it actually dumped its payload at ~/.wine/fake_windows/Windows/System/shimgapi.dll! Unfortunately, that's all it did before it terminated. I mean, if it had kept on running, I might have been sufficiently tempted to set my system clock to February 3, 2004, in order to get in on the DoS fun! It must require Windows to bone-headedly execute its payload. I'll give it 3/5 penguins for actually doing something. Plus, whoever modified MyDoom like this actually seemed to put some thought into making it more Linux-compatible. That's what I call progress.
SomeFool

The SomeFool first-generation worm (Netsky.D according to some folks) actually installs its winlogon.exe file under Wine, and, as an added bonus, seems to get stuck in an endless loop, thus really having a negative performance impact on my Linux machine! I'll give this one 4/5 penguins for not only running and sort of doing what it was supposed to, but actually doing mildly bad things to Linux -- at least until I hit Control-C in the terminal from which I was running Wine to stop it dead.

Conclusion

Out of the five Windows viruses I ran under Wine, not a single one was able to send email and propagate itself. When I went out of my way to be part of the Windows community by doing my part to propagate Windows viruses (lots of Windows users seem to think this is important, seeing as how they run random executables and use Microsoft Outlook and Internet Explorer) I discovered that it couldn't easily be done with GNU/Linux tools. Oh sure, I could manually forward these viruses to the folks in my address book, but where's the fun in that? Besides, these viruses usually lie in the From: line and use a handful of different Subject: lines. As a GNU/Linux user, I really don't want to miss out on these important functionalities.

I tip my hat to the creators of the SomeFool virus, for actually (albeit temporarily and minimally) affecting my Linux experience. However, if that's the most damage I can get by running viruses with Wine under a dummy account, then it's clear that the Wine developers have a long way to go before Wine is truly Windows compatible.


Source
NewsForge.com

Comments

  1. This is rather amusing. Good work :)

  2. [...] It’s very common to remember viruses, instability and stupidity when we talk about Microsoft windows operating system, and now we have to add Power consumption :-) Connect any USB 2.0 device to your notebook and lose more than one hour of battery time: Tom’s Hardware Guide’s tests of a Windows-based Intel Core Duo mobile processor platform revealed a serious power consumption issue that, according to Intel, is caused by a Microsoft driver bug - a bug that has been known by Microsoft for some time, but kept from the public eye until today. [...]

  3. That's hilarious, I was looking for what virii would do in Wine, and this just made me laugh!!

    Peace

  4. [...] Originally Posted by bangorme 2) I'm running World of Warcraft on Wine. Does Wine have the same susceptibilities that Windows has? If it does, since I'm not running anything but WOW on Wine, is it possible for keyloggers to cross from Linux into Wine? I know nothing about WOW (the only game I play in Linux is chess, and I use native Linux programs for that). But I have read a number of entertaining articles posted by users who have tried (unsuccessfully) to get viruses to run fully under Wine. Take a look at some of these entertaining reads: Jad
