6

The Story

I installed wine some time ago, and after trying out some versions of Cinema 4D that were "free", I looked in the comments of the videos, and saw some people complaining about viruses. I got worried, downloaded and installed MalwareBytes, and scanned my "system". Of course, since MalwareBytes was running through Wine, it only scanned ~/.wine/C:. It found many viruses/trojans and I opted to delete them. I did so.

Questions:

  1. Assuming there is any malware left, can this malware spread into my OS? Tell me the entire truth on what can happen.

  2. I deleted my entire .wine directory and am planning to uninstall wine later. I am the only user out of the three on this system that runs wine programs, but wine is installed for all. Is that enough, or must I do more? Please be specific on what I should do because I want to be 100% sure that there are no viruses.

I am sure that many others have these questions too, so please answer this question to the point.

Additional information:

Wine was installed with sudo apt-get. The exact commands can be found here: https://www.youtube.com/watch?v=_cQW70dsVsM

Commands:

sudo add-apt-repository ppa:ubuntu-wine/ppa -y
sudo apt-get update
sudo apt-get install wine1.6 -y

I did try to install a font that was a ttf font. I tried to convert it to otf with no success. Then, I placed it in the fonts directory directly. I then saw that some people said it was malicious, and I removed it.

This question was flagged as a duplicate of this question: Risks/Disadvantages associated with Wine
It is not the same. This question is more precise, as it specifies two scenarios involving viruses, not risks of viruses. The other question talked about Internet Explorer; this one does not mention the installation of any programs.

Note: wine was installed with sudo privileges, so does that mean it runs with sudo privileges?

1 Answer

5

No, Windows malware can't "spread" to the host Linux system.

No, Windows malware doesn't "spread" across Wine prefixes.

For both questions, a theoretical possibility is not to be ruled out, but it would mean that the malware writers would deliberately attempt to target Wine systems, which is extremely unlikely - unless you are a security researcher you don't care about this.

By nuking your .wine you should be okay.

Nota bene: Windows malware in Wine can do all sorts of bad things to files it has permissions to access, which includes your home directory. Windows malware can't spread to the Linux host, but it can nuke files in your Linux home directory.

EDIT: Of course, the likelihood of having false positives if you scan an entire Wine installation with a Windows antimalware tool is probably greater than everything else.

  • 1
    This partially answers my question. However this brings up a new question: do I need to deinstall wine entirely, for the entire system? – Distant Graphics Apr 11 '15 at 11:48
  • 1
    As I said, by removing your .wine directory you should be okay. If you want to play it really safe check the rest of your home folder and your /tmp folder for suspicious .exe files and zap them too. In practice, by doing this, I think, we cover basically all realistic possibilities. – Tobia Tesan Apr 11 '15 at 11:51
  • I found a bunch of things in /etc/alternatives called "fakeroot". Does anybody know what that is? They are all .gz files. I also found a random .ttf "fonts-japanese-gothic.ttf" – Distant Graphics Apr 11 '15 at 11:56
  • As I mentioned, remove your .wine, remove any *.exe files from /tmp and your home directory and stop. /etc/alternatives/fakeroot in particular is a legit file used by update-alternatives, leave it alone. – Tobia Tesan Apr 11 '15 at 12:01
  • Ok. Thanks, so just /tmp? – Distant Graphics Apr 11 '15 at 12:04
  • And, more importantly, your home directory. Looking outside your .wine is playing it safe, wandering outside your home directory borders on paranoid. By the way, welcome to Stack Exchange. If you find an answer useful please consider upvoting it and accepting the most useful one if you receive multiple answers. – Tobia Tesan Apr 11 '15 at 12:10
  • Alright, thanks. I already deleted MY and only MY .wine directory /home/[my user directory]/.wine got deleted. – Distant Graphics Apr 11 '15 at 12:11
  • Update: I found something having to do with chrome in /tmp with cookie data inside. (at least I think it's cookie data. I found .ICE-unix, .wine-1001, .X11-unix, .XO-lock, .xfsm-ICE-4J85WX, and config-err-rCl0yT. – Distant Graphics Apr 11 '15 at 12:20
  • Those are legit files. Leave them alone. Don't be paranoid. You only care about Windows executable (*.exe) files anyway. If there isn't any, just leave /tmp alone. – Tobia Tesan Apr 11 '15 at 12:39
  • It seems that the virus has something to do with wine. Just as a test, I went to my start menu and randomly started up wine. It "updated" my .wine folder, which didn't exist, and when it was done, I redownloaded and reinstalled MalwareBytes, and it found more baddies. ._. – Distant Graphics Apr 11 '15 at 14:49
  • The fact that Wine, upon launch, creates a .wine folder if it does not exist, seems only natural to me. At this point I'm curious to see the output of MalwareBytes. If you did not do anything else, false positives are many times more likely than some weird malware specifically targeting Wine, let alone multiple different Wine-targeting malware. Note that MalwareBytes is a Windows program and there is no guarantee that it will work under Wine. If you are concerned, try a Linux specific tool (one that can detect Windows malware too) and see what happens. – Tobia Tesan Apr 11 '15 at 15:48
  • I would like to take a screenshot but I don't feel like messing with wine again... I do remember that most of the baddies found were trojans (e.g. trojan.agent) and the rest were something called brokencode or something like that – Distant Graphics Apr 11 '15 at 15:54
  • Anyway note that long-winding comment threads are discouraged here - SE is not a forum. My opinion is that in all likelihood you are simply having false positives, and that's unsurprising since you are trying to use a Windows tool on a Wine machine (one that must look like a very weird Windows machine to your software). If you want to go deeper, I suggest you take it to the MalwareBytes forum and see if they can help you there. Alternatively, try installing MalwareBytes on a clean Ubuntu machine. My money is on the exact same behaviour reappearing. – Tobia Tesan Apr 11 '15 at 15:54
  • @DistantGraphics: just contemplate for an instant that malware often changes system files and DLLs, so antimalware tools often look for those as signs of malware activity. And the C:\WINNT directory of a Wine installation must certainly look weird. Unless you can confirm that on a clean Wine install on a clean Ubuntu machine your antivirus does not return false positives, those probably are false positives. I would avoid scanning your Wine directory with Windows security tools, because it's a Wrong Thing to do - it's like a man going to a gynecologist who doesn't notice the difference. – Tobia Tesan Apr 11 '15 at 16:01
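The answer's practical advice boils down to: delete ~/.wine, then look through the rest of your home directory and /tmp for leftover Windows executables. The script below is an added example written for this page, not code from the answer author. It lists files that carry the DOS/PE "MZ" signature rather than matching on the .exe extension, so a Windows binary renamed to .dat or .ttf is still reported, and it only lists; deleting is left to the user. It skips any .wine prefix, because a Wine prefix legitimately contains dozens of Wine's own PE files and the advice is to remove that directory wholesale anyway. Run it as the ordinary user, not with sudo: the apt install puts the Wine binaries on the system, but a Wine program runs with the uid of whoever launched it, so the files this scan can read are exactly the files a Wine program run by that user could have touched. The `find_pe_files` function name and the `--` usage shown in the note are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the answer's author): list Windows PE files under the
# given directories by their "MZ" header, without deleting anything.

# Print the path of every regular file under the given directories whose first
# two bytes are "MZ" (the DOS/PE executable signature). Any directory named
# .wine is pruned: a Wine prefix is full of Wine's own PE files by design, and
# the answer's advice is to remove that directory entirely rather than sift it.
# Directories that do not exist are skipped silently.
find_pe_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -name .wine -prune -o -type f -print 2>/dev/null |
        while IFS= read -r f; do
            # Read only the first two bytes; od -c renders them as characters.
            sig=$(dd if="$f" bs=2 count=1 2>/dev/null | od -An -c | tr -d ' \n')
            [ "$sig" = "MZ" ] && printf '%s\n' "$f"
        done
    done
}

# Count the PE files found, for a quick "is there anything at all" check.
count_pe_files() {
    n=$(find_pe_files "$@" | wc -l | tr -d ' ')
    printf '%s\n' "$n"
}

# When run as a script with directories as arguments, scan them.
# Typical use after removing ~/.wine:  sh scan_pe.sh "$HOME" /tmp
if [ "$#" -gt 0 ]; then
    find_pe_files "$@"
fi
```

Usage: `sh scan_pe.sh "$HOME" /tmp` prints one path per line; an empty result means no Windows executables remain in the places the answer says to check. Review each hit before removing it, since a renamed installer you downloaded on purpose has the same header as anything dropped by a Windows program.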