
My laptop runs on Ubuntu and was recently infected with the Brontok virus. It managed to infect my Ubuntu - through my flash drive - because I have Wine installed. I had used the USB in an infected Windows computer belonging to someone I know. It creates .exe files in random application folders.

I've found .exe files in the folder for Openshot video editor, Audacity, Wine, it sometimes creates an .exe file in my Desktop folder, it creates the classic Brontok image with the green background in my Pictures folder as an HTML file and if I delete these, they just reappear each time I switch my computer back on.

I can't even name all the folders this worm is making .exe files in. They're all over and deleting doesn't help. A comprehensive guide on how to remove it is appreciated.

blade19899
Deisie

1 Answer

I will show you how to delete Wine and the virus itself, step by step:

Step One:

Run the following command(s) in your terminal:

This will purge wine from your system:

  • sudo apt-get purge wine

Step Two:

Just in case apt-get could not delete a Wine .exe file for whatever reason, delete the entire wine folder. It resides in your home folder like so: .wine/

  • sudo rm -rfv ~/.wine/

Step Three:

To make sure no wine process is still loaded:

  • sudo reboot

This will reboot your system, without confirmation.

You can run the following command after the reboot to see which .exe process is still loaded:

  • ps aux | grep .exe

And then force close it:

  • killall -9 brontok.exe

Make sure you know that the process is malicious.

Step Four:

Run this in your home folder; it will try to find any file that ends with the .exe prefix.

  • find ~/ -type f -name "*.exe"

Step Five:

The previous find command will display the path of the .exe file(s), delete every .exe file you don't trust. Like so:

  • sudo rm -f /path/to/maybe-a-virus.exe

Step Six:

Scan with an Antivirus for linux, like clam antivirus. How to install and scan here:

Notes:

clamav does not have a large database of Windows viruses compared to the major antivirus corporations. If you are not a hundred percent convinced of the legality of a file, you can upload it to:

At the time of writing, it uses 57 antiviruses to scan files. It's still not a hundred percent accurate, but it is right about 99% of the time. My personal experience.

Mono names its binaries .exe, so not all .exe files you don't know are harmful. For a list of Linux projects that use Mono, see:

Here is a quote - my own - that comments about the security benefits from using PlayOnLinux:

"My preferred graphical front-end for Wine is PlayOnLinux, with that you have more control over your Wine environment, and there is a separate environment per application. So, if you happened to get infected by using Safari, use the Configuration options to examine and/or restore, or just delete the entire Safari Volume." - blade19899, malware - Do Wine Viruses only work while Wine is running?

It's a bit safer than using wine.

Step Seven:

After you're absolutely sure that your virus is gone, re-install wine:

  • sudo apt-get install wine

Links:

blade19899
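Added example, not part of blade19899's answer: a small POSIX shell script that automates the inventory of Steps Four and Five and the Mono caveat from the notes. It lists every .exe under a directory with its SHA-256 (so you can look the hash up on a multi-engine scanner before uploading anything) and a heuristic class, so that Mono/.NET assemblies are not deleted blindly. The function names and the "imports mscoree.dll" heuristic are my own assumptions, not something the answer states.

```shell
#!/bin/sh
# Added example (not from the answer above). Inventory every .exe under a
# directory so the user can decide what to keep and what to hash/upload.
# Assumes a POSIX shell with find, head, grep -a, awk and sha256sum.

# classify_exe FILE -> prints one of: not-pe | dotnet-pe | native-pe
# Heuristic (assumption): a Windows PE file starts with the bytes "MZ";
# a .NET/Mono assembly imports mscoree.dll, and that DLL name appears as
# a plain ASCII string inside the file. Anything else is a native PE.
classify_exe() {
    f=$1
    if [ "$(head -c 2 "$f" 2>/dev/null)" != "MZ" ]; then
        echo not-pe          # has .exe in its name but is not a PE at all
    elif grep -aq 'mscoree.dll' "$f"; then
        echo dotnet-pe       # likely a Mono/.NET assembly: check before deleting
    else
        echo native-pe       # native Windows binary: needs Wine to run
    fi
}

# inventory_exes DIR -> one line per .exe found: "<sha256> <class> <path>"
# The hash can be searched on a multi-engine scanner without uploading the file.
inventory_exes() {
    find "$1" -type f -name '*.exe' 2>/dev/null | while IFS= read -r f; do
        printf '%s %s %s\n' \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$(classify_exe "$f")" "$f"
    done
}

# count_class DIR CLASS -> how many .exe files of that class live under DIR
count_class() {
    inventory_exes "$1" | awk -v c="$2" '$2 == c' | wc -l | tr -d ' '
}

# Typical use, mirroring Step Four on the home folder:
#   inventory_exes "$HOME" | sort -k2
```

Files reported as native-pe outside ~/.wine are the ones worth a closer look; dotnet-pe files shipped by a package you installed (the Banshee case in the comments) are probably legitimate.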
    I would recommend deleting every single .exe, even if you "trust" it. – jrg Jun 22 '15 at 13:48
  • @jrg Some applications use Mono, and Mono names binaries .exe. So, Banshee uses Mono; if you delete all the .exe files, you risk breaking software that is legit. – blade19899 Jun 22 '15 at 13:56
  • Thank you, this seems like it could work, I only have one question - If I follow these instructions, I'm assuming I won't be able to run wine any more (it will be deleted, after all). That's a problem for me, I use wine. Can I just re-install wine after doing this? – Deisie Jun 22 '15 at 14:16
  • @Deisie yes you can reinstall wine, if you are absolutely sure you deleted the virus. As I mentioned in my answer, it's slightly safer to use PlayOnLinux. – blade19899 Jun 22 '15 at 14:20
  • I did what you said (amazingly enough, I managed), but I'm finding it difficult to install clamav. I downloaded it, and extracted the zip folder, but when I type the command, I just get this: – Deisie Jun 22 '15 at 16:00
  • Reading state information... Done Package clamav is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source
    E: Package 'clamav' has no installation candidate mylaptop@Mylaptop-Laptop:~$
    – Deisie Jun 22 '15 at 16:01
  • @Deisie, you can install clamav because you are running a version of Ubuntu that's no longer supported. That being said, you can skip clamav, and upload .exe files that you find suspicious. There are other antiviruses that you can try to install, but I'm not sure if they support outdated Ubuntu versions. – blade19899 Jun 22 '15 at 16:07
  • @Deisie: As you're a reputation 6 user: If this answer helped you, don't forget to click the grey at the left of this text, which means Yes, this answer is valid! ;-) And you should read this as well – Fabby Jun 23 '15 at 10:15
  • @blade19899, I know it's been a lifetime since I asked the question, but I finally came back today and realised I hadn't accepted the answer yet. I've accepted it now. Thank you for all your help; your instructions did in fact remove the virus. Luckily I eventually got around to updating my Ubuntu altogether, so now I can install new programs and stuff. – Deisie Feb 29 '16 at 21:59
  • @Deisie No problem. Glad to be of help! – blade19899 Mar 01 '16 at 08:06