8

Is there any way that I can run this program on my Linux system without possibly getting a virus?

Jorge Castro
Alex Poulos
  • You would have to tell us what virus. It could potentially run in wine, in which case it could "infect" any file your user has rw access to (most anything in /home/your_user). If you do not run it (or wine) as root it is unlikely to affect system files. – Panther Jan 23 '12 at 03:24
  • Can you tell us exactly what the program is you're trying to run and where you got it from? As bodhi.zaen said, you could simply have a false positive, though it is hard to tell unless we know exactly what you have. – Knowledge Cube Jan 23 '12 at 04:08
  • This is what I'm trying to run: https://www.virustotal.com/file/f9c972b2d60e1ac28563a45f647afee7337f5ff897a51df305b3de2af06da80f/analysis/1327287542/

    It's a modifier for a custom IOS for the Wii - the guy has insisted it's not a virus, but 3/42 virus scanners said it's a trojan.

    – Alex Poulos Jan 23 '12 at 07:16
  • 3
    Great question! :) – Bruno Pereira Jan 23 '12 at 07:18
  • @AlexPoulos The page you linked to looks like it runs the scan across many different antivirus products and displays the results. I've used a similar service in the past (though I can't seem to find its page now). But in general, if you run the file through such a page and only a couple scanners say it is infected, then it's most likely a false positive. If a large portion of them say it is infected (like a third or more), then you should start worrying. Also, it'd be great if you could edit your comment back into your answer, so as to keep things nice and tidy. Thanks! – Knowledge Cube Jan 23 '12 at 07:32
  • @WarriorIng64 thank you for that, but if I wanted to be sure and be absolutely protected, how would I make sure that I wasn't going to be infected by the trojan in a Wine environment? – Alex Poulos Jan 23 '12 at 07:33
  • 1
    @AlexPoulos To that, all I can say is that you can't be sure without actually trying it. This is true regardless of any random file or piece of software one gets from the Internet that's not directly from a reputable organization. You could read and compile the source code yourself if it's provided, or set up a test machine with Wine installed and see what the effects are there. But as I said before, I don't think it should be an issue this time around, although that judgment's based on probability. – Knowledge Cube Jan 23 '12 at 07:38

2 Answers

11

You would need to run it in an isolated test system, such as a VM, and investigate what it does.

What exactly is it?

It is hard to believe you "need" to run an infected .exe.

It is possible you have a false positive as well (depending on how you detected the virus and what, if any, investigation you have done).

Panther
  • 102,067
  • It's a program someone made for help with modifying a custom IOS for the Wii. https://www.virustotal.com/file/f9c972b2d60e1ac28563a45f647afee7337f5ff897a51df305b3de2af06da80f/analysis/1327287542/ – Alex Poulos Jan 23 '12 at 07:15
8

Please be aware that even though this will probably work fine, running a virus inside any live system is never a good idea, even if you are sure that you can revert / eliminate the effects of the virus. For a safer approach the answer from bodhi.zazen is recommended. These are the safest steps to run something that is not really safe.


Any program running inside a wine prefix has only access to the virtual bottle in that .wine prefix folder in your home and nothing else. They are closed inside that bottle.

That said, it is also true that a default created bottle also creates standard links into your home folder and root file system; you need to make sure that those are deleted before running the executable. Some pesky trojans will scan drives for executables or other specific file types and try to infect those.

A better option is to create a new bottle, thus isolating it from your normal bottle. For that you need to run the .exe file in a separate prefix; do that by following this example:

export WINEPREFIX=~/wine_possible_trojan
wine winecfg

At this point look for the mount points created for the bottle; they should be on the Drives tab. Remove any letters that are not c:\. That will prevent the trojan from fiddling with any files inside your home or the root file system.

After removing the drives from the bottle you can run the executable in the bottle you just created using something like

WINEPREFIX=~/wine_possible_trojan wine path_to_exefile.exe

After that, deleting ~/wine_possible_trojan will delete the bottle from your system, eliminating the modifications done by the trojan inside that bottle.

If you are unsure you can also install a virus scanner in your Linux system and run that after (and maybe before, to see if it picks anything up) deleting the .wine prefix. Have a look at this post for options available:


The other option would be, as bodhi.zazen said, to install VirtualBox from the Ubuntu Software Center, install Ubuntu or Windows (if available) into a new virtual system in VirtualBox and run the .exe inside that virtual system.

For more information about VirtualBox please visit the Wikipedia page, the official VirtualBox page and have a look at How to install VirtualBox in AskUbuntu.com.


I can see from the AV scan report you added to the comments that only 1 engine picked it up out of all of those on the list, I would say false positive.

Bruno Pereira
  • 73,643
  • how do I run this in an isolated environment? – Alex Poulos Jan 23 '12 at 07:15
  • The wine bottle is a sort of isolated environment, delete ~/.wine and that environment is gone. Other than that do what @bodhi.zazen tells you and run it on a virtualbox system. – Bruno Pereira Jan 23 '12 at 07:21
  • what are some virtualbox applications I can download and run for ubuntu? – Alex Poulos Jan 23 '12 at 07:22
  • is there any sure shot way that I can make sure that I won't get infected if I run this? – Alex Poulos Jan 23 '12 at 07:29
  • So it's almost similar to a sandbox then? – Alex Poulos Jan 23 '12 at 07:39
  • hmm... the only thing that is keeping me from doing this is a few double checks with the Wine team. I've had a similar question like this before and they gave me some different more discomforting answers, I have clamav and did scan with it and nothing came up. – Alex Poulos Jan 23 '12 at 07:50
  • AFAIK Wine usually has, by default, drive letters set up to point to your home directory and root filesystem. This means the "bottle" you talk about effectively contains your entire home directory plus anything throughout the file system you have permission to access. Maybe this has been changed recently though...? – detly Jan 23 '12 at 08:47
  • @detly no, I don't think so. not entirely sure that if you create a new prefix before running the executable that is also true. thx for the heads up, I will edit the answer to reflect that. – Bruno Pereira Jan 23 '12 at 09:24
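
The drive-letter point raised in the answer and in the last two comments can be checked from the shell before anything is run in the prefix. This is an added example, not part of the original answers; it assumes the usual Wine prefix layout (drive letters are symlinks in `dosdevices`, user folders live under `drive_c/users`), GNU `readlink -f`, and the function names are made up here.

```shell
#!/bin/sh
# Audit a Wine prefix for symlinks that lead outside the prefix directory.
# Typical findings in a default prefix: dosdevices/z: -> / and the
# Desktop/Documents links under drive_c/users/<name>/ pointing into $HOME.

# Print "link -> resolved target" for every symlink under the prefix whose
# target resolves to a path outside it. find does not follow the links, so
# the walk itself never leaves the prefix.
list_escaping_links() {
    prefix=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$prefix" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "$prefix"|"$prefix"/*) ;;   # resolves inside the prefix: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Exit status 0 only when no link in the prefix leads outside it.
# Status 2 means the prefix directory could not be read at all.
prefix_is_contained() {
    links=$(list_escaping_links "$1") || return 2
    [ -z "$links" ]
}

# Typical use with the prefix name from the answer:
#   list_escaping_links ~/wine_possible_trojan
#   prefix_is_contained ~/wine_possible_trojan && echo "no outside links"
```

An empty result only says that no link inside the prefix points outside it; the Windows program still runs under your own user account, which is why the answers point to a VM for anything you do not trust.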