Malware (RansomWare) in Wine installation.

Open forum for end-user questions about Wine. Before asking questions, check out the Wiki as a first step.
DrewTWeb
Level 1
Posts: 5
Joined: Tue Sep 12, 2017 8:59 pm

Malware (RansomWare) in Wine installation.

Post by DrewTWeb »

Hi folks,

Caution on installing Wine. Contains RansomWare at this time.

Please clean this from the installs and remedy the situation so that this can be avoided in the future.

If it isn't really RansomWare, please inform me as to the reason why it contains this?

Thanks.

Sincerely,
Drew.
Attachments
Installed Wine.
Ran Anti-Malware scan.
Found this.
Screenshot_2017-09-13_11-57-04.png (9.39 KiB) Viewed 4964 times
dimesio
Moderator
Posts: 13201
Joined: Tue Mar 25, 2008 10:30 pm

Re: Malware (RansomWare) in Wine installation.

Post by dimesio »

What you scanned was the wineprefix, not the Wine installation, and what the scan found was a possibly infected .exe file that is not part of Wine, but something you installed with Wine. I say possibly, because it could be a false positive, but I wouldn't assume that.

My suggestion is to delete that wineprefix, run a scan on all directories your user has write access to, and be more careful in the future what you install with Wine. Wine is not a sandbox and does not protect against malware. https://wiki.winehq.org/FAQ#Is_Wine_mal ... patible.3F
DrewTWeb
Level 1
Posts: 5
Joined: Tue Sep 12, 2017 8:59 pm

Re: Malware (RansomWare) in Wine installation.

Post by DrewTWeb »

Below is what I installed.
Then I started Wine.

I installed them by calling them directly, not just "wine*" when installing.

----------------------

Last metadata expiration check performed 1 day, 20:57:10 ago on Tue Sep 12 15:01:02 2017.
Installed Packages
wine.x86_64 1.9.12-1.fc23 @updates
wine-alsa.i686 1.9.12-1.fc23 @updates
wine-alsa.x86_64 1.9.12-1.fc23 @updates
wine-arial-fonts.noarch 1.9.12-1.fc23 @updates
wine-capi.i686 1.9.12-1.fc23 @updates
wine-capi.x86_64 1.9.12-1.fc23 @updates
wine-cms.i686 1.9.12-1.fc23 @updates
wine-cms.x86_64 1.9.12-1.fc23 @updates
wine-common.noarch 1.9.12-1.fc23 @updates
wine-core.i686 1.9.12-1.fc23 @updates
wine-core.x86_64 1.9.12-1.fc23 @updates
wine-courier-fonts.noarch 1.9.12-1.fc23 @updates
wine-desktop.noarch 1.9.12-1.fc23 @updates
wine-docs.noarch 1.4-6.fc23 @fedora
wine-filesystem.noarch 1.9.12-1.fc23 @updates
wine-fixedsys-fonts.noarch 1.9.12-1.fc23 @updates
wine-fonts.noarch 1.9.12-1.fc23 @updates
wine-ldap.i686 1.9.12-1.fc23 @updates
wine-ldap.x86_64 1.9.12-1.fc23 @updates
wine-marlett-fonts.noarch 1.9.12-1.fc23 @updates
wine-mono.noarch 4.6.3-1.fc23 @updates
wine-ms-sans-serif-fonts.noarch 1.9.12-1.fc23 @updates
wine-openal.i686 1.9.12-1.fc23 @updates
wine-openal.x86_64 1.9.12-1.fc23 @updates
wine-opencl.i686 1.9.12-1.fc23 @updates
wine-opencl.x86_64 1.9.12-1.fc23 @updates
wine-pulseaudio.i686 1.9.12-1.fc23 @updates
wine-pulseaudio.x86_64 1.9.12-1.fc23 @updates
wine-small-fonts.noarch 1.9.12-1.fc23 @updates
wine-symbol-fonts.noarch 1.9.12-1.fc23 @updates
wine-system-fonts.noarch 1.9.12-1.fc23 @updates
wine-systemd.noarch 1.9.12-1.fc23 @updates
wine-tahoma-fonts.noarch 1.9.12-1.fc23 @updates
wine-tahoma-fonts-system.noarch 1.9.12-1.fc23 @updates
wine-times-new-roman-fonts.noarch 1.9.12-1.fc23 @updates
wine-twain.i686 1.9.12-1.fc23 @updates
wine-twain.x86_64 1.9.12-1.fc23 @updates
wine-wingdings-fonts.noarch 1.9.12-1.fc23 @updates
wine-wingdings-fonts-system.noarch 1.9.12-1.fc23 @updates
Available Packages
wine.i686 1.9.12-1.fc23 updates
wine-devel.i686 1.9.12-1.fc23 updates
wine-devel.x86_64 1.9.12-1.fc23 updates
wine-times-new-roman-fonts-system.noarch 1.9.12-1.fc23 updates
winetricks.noarch 20161005-2.fc23 updates
DrewTWeb
Level 1
Posts: 5
Joined: Tue Sep 12, 2017 8:59 pm

Re: Malware (RansomWare) in Wine installation.

Post by DrewTWeb »

I moved the .wine directory, and ran the config tool to generate it AGAIN, and this time it did NOT install the PDF_Reader.

I recommend that this be looked into as to why it is there on original install/configuration, but not there afterwards.

It seems there is something amiss with it.
DrewTWeb
Level 1
Posts: 5
Joined: Tue Sep 12, 2017 8:59 pm

Re: Malware (RansomWare) in Wine installation.

Post by DrewTWeb »

dimesio wrote:My suggestion is to delete that wineprefix, run a scan on all directories your user has write access to, and be more careful in the future what you install with Wine. Wine is not a sandbox and does not protect against malware. https://wiki.winehq.org/FAQ#Is_Wine_mal ... patible.3F

Order of the things I did.

1. Install Wine and all wine x64 things including fonts via DNF/YUM using certified repositories.
2. Ran winecfg.
3. Ran anti-malware check.
4. Registered on forum and notified you with screenshot.
dimesio
Moderator
Posts: 13201
Joined: Tue Mar 25, 2008 10:30 pm

Re: Malware (RansomWare) in Wine installation.

Post by dimesio »

DrewTWeb wrote:I moved the .wine directory, and ran the config tool to generate it AGAIN, and this time it did NOT install the PDF_Reader.

I recommend that this be looked into as to why it is there on original install/configuration, but not there afterwards.

It seems there is something amiss with it.

From what you've posted, you've been using the Fedora distro Wine packages, not the WineHQ ones, so if you really think something was wrong with those packages, report it to Fedora.

However, I doubt Fedora included a Windows executable in their Wine packages, and the fact that a clean wineprefix from the same packages does not have that file bears that out. Either you installed PDF_Reader and forgot, or someone else with access to that system installed it and didn't tell you, or possibly you or someone else accessed a malicious website or email that installed it behind your back. Those are not Wine issues. Any investigating needs to be done by you.
DrewTWeb
Level 1
Posts: 5
Joined: Tue Sep 12, 2017 8:59 pm

Re: Malware (RansomWare) in Wine installation.

Post by DrewTWeb »

Okay, so it is actually Fedora, not WineHQ. That makes a world of difference, because it means that they alter your packages to not be legitimate. I recommend that you warn everyone that uses WINE to let them know about this.

And no, I didn't install anything after. All I did was exactly what I said I did.

It took 20 minutes, and I was sitting right here in front of the PC. No-one else did anything.

dimesio wrote:From what you've posted, you've been using the Fedora distro Wine packages, not the WineHQ ones, so if you really think something was wrong with those packages, report it to Fedora.

However, I doubt Fedora included a Windows executable in their Wine packages, and the fact that a clean wineprefix from the same packages does not have that file bears that out. Either you installed PDF_Reader and forgot, or someone else with access to that system installed it and didn't tell you, or possibly you or someone else accessed a malicious website or email that installed it behind your back. Those are not Wine issues. Any investigating needs to be done by you.
dimesio
Moderator
Posts: 13201
Joined: Tue Mar 25, 2008 10:30 pm

Re: Malware (RansomWare) in Wine installation.

Post by dimesio »

You've provided no evidence that the Fedora packages are at fault; as I said, the fact that a clean wineprefix created by the same packages does not contain that file indicates that those packages are not at fault. We also have many Fedora users, and no one else has reported this. So no, I am not going to start warning people against imaginary malware in Fedora packages.

As to how it got on your system, are you sure this wasn't a leftover wineprefix from a previous install? Uninstalling/reinstalling Wine does not remove wineprefixes and if you had installed that software previously it would still be there. But if that's not it, then I have no idea how it happened. That is something you should investigate.
SquareAperture
Level 2
Posts: 28
Joined: Sat Sep 02, 2017 12:30 am

There's NO Malware in Fedora nor wine! Cut that out!

Post by SquareAperture »

Hey Drew.

Dude. Please. Enough. Don't spread such disinformation. Someone might believe you. And please don't email Fedora Tech Support. Those people put up with enough and we love them.

What you are implying borders on impossible.
("very very very freakin' unlikely" would be the technical term.)

Look - either you're a troll and troublemaker, or you truly believe this is what happened.
I'll take you at face value and assume you believe it.

So I'm sorry you feel so angry scared and whatever else, and I'm glad you're the kind of person who really wants to know, to hunt it down, to file any and all reports with those who will listen. That part is great, thank you!

But you are wrong and looking in the wrong location.

There's no need for me to cover it. PLEASE re-read dimesio's posts again. And again. And keep going until it sinks in.

While we're talking, let's cover why your listed packages are F23? Even F24 is past its end-of-life support. You really should upgrade. Your system hasn't had any updates, security or otherwise, since before Christmas '16 - almost a year. F27 comes out in about exactly one month, but you probably shouldn't wait, all things considered.

If you are going to persist that it came from the packages you installed, check them. There is a cache directory they were downloaded into, and if you didn't erase them and depending on your settings, they're still there. /var/cache/dnf. To list the files in an uninstalled RPM, use: rpm -qpl <package-name>. You will notice there's a lot of subdirectories here, but you can check them all at once easily: find . -iname \*rpm -exec rpm -qpl {} \; | grep -i exe$ - this will show you any file ending in exe in all the RPMs/DRPMs in the entire tree. Or hey, maybe you want to check the entire Fedora repository? Great. There is a verb in dnf called 'provides' that will tell you where any file on your system came from. i.e.: if you typed dnf provides */alsa-info.sh it will find every copy of alsa-info.sh on your system and tell you the package name and repository that it came from. And finally, if you want to check every single installed package on your system (that the rpmdb knows about, anyway), you can enter this: rpm -qa | xargs -n 1 rpm -ql | grep -i com7.exe.

We know none of those things will return anything, but here's hoping you come to that conclusion too. And then when you finally agree, maybe you will look at your browser cache under .wine, or any windows downloads you extracted/executed under wine, etc. as sources of your troubles. Because you're wasting a lot of effort thinking it came from Fedora.

In fact let me give you another find command, run this in your home directory or your downloads... it'll look inside every .zip file and tell you if it finds that exact file: find . -iname \*zip -exec unzip -v {} \; | grep -i com7.exe. I hope it doesn't, but it's much more likely to find it on your system than in a Fedora supplied archive.

Good luck!

And if, on the other hand, you are a troll and troublemaker - ooh you got me!
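The check SquareAperture describes above (list what the installed packages own, then see whether the .exe in the prefix is accounted for) can be scripted so the comparison is done by resolved path and hash rather than by eye. The following is an added example, not code from this thread, from Wine or from Fedora: it assumes the package file list has been captured with `rpm -qa | xargs -n 1 rpm -ql` as in the post, and here both that manifest and the wineprefix tree are constructed in a temporary directory (placeholder bytes, not real executables) so it runs offline. A file is treated as package-owned when its symlink target resolves to a path in the manifest; anything else is reported with its SHA-256 and whether it was modified after the prefix was created.

```python
#!/usr/bin/env python3
"""Triage .exe files in a wineprefix: which ones are accounted for by an
installed package and which ones are not.

Added example, not code from the thread, Wine or Fedora. The package file
list would normally come from `rpm -qa | xargs -n 1 rpm -ql`; here the
manifest and the prefix tree are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse `rpm -ql` style output: one absolute path per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_executables(root):
    """Case-insensitive *.exe search, equivalent to `find -iname '*.exe'`."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == ".exe")


def triage(prefix, owned_paths, prefix_created):
    """Classify every .exe under the prefix.

    A new prefix is populated with symlinks to files shipped by the wine
    packages, so an .exe counts as package-owned when its resolved path
    (the `readlink -f` result) is in the rpm manifest. Anything else was
    put there by the user or by something running as the user.
    """
    prefix = Path(prefix)
    findings = []
    for exe in find_executables(prefix):
        real = os.path.realpath(exe)
        findings.append({
            "path": str(exe.relative_to(prefix)),
            "sha256": sha256_of(exe),
            "package_owned": real in owned_paths,
            # os.stat follows the symlink, so this is the target's mtime
            "newer_than_prefix": os.stat(exe).st_mtime > prefix_created,
        })
    return findings


def unexplained(findings):
    """The files worth investigating: not owned by any installed package."""
    return [f for f in findings if not f["package_owned"]]


def build_sample(root):
    """Construct a tiny fake system: one package-owned .exe symlinked into
    the prefix, and one .exe that no package accounts for (placeholder
    bytes, not real executables). Returns (prefix_path, manifest_text)."""
    root = Path(root)
    created = 1_505_000_000                                # constructed time
    shipped = root / "usr/lib/wine/fakedlls/notepad.exe"   # constructed path
    shipped.parent.mkdir(parents=True)
    shipped.write_bytes(b"MZ placeholder shipped by a package")
    os.utime(shipped, (created - 86400, created - 86400))

    prefix = root / ".wine"
    system32 = prefix / "drive_c/windows/system32"
    system32.mkdir(parents=True)
    (system32 / "notepad.exe").symlink_to(shipped)
    (prefix / "system.reg").write_text("WINE REGISTRY Version 2\n")
    os.utime(prefix / "system.reg", (created, created))

    dropped = prefix / "drive_c/Program Files/PDF_Reader/com7.exe"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"MZ placeholder that no package owns")
    os.utime(dropped, (created + 600, created + 600))

    manifest = os.path.realpath(shipped) + "\n"
    return prefix, manifest


def run_sample():
    """Build the constructed sample, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix, manifest = build_sample(tmp)
        created = os.stat(prefix / "system.reg").st_mtime
        return triage(prefix, parse_manifest(manifest), created)


if __name__ == "__main__":
    for finding in run_sample():
        flag = "package-owned" if finding["package_owned"] else "UNEXPLAINED"
        print(f"{flag:14} {finding['path']}  sha256={finding['sha256'][:16]}..."
              f"  newer_than_prefix={finding['newer_than_prefix']}")
```

On a real system you would replace `build_sample` with the actual prefix path and the saved `rpm -ql` output; the `system.reg` timestamp is used as the prefix creation time because Wine writes it when the prefix is first created, so a file that is both unowned and newer than that point was introduced after setup rather than by the packages.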
SquareAperture
Level 2
Posts: 28
Joined: Sat Sep 02, 2017 12:30 am

Re: Malware (RansomWare) in Wine installation.

Post by SquareAperture »

!! Talk about timing: Didn't happen to install CCleaner did you?
CCleaner: Company distributes official release laden with malware