installed a program, clamav reports win.trojan.ramnit

Post by a-sam »

I made a mistake: I installed a Windows program in Wine that's basically a GUI to Bootstrap; the program was called Mobirise. Unfortunately I didn't check it first before installing and running it briefly. When I did check it, ClamAV detected 2 trojans:

/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND
/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5WebKit.dll: Win.Trojan.Ramnit-6196 FOUND

Does anybody know about Win.Trojan.Ramnit? And could that conceivably be dangerous to Ubuntu 14.4 when installed with Wine? I immediately uninstalled it, deleted the ~/.wine folder, then uninstalled and reinstalled Wine with Synaptic. But since I had briefly tested Mobirise I freaked!

What chance is there of malware having been installed on my system through that? The install of Mobirise in wine never involved the use of sudo, but I wonder if there's any chance of my normal user having been compromised with a keylogger or some other crap.

And if anybody has specific info on what Win.Trojan.Ramnit is and what it's designed to do, please tell me!

Thanks in advance for any help, I'm freaked out about this!!

Ubuntu Studio 14.4 Trusty 64 bit

Post by dimesio »

a-sam wrote: And if anybody has specific info on what Win.Trojan.Ramnit is and what it's designed to do, please tell me!
http://lmgtfy.com/?q=win.trojan.ramnit

Post by a-sam »

I don't know what to say to that. Yeah, I searched a lot. What I was asking was whether anybody has first hand info, not how to do a google search. I thought that was clear when I said "specific info" but maybe it wasn't. So I'll ask it differently:

If anybody has had any experience with ramnit, wine and linux, or if you know enough about ramnit that you'd be able to say what it can do when it's installed in wine, please comment. Thank you a lot in advance.

Post by a-sam »

Look, I was slightly angry about that "how to google" comment, yes, but that's because I'm kind of freaked out here with this trojan. No bad intentions from my side though, I promise.

What I was trying to do was to get some feedback from people in this forum because I'm sure that many people here know a *lot* more about wine than I do, and may very likely have lots of experience with windows (I have none). Putting those together I was asking for help in this very specific situation where ramnit may (assuming it was not a false positive) have been installed.

To try to understand what I can do to eliminate it short of, well, there is no option of reinstalling the OS because since I didn't use sudo at any time I seriously doubt the OS was damaged. The question was about what potential damage ramnit can do if it infects---if it can infect---an ubuntu home folder, via wine.

And also please, I'm trying to ask whether or not it might have left any malware in my home partition that I should be concerned about, even after I deleted the ~/.wine folder and reinstalled wine.

Post by dimesio »

a-sam wrote: And also please, I'm trying to ask whether or not it might have left any malware in my home partition that I should be concerned about, even after I deleted the ~/.wine folder and reinstalled wine.
How on earth would we know? We can't see what's in your home directory. Scan it with ClamAV or some other virus detector.

If you're asking theoretically whether the malware could have written something outside the wineprefix, the answer is yes, of course. Apps running in Wine can do anything your user can do.

Post by lahmbi5678 »

Hi a-sam,
next time please upload the suspicious file to VirusTotal.

It may very well be a false positive, see
https://www.dropboxforum.com/hc/en-us/c ... Webkit-dll
https://community.spiceworks.com/topic/ ... as-rootkit
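
A triage sketch for the two points made in the replies above (a Wine app can write anywhere the user can, and a flagged file should be checked against a second opinion), added here as an example that is not part of any post in this thread. The function names are hypothetical and the sample input is the clamscan output quoted in the first post; it parses the FOUND lines, hashes a flagged file for a lookup by hash, and lists files outside the wineprefix modified since a given time.

```python
import hashlib
import os
import re
from pathlib import Path

# Constructed sample: the two clamscan result lines quoted in the first post.
SAMPLE = """\
/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND
/home/myusername/.wine/drive_c/Program Files (x86)/Mobirise/Qt5WebKit.dll: Win.Trojan.Ramnit-6196 FOUND
"""
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_clamscan(output):
    """Return (path, signature) pairs from clamscan 'FOUND' lines."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def sha256_of(path):
    """Hash a flagged file so it can be looked up by hash before it is deleted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def changed_outside_prefix(home, prefix, since):
    """Files under home, outside the wineprefix, with mtime >= since (epoch seconds)."""
    prefix = Path(prefix)
    changed = []
    for root, dirs, files in os.walk(home):
        # Skip the wineprefix itself; everything else the user can write is in scope.
        dirs[:] = [d for d in dirs if Path(root, d) != prefix]
        for name in files:
            p = Path(root, name)
            try:
                if p.lstat().st_mtime >= since:
                    changed.append(str(p))
            except OSError:
                continue  # file vanished or unreadable; ignore for triage
    return sorted(changed)

if __name__ == "__main__":
    for path, sig in parse_clamscan(SAMPLE):
        print(sig, path)
```

Modification times can be rewritten by any program running as the user, so an empty result narrows the search rather than proving nothing was written.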

Post by a-sam »

Thanks @lahmbi5678, I discovered VirusTotal while investigating this. Unfortunately I had already trashed the original exe, but I did go the next day to the same URL and downloaded it again, then checked that with VirusTotal, which detected no malware. So it does seem likely that it was a false positive. Not guaranteed of course, but likely. Anyway, other checks I've done over the last few days (damn, this ramnit wasted a lot of hours, whether real or not) tend to indicate that there weren't any changes to any files.

[edit] Thanks a lot. I just checked those links and one of the items flagged in my case by clamav was Qt5Webkit.dll. The other was seemingly closely related (Qt5Core.dll) so I really appreciate your comment.