SirCam on Linux via WINE

illusion_2K writes "Another monumental step forward for Linux - the SirCam virus now works on Linux via WINE. ("With a few ommissions")" Allright I had to post it. Thats damn funny. We can emulate worms if we want to!

When?

[flikx]

When will I be able to enjoy being infected by outlook viruses under FreeBSD? People will think I'm weird if I don't send along personal documents.

Now let's fix it

[GrouchoMarx]

Cool! Now for a real coup, alter WINE so that it doesn't have all these vulnerabilities. (Should be reasonably straight-forward, just put proper checks in to keep VB scripts from accessing certain parts of the system.) I can see the marketing now: "Runs all Windows programs, except the viruses!" "It's Windows, but safer." "Virii? We don't run no steenkin virii!"

Re:Why is this important?

[1010011010]

Seriously... whats up with this?

Humor. H-U-M-O-R.

"Haha, Linux has to run Windows viruses under emulation, otherwise it wouldn't have any."

Re:Heh...

[Dwonis]

Boot time. IIS "reboots" much faster under under WINE than under Windows.

The major barrier to virii...

[gusnz]

Now, all we need is an Outlook user simulator package that automatically opens executable attachments if it's asked for advice :)

If I see another moron use "virii"...

...I will kick his or her ass. The proper plural for "virus" is "viruses". "Viri" and "virii" just make you look stupid. Please read this informative article for background information. Thank you.

Re:If I see another moron use "virii"...

[Tony-A]

No, the plural of virus is Microsoft.

Not Quite

[Jerry]

While I noticed that SirCam infected email did fire my Wine program the results were a dud. The effect was that SirCam was exposed but not functional, and I was able to explore it's code without fear. There were no registries to infect, no exchange list to exploit, and the "hidden" trojans were easily seen and removed.

SirCam it totally harmless on Linux under Wine.

Re:Not Quite

[rtaylor]

Sircam is completely harmless on Windows too -- until you let the users get involved who run the damn thing.

as long as there are bored people in the world...

[BlueboyX]

As long as there are bored people in the world, there is hope. Granted, emulating virii isnt exactly helpfull, but if we have enough time and energy to do things like this, stuff that really is helpfull will continue.

Well, I guess this project was good for a laugh. That always helps. :>

[W]ine [I]s [N]ot an [E]mulator

[Puk]

I bet this comes up with every wine post, but according to the name, the sourceforge page, and one of the the FAQ answers, WINE is not an emulator. Much like GNU is not UNIX. :)

-Puk

Re:[W]ine [I]s [N]ot an [E]mulator

[mother_superius]

It is also well-known as WINdows Emulator.

Re:[W]ine [I]s [N]ot an [E]mulator

[Cloud+K]

True, true. But stop being so picky!

Which would you rather say...
"We can emulate Windows viruses if we want to"
or
"We can use a program that implements the Windows API on top of X and UNIX (although GNU is not UNIX, so we're implementing it under GNU/Linux really) to run a Windows based virus"

Personally I'm willing to sacrifice being 100% accurate and correct in a case like this :)

Re:[W]ine [I]s [N]ot an [E]mulator

[Puk]

Fair enough -- you've got a good point. We should be able to come up with something more concise than that thing, though. :) How about "now Linux can suck as much as Windows" or "now we can run those superior Windows worms"?

"You have been hit by the UNIX virus! It works on the honor system. Please forward this message to everyone you know and delete a bunch of your files at random."

Ah, what the hell, it's fine as it is. ;)

-Puk

Dude..you don't understand...

[S1mon_Jester]

Up to now...Windows advocates have been complaining that Linux just doesn't have the power of Windows. Listen to this Windows advocate:

Well, um...like Linux is weak. It don't get those Windows viruses at all. Damn, if it can't do that, why should I be a-using it? My operating system has to be corruptiblable, ya know?

Now...finally, we have something to show them! That SirCam CAN affect Linux (in emulation mode at least).

Re:Dude..you don't understand...

[verbatim]

I don't /care/ what lusers think. In fact, most users should be using whatever does what they need it to do (be it Windows, Linux, BeOS, whatever).

Quite frankly I am fucking tired of people trying to be the next Microsoft. Redhat, Caldera, Corel, whatever... and it's not even about the money. Look at distributions like Slackware...

Get it through your heads - there doesn't have to be one cure-all operating system that everyone has to use in order to be 'uber-l33t'.

Business doesn't give a rats ass about technical specs, as long as the total system is a benefit to the company.

On another forum, a few minutes ago, someone asked about setting up a small mail server (maybe 20 users or so). The typical smart-ass answer of "install linux with sendmail/postfix/intermail/whatever" came across. The guy said he needed it done ASAP and would rather just do it on NT. Is there anything wrong with doing that? Umm.. no.

My original point (which has been moderated into oblivion, as I assume this will be too) is that it doesn't make ANY rational sense to be trying to get a MALICIOUS program running on your system.

Public opinion means jack shit if it doesn't work the way it is supposed to. As long as it works, is reliable, and is (relativly speaking) easy to maintain, who cares what makes it go.

Yeah, this article reeks of "*hyuck* *hyuck* look what I can do"...

Bah.

GPL

[Laser+Lou]

That's great. I suppose the next step now is to get the GPL "Virus" to work on Windows.

Great

[LazyDawg]

Now even Linux users can enjoy the benefits of the Microsoft Virus Infection Layer in their otherwise high quality operating system.

This is a big step for Linux's acceptance as a Desktop operating system. We NEED more clueless newbies out there using Linux and saying "fuckit, I think there's a virus on your/my system. Time to reinstall KDE."

In a few months even Outlook will be available to Linux/Wine users, so too will be the full Universal Virus Infection suite of tools from Microsoft.

My only question is, how much longer until we have kernel-level support for VBA and Microsoft Scripting?

Sue them?

[aozilla]

I just wonder, all those people who advocate suing Microsoft for the SirCam virus, should we now sue the makers of WINE as well?

Makes perfect sense to me...

[Ungrounded+Lightning]

My original point (which has been moderated into oblivion, as I assume this will be too) is that it doesn't make ANY rational sense to be trying to get a MALICIOUS program running on your system.

It makes perfect sense to me, with a couple of changes of emphasis.

It makes sense, when writing an emulator/compatability layer, to TEST whether a malicious program will run, for two reasons:

Discovering whether the emulation is close enough that the emulator is also vulnerable to the malicious software.

Discovering whether the malicious software fails because it depends on a feature - necessary for some NON-malicious programs - which is not correctly emulated. (A malicious program may use a little-known or undocumented "feature" - perhaps one that's been keeping some popular apps from working correctly.)

But beyond debugging the emulation there are additional reasons:

Running the malicious program in the (open-source) emulation environment may provide additional insight into its operation, leading to better defenses, both for the emulation and the original environment.

It's FUNNY!

That's four separate reasons that this makes sense.

Done that..

[sakusha]

This has been a known problem for years amongst Mac emulator users. Virtual PC and other emus are suceptible to viruses just like on a native PC. I just run standard PC antivirus tools.

One of the advantages of using Mac PC emulation, I can just make a backup copy of my PC volume, save that state, if I have a Windows problem I just ditch the corrupted volume and use the backup.

Re:Done that..

[Webmonger]

That's cool, but what you describe sounds like making a disk image, which can also be done natively on Windows boxes. The tool I know is Norton Ghost. And of course, there's always Gnu dd. . .

We can emulate worms if we want to!

[Nailer]

Why emulate when Linux already has such a wide selection to choose from?

* L10n

* Adore

* Ramen

* Sadmind

* Cheese

They'll run faster and fully featured natively.

Re:We can emulate worms if we want to!

[nchip]

* Sadmind

Except that Sadmind is a solaris / NT worm, not a Linux worm. Please study the facts before posting.

sadmind/IIS details

Emulating bugs

[os2fan]

One of the things about Win-OS/2 was that it was bug for bug compatible with Windows, even down to emulating the 3.11-3.10=0.00 bug in the calculator.

The sad thing about Windows bugs is that you don't need to go to the back door to do damage. There's enough to be seen to do it through the front door now.

Maybe SirCam did not work because when the damage was passed down to the underlying OS, Linux did not want to play ball: and isn't that WHY we run emulators.... :)

To all you sanctimonious Linux users...

[Robber+Baron]

To all you sanctimonious Linux users who used to sneer at "dumb windows users" who allow virii into their systems, I have this to say:

Pfffffffffffffffffftttttttttttttttttt!

Re:Low Tech Linux Virus (DO NOT READ)

[knorthern+knight]

You have just received VERSION 2 of a low tech virus via http.

Since we're not so technologically advanced in Linux this is a MANUAL virus.

Please forward this in e-mail to everyone you know
*AND THEN* delete all files on your hard disk yourself.

That's better.

Re:Yeah but I can't get AOL 6 running

[shyster]

It loads [win2k AOL 6] but it doesn't connect.

Well, I guess that's the next virus WINE developers need to work on. It is, after all, the most popular Windows virus.

what to reply to a dork who sends you sircam

[zyqqh]

here's my form letter for replying to addresses i get sircam clones from:

+++
Subject: advice

Hi! How are you?

I send you this advice in order to not have your files

See you later. Thanks
+++
Attachment (named advice.txt.bat):

@echo off

echo Your computer is infected with the "sircam" virus, and has been
echo repeatedly emailing addresses on hkn.eecs.berkeley.edu
echo with large attachments. Please clean up the virus ASAP.
echo You can find more information on how to do this at:
echo http://www.sarc.com/avcenter/venc/data/w32.sircam. worm@mm.html

:Loop
goto Loop

Linux = saved money = power for the people

[os2fan]

It's nice that MS did denote 10 millions here and there. Makes good publicity, doesn't it. If you really want to be a patriot, you could use open source and denote $100 to the cause, rather than give someone else the money and let them donate it under their name.

How much did they give to underwrite airline insurance premiums that suddenly went up for this, which is where some of my taxes went to.

How much did they give to victims of failed companies.

No, MS donating money makes them look like goodies, and they donate it where it gives them an advantage. I mean, it's a fairly cheap ad for them: Yes, we are giving half an hour's profit, look at how good we are. Don't hurt us...

money for MS = protect monopoly
free Linux = money for people to spend.
Linux = saved money = power for the people

Re:Linux = saved money = power for the people

[os2fan]

>he was a OS/2 freak.

Yeah, I was too. Still am. OS/2 did not have that stupid 504MB limit when Windows and DOS did. So I can see 2G of hard drive under OS/2 and 2 * 504 under Windows. Yeah, OS/2 crashes, it has bugs. I've seen its Black Screen. I've completely trashed it. But it is still way better than windows. The current OS/2 is still better than the current Windows.

> win3.1 came about the time of os/2

OS/2 had a lot more in it than Windows and DOS did. You forget that among the 28 disks was 10 for the inbuilt DOS/Windows emulator. Numbers of disks do not dictate usability in any case. It was at that time that most people did not have cdrom drives.

The latest version of OS/2 installs from an OS/2 session. In essence, you boot from the CDROM, and it loads a full GUI, where you can do things as if it were from the hard disk. One of the applications is to install it. Now THAT's user friendly. Link, you're not grubbing around with a command line interface and no gui.

> PC's got accepted in the house because you could play cool games on them. At the time (1992) we had typically 4MB ram, and Windows would gobble 2 of them. So you played under DOS. But then you start games from a DOS character menu.

>I agree, so what was your answer? Lemme guess, all MS right?

My current shop is MS. My former one was OS/2 server and PC-DOS stations.

>..., but happy for MS to send the same amount...

This is the same company that sent the lawyers around onto charities that were recycling PC's to underprivledged kids. Hmmm.

>>The other thing is that MS has been getting some very BAD publicity in relation to WTC. You see, the FlightSim is a fairly accurate representation of many cities, and provides a fairly easy way to learn your way around the skylines of a city. This point has not been lost on Sky TV.

Have not found a link for this: I saw it on the television.

>I mean jeesh Dos can't read HPFS.

Actually, you can load a driver for it, and read and write to it. Installable file systems started with DOS 4. It got a bad name because it took up a megabyte of ram when computers typically came with just 4 MB. NTFS is based on HPFS.

The sad thing is, to do anything useful with a Windows computer, you have to do it from DOS, and load NTFS drivers from there. Try Here for the goss. I can boot OS/2 with the proper drivers from floppy disks: this point is lost on most MS users.

>Again I go back to my point of a single vendor for all your products.

So why not Aptiva PC + OS/2 + Lotus Smartsuite, all from IBM :), or Sun box. Having all the products from the same user is not going to make users use style sheets, and not press return at the end of the line.

MS has no incentives to fix bugs unless they get bad publicity. The calculator thing from Win 3,0 was not fixed until Wall Street Journal ran a story on it. The bugs documented in the Tech data base from NT 3,1 still bug me under win 2K. But they now put some sort of web browser on it, which is pretty stupid if there's no wire to the net, or the thing's a server.

The real reason that people leave the single vendor option is that they're too expensive. Apple Macs never got a big share of the market because they were too expensive, and it was only that Compaq cloned the IBM BIOS that made the PC market competitive. The MS office suite is way overpriced compared to its competitors, but because they offer it as a cheap OEM option, things change. But I have seen Word and Excel trash documents beyond belief. And because the format is secret, it is not recoverable by anyone.

The same people who make this, I presume will willingly pay more for genuine Ford/GM parts for their car too ...

>I did what I could. You really gotta quit makin personal presumtions about me and just stick to the debate OK?

Not you in particular. No, the big trouble since the seventies is this culture that the big boys will look after the big things in town. I mean, we don't have the culture that spawned greenpeace or the nuclear disarmemant any more. About the only things going for people involvement are TeamOS/2 and Linux

But the thing is you have to stop beating MS's drum. Sure they gave 10 million. And you going around saying this is giving them free publicity. Yes, MS waves the flag: look, aren't they good. It's 5 million in cash and 5 million in tech. I suppose that 5 mill is in street prices, not what they get. I mean, I could give out licences of my product, and say I am denating it at street prices.

The actions of MS deserves to be viewed with healthy cynicism.

>When I do my /. posts if i'm including links i'll use frontpage

I just type the mark up direct: {a href="url"}linkword{/a}. But then, I type most formatting and styling as I go. For this, Amipro had an intellegent use of the function keys as separate styles: F2-F9, F11, F12 were all different style keys, defined in the style sheet. Bold and Italics via ^B and ^I.

Re:Linux = saved money = power for the people

[os2fan]

I know - It kept me in a job too. :)

But then I had to spend a week playing around with sectors on my home machine trying to recover the root directory, because Windows 95 thought it wasn't needed. Oh well.

You see, most of my time has been spent as a user, not an administrator. You can't reinstall data.

The other thing I find amusing, is that these people who push MS products preach about the latest hot fix, without realising that they're as old as the hills, even on the PC.

I mean, 4DOS has command line completion, popup directory history, command history, aliases &c since 1992. You can get some faulty file-name completion in Windows NT if you fiddle around in the registry. The reason that OS/2 users go on about their system is because it DOES so much more than Windows. And between DOS, Windows, OS/2 and Unix/Linux, and Mac there are whole different gardens of ideas growing. Keep it that way, and preserve and respect the differences.

Re:Linux = saved money = power for the people

[os2fan]

>95/98/me was dosshell.com renamed into win.exe. dosshell was a stripped down version of win1.0 (remember the neat little 8086 add on card they gave you with that?) Dosshell is a enhanced mode version 3.0, actually. Win.com is just a loader for the Windows operating system. It picks the correct extender and kernel. The bulk of widows lives in WIN386.EXE, or DOSX.EXE. DOSX also comes with DOSSHELL. WIN386 fills the role of IO.SYS for Windows - loads the VxDs and then the shell. The one program that WIN386 was intended to run was KRNL386.EXE, which then loads the rest of Windows.

The base of Windows was intended to be a 32-bit DOS, with WIN386.EXE being DOS386.EXE. You can run command.com as krnl386.exe. In Windows 3.1, you can have a batch WINSTART.BAT. Make up a batch with the one line "command". This will start what is essentially a 32-bit DOS. If you run Win.com under this, you see some interesting messages :) Check out Shauram's "Undocumented DOS" >Anyways NT is how MS does things right. VMS blows Dos, away. Remember, dos had that little 640k thing, VMS didn't. 3.51 was ok, 4.0 was a bit better. 2k was done right sans the recent wave of IIS exploits.

It's actually OS/2, right down to the hacked file system. It was originally meant to be called NT OS/2. The NT3.x boot sector was in fact the OS/2 1.3 boot sector, and the inbuilt OS/2 support, unlike the DOS support, in the main, bypasses the Win32 layer and goes down to the kernel. Have you wondered why, when MS was so villiating OS/2 in 1995, that NT should support OS/2 16-bit applications, even today.

So in reality, vers 3 of NT was vers 3. Version 1 and 2 were under the MS-OS/2 banner, which is referred to in the NT help system.

>WordPerfect is good, but not as good as Office2k.

Word perfect at the time was better than Word at that time. It was designed to work the way that office secretaries did. It was fast and clean on the limited word processors, and the version back then had a lot more grunt that the latest version of word has now. I mean, WP had spreadsheet functions in its tables. But MS's white-box placing of Word onto OEM pc's did a lot to kill the competitiveness of the other systems.

>I've seen a lot of open source projects go through 2 or 3 revisions, then they get dropped before they could even be considered a stable alpha.

It's just a matter of prospective, really. A stable alpha open-source thing is more stable than a gamma commercial release. The 32 bit file access in Windows 3.11 is alpha code. The reply for it was if it does not work, turn it off.

>MS is cool, that wouldnt happen to be a IE browser you're using would it :P Yes, it is. But it's not my machine. it's more that MS has fixed sites so you can't get there unless you have IE.

>It's not MS's fault big blue stuck with their normal mentality of "we're big blue and invincable"

Big Blue lost an anti-trust case as well, and their behaviour since then has been strangled by the imposed conditions. The lessons of this and AT&T are guiding the MS remedy, actually.

MS owes their existance to some Judge telling Big Blue to outsource. They got the operating system contract for the PC. IBM were going to control the BIOS inhouse, but Compaq put paid to that. The rest is history.

Re:Linux = saved money = power for the people

[os2fan]

It's OK with the two replies. Thanks for the songs. But I have never been one to wave the flag in front of the troops: I leave that for the boys.

Democracy flourishes because people choose to disagree. That you and I continue to hold our own divers views, and not come to blows over it is what democracy is all about. That we hold our views strongly means that we care for our views, however different, and that's important, too.

Yes, it has been nice debating with you, and I hope you find something that will keep you in money. Loosing one's job is fretting, I have done it many times myself.

So be happy, and hope the sun smiles on you.

Another historic milestone

[dsplat]

I can't believe that no one has posted a reference to the Jargon File entry for the bug-compatibility standard that WINE has now met:

bug-compatible adj.

[common] Said of a design or revision that has been badly compromised by a requirement to be compatible with fossil s or misfeature s in other programs or (esp.) previous releases of itself. "MS-DOS 2.0 used \ as a path separator to be bug-compatible with some cretin's choice of / as an option character in 1.0."

Re:Article about Linux and Nimda/RedCode in spanis

[unitron]

"The article are in spanish..."

That's alright, so are some of the Sircam emails that I get.

Whines new slogan

[panic911]

"so good, it can emulate windows worms flawlessly"

I don't know if I should be impressed or flabbergasted :p.

Linux Virii and Secure/Intelligent Computing

[doorbot.com]

I think we can agree that most Linux users are "intelligent" computer users, ones who like to get the most out of their computers, and ones who have extensive experience using those computers and various applications (under whatever OS).

Can we therefore also agree that Linux users practice more intelligent computing, and if there was a Linux virus that went around hosing installs, most Linux users would not get it because at the least they would know to not open any old attachment and run it?

Granted, many people don't know how to (or that they should) secure their systems, and some even login routinely as root. (!)

But are Linux users less prone to email-born worms/viruses?

I would argue that they are. Personally, I do not run virus scanning software at all. Not on my Mac (haven't for years and years), not on my Linux box, and not on my Windows 2000 Pro machines. Instead, I practice safe computing.

On Windows, that involves disabling VB scripting, locking down various portions of Outlook and IE, and installing the latest patches (SR1/2 for Office, IE updates, etc).

I'm not the "average" user but I think that most tech-heads can do this (and therefore Linux guys and gals).

Re:Linux Virii and Secure/Intelligent Computing

[darkonc]

The problem isn't just that windows users are dumb. The problem is that both windows users and windows are dumb. People doing default installs and installing the default patch kits for windows are getting hit with months-old bugs. Microsoft has, by hook or crook, made it non-intuitive for people to get a reasonably secure system set up. Many seem to end up accidently enabling an unpatched IIS that they don't even know is there to be patched.

When I set up Redhat 7.1, on the other hand, the 'medium' security setup was so secure, that I had to do some work to enable sendmail and the web packets through ipchains. I think that this is a far better result for unknowledgable users than the microsoft "just bend over and relax.. nothing's going to happen" attitude

As for people who routinely login as root, they at least have to know enough (on redhat) to turn of the 'annoying' warning about logging in as root. This is kinda like the navy pilot who thought "It'd be a lot easier to land if the turned of the wave off lights" (needless to say, he lost his wings).

A well designed system can do only so much about a dumb user, but we should at least ask for a well designed system.

Emulation for Studying Virus

[EXTomar]

An interesting question could be can WINE be used to study virus like SirCam with a mimizing risk to the computer since its a "virtual" installation? Loosing one of your WINE installations can't nearly be as bad as loosing a real install. If the process goes run away it should be easy to kill it, erase the setup and reinstall.

Worms have run under Wine for a while

[Ed+Avis]

I ran a worm that was going round about a year ago. It displayed the pretty fireworks just fine, but didn't seem to 'infect' anything (unsurprising, since my Wine C:\ drive was empty and I didn't give Wine access to anywhere else). I don't know whether it could successfully send stuff across the network - I unplugged the Ethernet jack first :-).