Running Windows Viruses Under Linux

ResQuad writes "Everyone loves Windows viruses, right? Well, the crazy people over at NewsForge (owned by the same people that own Slashdot) decided to try running Windows viruses with Wine. So next time you receive an email virus, strike up Wine and see what you can do (or not)."

That's awhole lot of differences

[Dark+Coder]

True AV and AT (anti-trojan) SW engineers uses VMWARE for their studies and dissemination of malacious flotsam of codes floating around the internet.

But the article is "A Good Thing" because it shows EITHER that Wine isn't 100% Microcrap or is more robust against viruses.

Take your pick.

Done it. It works. Kinda.

[Frater+219]

This past December, one of the engineers at my workplace gave a presentation on WINE. Since I'm the security guy, somone asked me if Windows viruses ran under WINE. So I tried three: Lovgate, a Mydoom variant, and a Netsky variant.

Lovgate simply exited without doing anything. Mydoom actually crashed WINE into its debugger. The Netsky variant, as the article describes (SomeFool is Netsky) actually ran. Moreover, it did a passel of DNS queries and actually tried to send e-mail (which was rejected). So, if that e-mail had been accepted, Netsky would have been able to propagate under WINE. As in the article, Ctrl-C proved necessary and effective.

To make a long story short, yes, some Windows viruses do run under WINE. Of course, you have to tell WINE to run them -- not exactly the social engineering that viruses are intended to do. However, as WINE gets more popular and reliable, I would expect that this will be more of a problem for people who choose to (e.g.) run Outlook in WINE.

(For what it's worth, WINE isn't the only way to run Windows viruses and worms on your non-Windows system. I've had to explain to users that yes, their VMware or Virtual PC system is quite capable of getting wormed, and that yes, they did need to do their Windows Update on that "virtual" Windows system, too.)

Re:Done it. It works. Kinda.

[kevcol]

Not 'kinda' here.

Propogated.

I executed a viral attachment once about 4 months ago, and then forgot about it ("Haha! That can't possibly work."). A couple hours later, my 'abuse' address had a complaint. Source IP was my SuSE workstation. Thunderbird even deep-sixed a spam that was sent by my own machine to me. D'oh!

Re:Native ports now!

[morcheeba]

I used to work for a 5-person company. We easily ported our main ap to linux, but a critical tool we used to build our code was developed for windows. It was gui-centric, so a port would be difficult, and besides, all the programmers were algorithm people, not gui people. Wine was a godsend - our old tool just worked, and it saved us a lot of time. Boycotting ourselves wouldn't have gotten us the needed people to port it.

Wine devs test for this

[bluGill]

At the last WineConf (almost exactly one year ago) some of the Wine developers were testing the hot mail virus of the day to make sure it ran. That was the one that activated as a DDoS on www.sco.com. It ran, and after putting making www.sco.com resolve to 127.0.0.1 in /etc/hosts it attempted to take down the local machine.

We also found the back door, and came close to getting arbitrary programs to run from it, but supper came before we got that part working. We think it would have worked if a free meal hadn't gotten in the way.

So now you know. If a windows virus doesn't run under wine you can thank CodeWeavers for buying everyone a meal before we got it implimented.

The Sound of One Hand Clapping

[4of12]

So, if WINE fails to properly run a Windows virus under Linux, is it considered a bug or a feature?