Hi, I just tried to run some "Malware Checker" just for fun in Wine, just out of interest how many infected files it will find on a fresh .wine setup. Bad security habit, I know :-| . This app was the "ErrorSafe Scanner" from http://de.errorsafe.com/pages/scanner_de/index.php?aid=fastint_at_de_lng_ed2... Don't blame me for system breakage if you go there ;-)
Well, I ran it in a fresh .wine with my unprivileged testing user (forgot to remove the Z:\ drive :-( ). It started without showing anything, and created some autostart registry entries. As it couldn't be killed with Ctrl+C, I looked at the processes with ps to kill it. Well, I found a lot of "ErrorSafeScannerInstall_de.exe -nag", but also this:
8835 pts/2 S+ 0:00 sh -c ping -w 1 instlog.errorsafe.com >/dev/null 2>/dev/null
8836 pts/2 S+ 0:00 ping -w 1 instlog.errorsafe.com
Well, it also showed a few wininet fixmes: fixme:wininet:InternetCheckConnectionW
Is there something in Wine which executes the Unix shell to run ping, redirecting all output to /dev/null ? Or did this malware know about Wine and Linux, and started the native apps, with the redirection?
Well, I will now do a complete security check on my whole Linux box :-( (That's bad security too, I know, I should flatten the whole system)
BTW, that malware is described here: http://www.symantec.com/avcenter/venc/data/errorsafe.html. This page seems to describe an older version, as the registry entries were different.
Stefan
> 8835 pts/2 S+ 0:00 sh -c ping -w 1 instlog.errorsafe.com >/dev/null 2>/dev/null
> 8836 pts/2 S+ 0:00 ping -w 1 instlog.errorsafe.com
> Well, it also showed a few wininet fixmes: fixme:wininet:InternetCheckConnectionW
This was a false alarm: as mike_m has spotted, these ping calls and the redirection come from Wine's wininet, InternetCheckConnectionW in dlls/wininet/internet.c line 2750.
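One way to check such an attribution on a live system, added here as an example and not code from the thread or from Wine: walk the parent chain of the `ping` process and see whether a Wine process is among its ancestors. The Wine-process markers and the sample process table (pids made up, command lines mirroring the ps output above) are constructed assumptions.

```python
# Added example (not from the thread): walk the PPid chain of a suspicious
# process so "sh -c ping ..." can be attributed to a Wine ancestor (wine,
# wine-preloader, wineserver or some .exe) rather than to a native program.
import os
import re

# Assumed markers for "this process belongs to Wine"; adjust for your setup.
WINE_MARKERS = re.compile(r"(wine-preloader|wineserver|\bwine\b|\.exe\b)", re.I)


def read_proc_table():
    """Build {pid: (ppid, cmdline)} from /proc (Linux only)."""
    table = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as f:
                ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, StopIteration):
            continue  # process vanished or is not readable
        table[pid] = (ppid, cmdline)
    return table


def ancestry(table, pid):
    """Return [(pid, cmdline), ...] from pid upwards until the parent is unknown."""
    chain, seen = [], set()
    while pid in table and pid not in seen:  # seen-guard against bogus cycles
        seen.add(pid)
        ppid, cmdline = table[pid]
        chain.append((pid, cmdline))
        pid = ppid
    return chain


def spawned_by_wine(table, pid):
    """True if any ancestor of pid (pid itself excluded) looks like a Wine process."""
    return any(WINE_MARKERS.search(cmd) for _, cmd in ancestry(table, pid)[1:])


# Constructed process table mirroring the ps output in the thread (pids are made up)
SAMPLE = {
    1: (0, "init"),
    8800: (1, "wine ErrorSafeScannerInstall_de.exe -nag"),
    8835: (8800, "sh -c ping -w 1 instlog.errorsafe.com >/dev/null 2>/dev/null"),
    8836: (8835, "ping -w 1 instlog.errorsafe.com"),
    9000: (1, "ping -w 1 example.invalid"),
}
```

On a real box, `spawned_by_wine(read_proc_table(), <pid of ping>)` does the same walk over /proc.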