Hi,

Seems like I just became the victim of the first infection of a Windows virus on Wine :-( . I got infected with some virus called W32.Parite.B.
Unlike most of the beasts out there it is a real virus that attaches itself to existing .exe files, not a stand-alone worm. I caught it yesterday on a small private gaming session. I didn't have Warcraft 3 installed, so instead of installing and messing with patches I would have had to download, I decided to copy an existing installation over. That seemed to work fine at first :-/
What we noticed pretty fast was that at least 3 Windows boxes were infested with a bunch of malware, and were trying to infect each other over network shares. The virus alert messages popping up made playing impossible. The obvious solution: disable the virus scanners.
So with the protection disabled those Windows boxes were able to play, and everything seemed to work fine. I noticed that something was wrong when my Battlefield 1942 crashed, which had worked a few hours before when I tested my new patches for regressions. ClamAV showed a W32.Parite.B infection in bf1942.exe.
That virus wasn't only in bf1942.exe; I found it in the war3 installation I copied over too. Looks like it came from there. I found it in all .exe files on my fake C:\ drive, except for our fake .exe's in C:\windows\system32. Looks like it didn't like those. Next I had a look at my real Windows installation mounted in /media/windows, and found it infected too. Well, that was easy to clean up with a mkfs because I didn't have anything valuable in there. The thing that is rather bad is that it infected my downloaded game demos and other files on my home drive. Luckily I didn't have my external hard drive with the rest of my stuff attached when I ran Wine.
So I've now deleted my Wine installation, Windows installation and all .exe files on my disk. I'm scanning my whole Linux drives to be sure, but I didn't run Wine as root and I'm confident that the Linux file security prevented the worst problems.
To summarize, I got into trouble mainly because I ignored the basic security guidelines. I ran executables from a really untrustworthy source, knowing that my friends' Windows boxes are in bad shape quite often. My real Windows installation got infected because I had it world-writable for no real reason. On the bright side, running as a least-privileged user prevented the worst problems.
If anyone wants to play around with that virus, I kept my infected GenuineCheck.exe :-)
Stefan