TLDR: the wine-staging package may contain malware (Win.Packed.Razy-9879251-0). I’ve no idea what the malware is or how it got there and could use some help figuring that out.
A recent update to the clamav virus database (17-7-2021) contained a pattern for Win.Packed.Razy-9879251-0. I ran a scan on my home directory and found the trojan in these files:
^^ The files come from Lutris, which provides multiple different versions of the wine binaries.
Just in case I scanned my root folder including /usr and found the malware in the following files:
/usr/lib/wine/x86_64-windows/wineps.drv
/usr/lib32/wine/i386-windows/wineps.drv
/usr/lib/wine/x86_64-windows/regsvr32.exe
/usr/lib32/wine/i386-windows/regsvr32.exe
^^ That suggests to me that the malware is in the wine-staging package supplied through pacman/pamac. I honestly have no idea where the malware came from in the first place though, so please take that with a pinch of salt.
I’ve removed these files and done repeated scans which now turn out negative.
My issue is I have no idea whether Win.Packed.Razy-9879251-0 affects Linux at all, how it would behave, or what to look out for to check that my system is no longer infected. I’ve tried searching for it but only found Windows tips in the search results.
Could anyone please help me?
Cheers!
P.S. Apologies if this post is in the wrong section or tagged incorrectly. This is my first ever post here. Please let me know how best to re-tag the topic and I’ll move it.
Wine binaries are known to trigger false positives with various anti-virus products, and having seen this same sort of thing before myself, my first guess is that this is yet another.
If you can recreate the files, I suggest uploading them to VirusTotal and Hybrid-Analysis, to get a better idea of their nature and to see what other AV products think of them.
I followed your advice and tried to re-create the files by re-installing wine-staging using pacman.
It reported warnings for 9 files, all of which were caught by clamav:
Pacman output
[me@me ~]$ sudo pacman -S wine-staging
warning: wine-staging-6.12.1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...
Packages (1) wine-staging-6.12.1-1
Total Installed Size: 464.68 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
wine-staging-6.12.1-1-x86_64 is up to date
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/mmsystem.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/regedit.exe
warning: could not get file information for usr/lib32/wine/i386-windows/rundll.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/system.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wineps16.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wing.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/winhelp.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/winoldap.mod16
:: Processing package changes...
(1/1) reinstalling wine-staging [######################] 100%
:: Running post-transaction hooks...
(1/5) Registering binary formats...
(2/5) Arming ConditionNeedsUpdate...
(3/5) Updating fontconfig cache...
(4/5) Updating 32-bit fontconfig cache...
(5/5) Updating the desktop file MIME type cache...
CLAMAV output
/usr/lib32/wine/i386-windows/krnl386.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/krnl386.exe16: moved to '/home/me/infected/krnl386.exe16'
/usr/lib32/wine/i386-windows/mmsystem.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/mmsystem.dll16: moved to '/home/me/infected/mmsystem.dll16'
/usr/lib32/wine/i386-windows/rundll.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/rundll.exe16: moved to '/home/me/infected/rundll.exe16'
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: moved to '/home/me/infected/regedit.exe'
/usr/lib32/wine/i386-windows/system.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/system.drv16: moved to '/home/me/infected/system.drv16'
/usr/lib32/wine/i386-windows/wineps16.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wineps16.drv16: moved to '/home/me/infected/wineps16.drv16'
/usr/lib32/wine/i386-windows/winhelp.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winhelp.exe16: moved to '/home/me/infected/winhelp.exe16'
/usr/lib32/wine/i386-windows/wing.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wing.dll16: moved to '/home/me/infected/wing.dll16'
/usr/lib32/wine/i386-windows/winoldap.mod16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winoldap.mod16: moved to '/home/me/infected/winoldap.mod16'
Hybrid-Analysis was fine with almost all of the files, except for regedit.exe, which passed the CrowdStrike Falcon test but not the MetaDefender test, with these results.
Gen:Variant.Razy.884857 (B) is a new one I’ve not seen before. Does anyone know if and how this would affect Linux machines?
I’m also a bit worried because it’s a completely new set of files.
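As an added triage step alongside the VirusTotal / Hybrid-Analysis uploads suggested earlier in the thread (example code written for this thread, not from the original posts, ClamAV or pacman): parse the clamscan log, ask pacman which package owns each flagged file, and check whether that file still matches the package database. It assumes an Arch-style system where `pacman -Qo <path>` prints "<path> is owned by <pkg> <ver>" and `pacman -Qkk <pkg>` reports altered files as "<pkg>: <path> (<reason>)" (those two output shapes are assumptions); the sample log is constructed after the clamscan output above.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# FOUND lines follow the thread's clamscan log; the pacman -Qo/-Qkk shapes are assumptions.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
OWNED_RE = re.compile(r"^(?P<path>.+?) is owned by (?P<pkg>\S+) (?P<ver>\S+)$")
ALTERED_RE = re.compile(r"^(?:warning: )?(?P<pkg>[^:]+): (?P<path>/\S+) \((?P<why>[^)]+)\)$")
Runner = Callable[[List[str]], str]  # argv -> combined stdout+stderr

# Constructed sample modelled on the thread's output, not a real scan result.
SAMPLE_LOG = """\
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: moved to '/home/me/infected/regedit.exe'
/tmp/unknown.exe: Win.Packed.Razy-9879251-0 FOUND
"""
def run_cmd(argv: List[str]) -> str:
    try:  # default runner: real pacman; a missing binary yields no output
        p = subprocess.run(argv, capture_output=True, text=True, check=False)
        return p.stdout + p.stderr
    except FileNotFoundError:
        return ""

def parse_clamscan(log: str) -> List[Tuple[str, str]]:
    """(path, signature) per FOUND line; 'moved to' lines are ignored."""
    hits = [FOUND_RE.match(line.strip()) for line in log.splitlines()]
    return [(m.group("path"), m.group("sig")) for m in hits if m]

def owning_package(path: str, run: Runner = run_cmd) -> str:
    """Package that installed path, or '' when no package owns it."""
    m = OWNED_RE.match(run(["pacman", "-Qo", path]).strip())
    return m.group("pkg") if m else ""

def altered_files(pkg: str, run: Runner = run_cmd) -> Dict[str, str]:
    """path -> reason for each file of pkg that no longer matches the package db."""
    out: Dict[str, str] = {}
    for line in run(["pacman", "-Qkk", pkg]).splitlines():
        m = ALTERED_RE.match(line.strip())
        if m and m.group("pkg") == pkg:
            out[m.group("path")] = m.group("why")
    return out

def triage(log: str, run: Runner = run_cmd) -> Dict[str, dict]:
    """Per hit: owning package and whether the file still matches it. An unaltered
    file from a repo package points at a false positive; an unowned or altered
    file is the one that deserves a closer look (hash lookup, sandbox)."""
    report, cache = {}, {}
    for path, sig in parse_clamscan(log):
        pkg = owning_package(path, run)
        if pkg and pkg not in cache:
            cache[pkg] = altered_files(pkg, run)
        report[path] = {"signature": sig, "package": pkg, "altered": cache.get(pkg, {}).get(path)}
    return report
```

Run `triage(open("clamscan.log").read())` on a real log; files that pacman owns and reports unaltered are the ones a reinstall will simply recreate, as happened in this thread.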