Wine-staging possible Malware (Win.Packed.Razy-9879251-0)

Hey there,

TLDR: the wine-staging package may contain malware (Win.Packed.Razy-9879251-0). I’ve no idea what the malware is or how it got there and could use some help figuring that out.

A recent update to the clamav virus database (17-7-2021) contained a pattern for Win.Packed.Razy-9879251-0. I ran a scan on my home directory and found the trojan in these files:

/home//Games/no-mans-sky/drive_c/windows/system32/spool/drivers/w32x86/3/wineps.drv
/home//Games/no-mans-sky/drive_c/windows/syswow64/regsvr32.exe

^^ The files come from Lutris, which provides multiple different versions of the wine binaries.

Just in case, I scanned my root folder, including /usr, and found the malware in the following files:
/usr/lib/wine/x86_64-windows/wineps.drv
/usr/lib32/wine/i386-windows/wineps.drv
/usr/lib/wine/x86_64-windows/regsvr32.exe
/usr/lib32/wine/i386-windows/regsvr32.exe

^^ That suggests to me that the malware is in the wine-staging package supplied through pacman/pamac. I honestly have no idea where the malware came from in the first place, though, so please take that with a pinch of salt.

I’ve removed these files and done repeated scans which now turn out negative.

My issue is I have no idea whether Win.Packed.Razy-9879251-0 affects Linux at all, how it would behave, or what to look out for to check that my system is no longer infected. I’ve tried searching for it but only found Windows tips in search results.

Could anyone please help me?

Cheers!

P.S. Apologies if this post is in the wrong section or tagged incorrectly. This is my first ever post here. Please let me know how best to re-tag the topic and I’ll move it.

Wine binaries are known to trigger false positives with various anti-virus products, and having seen this same sort of thing before myself, my first guess is that this is yet another.
If you can recreate the files, I suggest uploading them to VirusTotal and Hybrid-Analysis, to get a better idea of their nature and to see what other AV products think of them.


@g90215 Thank you loads for your input.

I followed your advice and tried to re-create the files by re-installing wine-staging using pacman.

It reported warnings for 9 files, all of which were caught by clamav:

Pacman output

[me@me ~]$ sudo pacman -S wine-staging
warning: wine-staging-6.12.1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) wine-staging-6.12.1-1

Total Installed Size:  464.68 MiB
Net Upgrade Size:        0.00 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
 wine-staging-6.12.1-1-x86_64 is up to date
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/mmsystem.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/regedit.exe
warning: could not get file information for usr/lib32/wine/i386-windows/rundll.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/system.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wineps16.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wing.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/winhelp.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/winoldap.mod16
:: Processing package changes...
(1/1) reinstalling wine-staging                    [######################] 100%
:: Running post-transaction hooks...
(1/5) Registering binary formats...
(2/5) Arming ConditionNeedsUpdate...
(3/5) Updating fontconfig cache...
(4/5) Updating 32-bit fontconfig cache...
(5/5) Updating the desktop file MIME type cache...

CLAMAV output

/usr/lib32/wine/i386-windows/krnl386.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/krnl386.exe16: moved to '/home/me/infected/krnl386.exe16'
/usr/lib32/wine/i386-windows/mmsystem.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/mmsystem.dll16: moved to '/home/me/infected/mmsystem.dll16'
/usr/lib32/wine/i386-windows/rundll.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/rundll.exe16: moved to '/home/me/infected/rundll.exe16'
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: moved to '/home/me/infected/regedit.exe'
/usr/lib32/wine/i386-windows/system.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/system.drv16: moved to '/home/me/infected/system.drv16'
/usr/lib32/wine/i386-windows/wineps16.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wineps16.drv16: moved to '/home/me/infected/wineps16.drv16'
/usr/lib32/wine/i386-windows/winhelp.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winhelp.exe16: moved to '/home/me/infected/winhelp.exe16'
/usr/lib32/wine/i386-windows/wing.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wing.dll16: moved to '/home/me/infected/wing.dll16'
/usr/lib32/wine/i386-windows/winoldap.mod16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winoldap.mod16: moved to '/home/me/infected/winoldap.mod16'

Hybrid-Analysis was fine with almost all of the files, except for regedit.exe, which succeeded on the CrowdStrike Falcon test but not the MetaDefender test, with these results.

Gen:Variant.Razy.884857 (B) is a new one I’ve not seen before. Does anyone know if and how this would affect Linux machines?

I’m also a bit worried because it’s a completely new set of files.

Sorry, I do have a screenshot, but I wasn’t allowed to embed it. Here are the MetaDefender results:

Detections for regedit.exe:
RocketCyber: Threat-Generic://Suspicious-Confidence_88
Emsisoft: Gen:Variant.Razy.884857 (B)
BitDefender: Gen:Variant.Razy.884857

No detection listed for: ByteHero, Xvirus Personal Guard, AegisLab, Vir.IT eXplorer, K7, Kaspersky, TrendMicro House Call, Quick Heal, Comodo, Symantec, Huorong, Avira, Sophos, VirusBlokAda, McAfee, Cyren, TACHYON, TrendMicro, Antiy, Ikarus, NANOAV, ESET, Ahnlab
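An added triage helper, not code from this thread, from Wine or from ClamAV, that combines the two checks the thread circles around: g90215's suggestion to recreate the files and look them up on VirusTotal, and the reinstall above, after which ClamAV moved the same nine package files again. The Python script below parses clamscan output in the format shown above (a constructed sample is embedded, and the /home/user Wine-prefix path in it is made up), hashes each flagged file (the quarantined copy if clamscan moved it), builds a VirusTotal hash-lookup URL of the same form as the reports linked later in this thread, and compares each hash with the SHA-256 digests recorded in the package's own .MTREE manifest. That separates a file that is byte-for-byte what the repository shipped from one that was modified on disk, and from one the package never owned at all. The .MTREE excerpt and every digest in it are constructed placeholders; only the clamscan and mtree line formats are real.

```python
"""Triage AV hits on package-managed files: hash, VT lookup URL, manifest comparison.

Added example; the sample log, the .MTREE excerpt and all digests are constructed.
"""
import hashlib
import re

# Constructed sample in the format clamscan prints with --move (this thread's output
# looks like this). The /home/user Wine-prefix path is made up.
SAMPLE_CLAMSCAN_LOG = """\
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: moved to '/home/me/infected/regedit.exe'
/usr/lib32/wine/i386-windows/wing.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wing.dll16: moved to '/home/me/infected/wing.dll16'
/home/user/.wine/drive_c/windows/syswow64/regsvr32.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib/wine/x86_64-windows/ntdll.dll: OK
"""

# Placeholder digests for the constructed manifest and demo (sha256(b"abc") for one of them).
REGEDIT_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
WING_DIGEST = "2" * 64

# Constructed excerpt in the format of the .MTREE manifest inside an Arch package.
# Real entries also carry md5digest=, and mtree escapes spaces in names as \040;
# this parser does not decode those escapes.
SAMPLE_MTREE = (
    "#mtree\n"
    "/set type=file uid=0 gid=0 mode=644\n"
    f"./.BUILDINFO time=1626000000.0 size=1234 sha256digest={'c' * 64}\n"
    f"./usr/lib32/wine/i386-windows/regedit.exe time=1626000000.0 size=98304 sha256digest={REGEDIT_DIGEST}\n"
    f"./usr/lib32/wine/i386-windows/wing.dll16 time=1626000000.0 size=4096 sha256digest={WING_DIGEST}\n"
)

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")
MTREE_DIGEST_RE = re.compile(r"sha256digest=([0-9a-f]{64})")


def parse_clamscan(log):
    """Map each flagged path to its signature name and, if clamscan moved it, the quarantine path."""
    hits = {}
    for line in log.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m["path"]] = {"signature": m["sig"], "quarantined_at": None}
            continue
        m = MOVED_RE.match(line)
        if m and m["path"] in hits:
            hits[m["path"]]["quarantined_at"] = m["dest"]
    return hits


def parse_mtree_sha256(mtree_text):
    """Map absolute install path -> SHA-256 recorded by the package (entries start with './')."""
    digests = {}
    for line in mtree_text.splitlines():
        if not line.startswith("./"):
            continue  # '#mtree' header and '/set' defaults carry no file digest
        name, _, rest = line.partition(" ")
        m = MTREE_DIGEST_RE.search(rest)
        if m:
            digests["/" + name[2:]] = m.group(1)
    return digests


def sha256_file(path):
    """Stream a file through SHA-256 so large PE files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_url(sha256_hex):
    """Hash lookup page, same URL form as the reports linked in this thread; no upload needed."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}/detection"


def triage(hits, package_digests, hash_fn=sha256_file):
    """Return (original_path, signature, sha256_or_None, verdict) per hit, sorted by path."""
    report = []
    for orig_path, info in sorted(hits.items()):
        on_disk = info["quarantined_at"] or orig_path  # hash the quarantined copy if it was moved
        try:
            digest = hash_fn(on_disk)
        except FileNotFoundError:
            report.append((orig_path, info["signature"], None, "missing"))
            continue
        expected = package_digests.get(orig_path)
        if expected is None:
            verdict = "not in package"   # e.g. a copy inside a Wine prefix: the package never owned it
        elif expected == digest:
            verdict = "matches package"  # exactly what the repository shipped; the AV hit is on the package itself
        else:
            verdict = "MODIFIED"         # differs from the manifest: investigate this file first
        report.append((orig_path, info["signature"], digest, verdict))
    return report


# Constructed on-disk digests for the stand-alone demo; a real run passes sha256_file instead.
DEMO_DIGESTS = {
    "/home/me/infected/regedit.exe": REGEDIT_DIGEST,  # identical to the manifest entry
    "/home/me/infected/wing.dll16": "1" * 64,          # differs from the manifest entry
    "/home/user/.wine/drive_c/windows/syswow64/regsvr32.exe": "3" * 64,  # not package-owned
}


def demo_hash(path):
    """Stand-in for sha256_file that serves the constructed digests above."""
    if path not in DEMO_DIGESTS:
        raise FileNotFoundError(path)
    return DEMO_DIGESTS[path]


if __name__ == "__main__":
    hits = parse_clamscan(SAMPLE_CLAMSCAN_LOG)
    digests = parse_mtree_sha256(SAMPLE_MTREE)
    for path, sig, digest, verdict in triage(hits, digests, demo_hash):
        print(f"{verdict:16} {sig:28} {path}")
        if digest:
            print(f"{'':16} {virustotal_url(digest)}")
```

On an Arch-based system the manifest for an installed package is the gzip-compressed file /var/lib/pacman/local/<name>-<version>/mtree, and `pacman -Qkk <package>` performs the quicker property check (presence, permissions, sizes, modification times) against the same data. A "matches package" verdict only says the file is what the repository built and signed (the "checking keys in keyring" and "checking package integrity" steps in the pacman output above cover the download), so the remaining question is whether the signature itself is a false positive; looking the hash up on VirusTotal answers that without uploading the file a second time.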

Similar thread. Didn’t lead to a conclusive answer: Antivirus, Lots of false positives here?

Quick update: I found another copy of the original 3 files in a backup.

regsvr32.exe returned the following; the other two passed:

Detections for regsvr32.exe:
RocketCyber: Threat-Generic://Suspicious-Confidence_93
Symantec: Heur.AdvML.B
Ahnlab: Malware/Win.Generic
BitDefender: Gen:Variant.Zusy.385262

Unavailable (downloaded): VirusBlokada, Cyren, TACHYON, Nano, Emsisoft

No detection listed for: ByteHero, Xvirus Personal Guard, AegisLab, Vir.IT eXplorer, K7, Kaspersky, TrendMicro House Call, Quick Heal, Comodo, Huorong, Avira, Zillya!, Sophos, McAfee, TrendMicro, Antiy, Ikarus, ESET

VirusTotal reports on the first three files:

The regsvr32.exe file is still bad.

https://www.virustotal.com/gui/file/1e3b1221ab86eef582a66426af9f10c0ae8d5c702dd33162f72b934f85940cd4/detection

https://www.virustotal.com/gui/file/c973798f789f59700838f86b2ba1f4e91b4b614e60694b925dc5d94234c6747e/detection

https://www.virustotal.com/gui/file/fd834576ac21b8838aced8848532ea23d0460ee09c9c768218aa36d3478ca17a/detection

@omano Thanks for that link, what did you personally decide to do as a result of that?

VirusTotal links for the other files.
https://www.virustotal.com/gui/file/c386d928f8788dd620e45fef1d8ba77d86710b46a7e78d5666e1fbca8888c776/detection
https://www.virustotal.com/gui/file/1ce368458f1fbb002635f598bcf1231c8af5733914ce6ce7c4d42e6b71190691/detection
https://www.virustotal.com/gui/file/a7a43ada7d2b2c554f49c7befa05f67907716609c259b03b09bfc5eb6a1b56c3/detection
https://www.virustotal.com/gui/file/a5a42c7418c68ce7f93eb4d95679e944d9090c654a051396d6f4a3db1c150881/detection
https://www.virustotal.com/gui/file/e6c06262864f72d70f761a5bc24b35b4d0e047b47dddd31f58c19ca0f5d289b3/detection
https://www.virustotal.com/gui/file/73f8e423bd20da72fc0815e8aee47afc714cdf38e01df021e4fc9fe14358b7f4/detection
https://www.virustotal.com/gui/file/172fc2ce7f48a0d2a0b7337379c0e6aff7027ab34a8d43107ff7cc2b9a266bf4/detection
https://www.virustotal.com/gui/file/945462946336ad45ad79a14bc367930b206fa7dec0be318294c75c431883c1eb/detection
https://www.virustotal.com/gui/file-analysis/NjhhZGVhYjY3ZDJjYjFlN2ZlZGZlMjU0NDhjNmI5N2E6MTYyNjgwMjA2Mg==/detection