Clamav reports wine's dxdiag.exe as malware?

Hello, I set up clamav, then ran sudo freshclam and a scan of the /home folder:

me@mabox ~ $ clamscan -i -r /home
/home/me/.wine/drive_c/windows/syswow64/dxdiag.exe: Win.Malware.Ulise-9870721-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8660180
Engine version: 1.0.1
Scanned directories: 28394
Scanned files: 287778
Infected files: 10
Total errors: 21
Data scanned: 38577.01 MB
Data read: 60437.70 MB (ratio 0.64:1)
Time: 8339.163 sec (138 m 59 s)
Start Date: 2023:04:04 18:06:53
End Date:   2023:04:04 20:25:52
me@mabox ~ $ 

Anyone familiar with clamav knows that in heuristic mode, it likes to flag lots of things as being infected that are actually fine. So when it detects something, I like to also scan it with virustotal.com. In most cases, virustotal shows 1 or 2 matches by some obscure anti-virus, and we can be pretty sure the file is fine. But scanning this dxdiag.exe file shows 16/70 detections!

What is going on here? Why are so many AV packages thinking this file is malicious? And why do they not agree on the type of infection?

Just read an article about “AutoHotKey” in Windows-land, after finding it on a customer’s Win PC during a virus scan. This also gives similar hits on virustotal.com. AHK is a legitimate scripting tool which was abused to spread remote-access-tools and other malware. So many anti-viruses are flagging that as suspicious, even though it is a completely legitimate tool. Is something like this happening with wine’s dxdiag.exe? Or is it really (capable of) doing something malicious somehow?

One could assume that in Linux, an .exe file would be limited to damaging only wine / portable-executable files. But that could be a naive assumption; what’s preventing a wine-executed PE from adding a line to ~/.bashrc? I’d rather not find out. :)

To first clear up the common misconception: technically, files run in wine can access your computer and modify anything owned by the current user, which is why things like having a specific user to run wine programs came to be, so the assumption that it “can’t” cause harm would be false. However, you have to take into account that it isn’t particularly likely that Windows malware will target Linux systems. That doesn’t mean they can’t do a quick pass-and-grab for info collection or the like, though.

That out of the way, I can’t say with any certainty one way or another based on the results from virustotal: not only do very well-rounded software packs like Kaspersky, GData, F-Secure and Avast not detect it, but I have gotten as few as 14 and as many as 17 detections, which instills in me even more doubt that it is legitimately malicious if even the software can’t decide.

That said, my standard practice for any security concerns that I can’t verify as false alarms is to quarantine or remove, so I’ll take it out of my wine and see if anything shatters.

Edit 1: No problems with any of my wine stuff from deleting the file; that said, YMMV. Also looking into flags on the behavior: it talks to addresses that I believe to be:
- Microsoft Azure cloud servers
- Akamai Tech cloud servers

It also detects it as “emulator:wine” (and Wine Is Not an Emulator weeps.)

It detects 2 UDPs, but they look to be self-referential, so I’m assuming they’re local until proven otherwise.
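Before quarantining, one check a practitioner would want is whether the flagged file in the prefix is the same bytes the wine package installed. The script below is an added example, not code from anyone in this thread: if the hashes match, the detection is against the distribution’s own wine build (either a false positive on that build or a problem with the package), not a modified prefix; if they differ, the prefix copy deserves a closer look. It assumes the package keeps its PE builtins under /usr/lib/wine/i386-windows and /usr/lib/wine/x86_64-windows, that a 64-bit prefix mirrors Windows (system32 holds 64-bit, syswow64 holds 32-bit files), and that pacman or dpkg is available for the package-ownership lookup; those are assumptions, not something the thread states.

```shell
#!/usr/bin/env bash
# Added example, not code from any poster in this thread: before deleting a
# flagged file from a Wine prefix, check whether it is byte-identical to the
# copy the wine package installed system-wide. Assumptions (labelled): the
# package keeps its PE builtins under /usr/lib/wine/{i386,x86_64}-windows, and
# a prefix's system32/syswow64 files are copies or symlinks of those builtins.

# SHA-256 of one file; sha256sum follows symlinks, which is what we want here.
file_hash() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# find_shipped_copy FLAGGED [WINEDIR]
# Derive where the wine package keeps the builtin matching a prefix file.
# A 64-bit prefix keeps 64-bit files in system32 and 32-bit ones in syswow64,
# but a 32-bit prefix also uses system32, so both arch directories are tried
# in order of likelihood and the first one holding the file wins.
# Prints the path and returns 0, or returns 1 if nothing matches.
find_shipped_copy() {
    local flagged="$1" winedir="${2:-/usr/lib/wine}" name first second d
    name="${flagged##*/}"
    case "$flagged" in
        */syswow64/*) first=i386-windows;   second=x86_64-windows ;;
        */system32/*) first=x86_64-windows; second=i386-windows ;;
        *) return 1 ;;
    esac
    for d in "$first" "$second"; do
        if [ -f "$winedir/$d/$name" ]; then
            echo "$winedir/$d/$name"
            return 0
        fi
    done
    return 1
}

# compare_with_shipped FLAGGED SHIPPED
# 0: identical (the AV hit is against the distro's own wine build, so the
#    question is whether that build is a false positive, not whether the
#    prefix was tampered with); 1: hashes differ; 2: a file is missing.
compare_with_shipped() {
    local flagged="$1" shipped="$2" h1 h2
    [ -f "$flagged" ] && [ -f "$shipped" ] || return 2
    h1="$(file_hash "$flagged")"
    h2="$(file_hash "$shipped")"
    [ "$h1" = "$h2" ]
}

# report FLAGGED [WINEDIR]: human-readable verdict plus the owning package
# when a package manager is present (pacman on Arch-based systems such as
# Manjaro/Mabox, dpkg on Debian-based ones; both lookups are assumptions).
report() {
    local flagged="$1" winedir="${2:-/usr/lib/wine}" shipped rc
    if ! shipped="$(find_shipped_copy "$flagged" "$winedir")"; then
        echo "cannot map $flagged to a shipped wine builtin"
        return 2
    fi
    rc=0
    compare_with_shipped "$flagged" "$shipped" || rc=$?
    case "$rc" in
        0) echo "IDENTICAL: $flagged matches $shipped" ;;
        1) echo "DIFFERENT: $flagged does not match $shipped (investigate)" ;;
        *) echo "MISSING: $flagged or $shipped does not exist" ;;
    esac
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qo "$shipped" || true
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$shipped" || true
    fi
    return "$rc"
}

# Usage: ./check_wine_builtin.sh ~/.wine/drive_c/windows/syswow64/dxdiag.exe
[ $# -eq 0 ] || report "$@"
```

Run it against the path clamscan reported; an IDENTICAL verdict moves the question from “was my prefix tampered with” to “is the wine package itself flagged”, which is the case VirusTotal results on the packaged file can answer, while DIFFERENT means the prefix copy is not what the package installed and should be preserved for analysis rather than simply deleted.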

Hmm. I created a shell script to rename dxdiag.exe and copy notepad.exe in its place. Maybe faster than typing everything out manually. Or hopefully someone more skilled makes it autonomous:

#!/usr/bin/env bash

# Tool to rename dxdiag.exe to dxdiag.exe.VIRUS and replace it with notepad.exe.
# Superuser is required.  Do a   sudo find / -name dxdiag.exe   to show all of
# the paths where this file resides, then pass each directory as the argument
# to this script (one directory per run).

set -u

user="$(logname)"
pthnotepad32="/home/${user}/.wine/drive_c/windows/system32/notepad.exe"
pthnotepad64="/home/${user}/.wine/drive_c/windows/syswow64/notepad.exe"

# If no arguments given
if [ $# -ne 1 ]; then
  echo 'Path argument missing.  Give the directory holding the offending dxdiag.exe, such as /usr/lib/wine/x86_64-windows/'
  exit 1
fi

# Normalise the directory argument so the trailing slash is optional
pth="${1%/}/"
src=''
dst="${pth}dxdiag.exe"
cpy="${pth}dxdiag.exe.VIRUS"

# If path incorrect
if ! [ -d "$pth" ]; then
  echo 'Path argument incorrect.  Give the directory holding the offending dxdiag.exe, such as /usr/lib/wine/x86_64-windows/'
  exit 1
else
  echo 'Path is valid, proceeding.'
fi

# If dxdiag.exe doesn't exist at that path
if ! [ -e "$dst" ]; then
  echo 'dxdiag.exe not found at that path.  Please check your argument again.'
  exit 1
else
  echo 'dxdiag.exe found at:' "$dst"
fi

# If .VIRUS file already exists (never overwrite an earlier quarantined copy)
if [ -e "$cpy" ]; then
  echo "$cpy" 'exists! Aborting.'
  exit 1
else
  echo "$cpy" 'does not exist, proceeding.'
fi

# Pick the notepad.exe from the matching prefix directory.  The match is on the
# directory name in the argument ("...32/" selects system32, "...64/" selects
# syswow64); anything else falls back to the system32 copy.
if [[ $dst == *"32/"* ]]; then
  src=$pthnotepad32
  echo 'Path matches system32.  Using:' "$src"
elif [[ $dst == *"64/"* ]]; then
  src=$pthnotepad64
  echo 'Path matches syswow64.  Using:' "$src"
else
  src=$pthnotepad32
  echo 'Cannot determine which variant to use; defaulting to:' "$src"
fi

# The replacement must exist before we move the original out of the way
if ! [ -e "$src" ]; then
  echo 'notepad.exe not found at:' "$src" '- aborting before touching anything.'
  exit 1
fi

# src = notepad source file
echo 'src: ' "$src"
# dst = destination dxdiag.exe file
echo 'dst: ' "$dst"
# cpy = destination dxdiag.exe.VIRUS file
echo 'cpy: ' "$cpy"

echo 'sudo mv' "${dst}" "${cpy}"
sudo mv "${dst}" "${cpy}"
echo 'sudo cp' "${src}" "${dst}"
sudo cp "${src}" "${dst}"

# Ensure execute bits are removed (wine does not need them on PE files)
sudo chmod -x "${dst}"
sudo chmod -x "${cpy}"
# And give the replacement the same owner the original had, so files under
# /usr/lib/wine stay root-owned and files under ~/.wine stay user-owned
sudo chown --reference="${cpy}" "${dst}"

# such a hack!