A fatal Windows virus case study in Ubuntu !
Scribbled on Friday, January 23rd, 2009
What does it take for a Windows virus to affect a Linux installation?
No, a Windows virus will fail in most cases. Yeah, it needs just a little loophole to cause a nuisance even for a Linux user. But a Linux system is not so generous as to concede to the terms of a vermin. Though it can tolerate a little foul play on behalf of that pesky little Windows virus :p
And now what could be the loophole for causing this nuisance?
No wonder! A Windows virus cannot survive a Linux environment on its own: a Windows executable is not something the Linux kernel knows how to run. So you gotta create an artificial Windows environment to allow it to execute and start infecting.
Now there are two ways by which you can have that artificial Windows environment in a Linux system. The first is to install Windows in VirtualBox. The second is to install WINE, which was the culprit, or rather the catalyst, for the inception of infection on my PC.
The good thing is that the virus cannot touch the Linux kernel or other users' accounts, so it will not reduce your Linux system to a state where you think about euthanasia. One caveat, though: that comfort mostly applies to the VirtualBox route. WINE is not a sandbox. A program running under WINE runs as your own Unix user with your own permissions, and by default WINE maps your home directory and the whole root filesystem (as the Z: drive) into its fake Windows. So a Windows virus under WINE can still read, delete or overwrite anything that you yourself can.
Verbatim process of infection
- I got a pen drive from my friend. I always remove viruses from pen drives easily in Linux. Just a Shift+Del enactment.
- But my fingers went twitchy and I pressed the Enter key first instead of the Shift key. It was a “tom and jerry.exe” file, which got executed by default using WINE.
- I effin loled, dumbfounded. What now? I was sure that it got executed by WINE. But I was relaxed, as a virus made for Windows will fail.
- But wtf! I was terrified when I tried to delete that “tom and jerry.exe” file.
- It got resurrected in a chimerical manner after 1 second. Again I pressed Shift+Del, but this time too it got recreated.
- Now the only thing on my mind was to see how much damage it had inflicted on my system.
Commencing a search and destroy rescue operation
- The first thing to check was the running processes. I found “explorer.exe” in Task Manager. Here it goes, smokin' dead.
- Tried deleting “tom and jerry.exe” now, but it still kept on convalescing. Certainly there were other processes running too.
- I scrolled to the bottom of Task Manager and found “RECYCLER.exe”. Obliterated this one too.
- And now deleted “tom and jerry.exe” for the last time. Much ado about deleting…lol.
Which virus was it actually ?
It was the infamous W32/Rbot-PR, disguised as regsvr.exe. Also popular as “New Folder.exe”. It disables the registry editor and task manager. Further, it cripples your system to a slog walk in minutes by replicating itself and eating precious RAM. And some other sensitive info could be at stake.
A video I captured of the whole process, for the interested ones!
- Here is the Mediafire download link to the avi file. I have reduced the quality, but you can still see and read the text in the video clearly.
~8.66 MB
Closing disclosure to prevent you from a trip to virusville.
- Of course you can do it!
- Open the pen drive in noexec mode.
- Open Configuration Editor (gconf-editor) and expand it to “system > storage > vfat”.
- Set exec to noexec by double clicking and editing.
- Note that this makes any FAT partition get mounted without the execution flag. Since pen drives are usually formatted as FAT, this did the trick. You can set noexec for other filesystem types too, like ntfs, udf etc. Keep in mind what noexec does and does not do: it is a mount-level control, so the kernel refuses to run binaries straight from that filesystem, but it does nothing for a file you copy to your home directory first, and it does not change which program the desktop hands the file to on a double click. That is what the next step is for.
- And now, as the last option, change the default “open with” for .exe files to some other program (something harmless like gedit will do the job), so that double clicking will not open it in WINE.
- That's it. When you now double click on an exe on a pen drive, it will open in gedit instead of WINE, and that will save you from accidentally executing it.
Just a sidenote: you can set noexec in fstab too, but that will be a bit geeky for the average reader. Though it will be relatively easy for an experienced one :p Never mind, pick your poison.
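For the geeky readers, here is a small added script (example code written for this page, not something from the original post) that covers the two hardening points above plus the WINE caveat from the top: it audits what the kernel actually mounted a pen drive with, prints a hardened fstab entry, and checks whether your WINE prefix exposes the whole root filesystem as Z:. It assumes a POSIX sh with grep, tr and readlink, that your desktop user is uid/gid 1000, and that the device, UUID and mount point names are placeholders you replace with your own. One detail worth knowing: per mount(8), the `user` option already implies `noexec,nosuid,nodev`, but spelling them out makes it obvious when someone later adds `exec` back.

```shell
#!/bin/sh
# Added example for this page, not the original author's code.
# Assumptions: POSIX sh + grep/tr/readlink; desktop user is uid/gid 1000;
# device names, UUIDs and mount points below are placeholders.

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options.
# Exact match, so "noexec" is not confused with "exec" or "user_xattr".
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# audit_line "DEV MNT FSTYPE OPTS ...": one line in /proc/mounts format.
# Prints "OK <mnt> (<fstype>)" when noexec, nosuid and nodev are all set,
# otherwise "MISSING <missing options> <mnt> (<fstype>)".
audit_line() {
    set -- $1
    mnt=$2; fstype=$3; opts=$4
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "OK $mnt ($fstype)"
    else
        echo "MISSING$missing $mnt ($fstype)"
    fi
}

# audit_removable TEXT: TEXT is the content of /proc/mounts. Only filesystem
# types a pen drive or disc is likely to carry are checked; ext4 etc. are skipped.
# On a live box:  audit_removable "$(cat /proc/mounts)"
audit_removable() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts _; do
        case "$fstype" in
            vfat|msdos|ntfs|ntfs-3g|exfat|udf|iso9660)
                audit_line "$dev $mnt $fstype $opts" ;;
        esac
    done
}

# hardened_fstab_line DEV MNT FSTYPE: a static /etc/fstab entry for a stick.
# "user" implies noexec,nosuid,nodev already; they are spelled out so that a
# later "exec" cannot sneak in unnoticed. umask=077 keeps other local users out.
hardened_fstab_line() {
    printf '%s\t%s\t%s\tnoauto,user,noexec,nosuid,nodev,uid=1000,gid=1000,umask=077\t0\t0\n' \
        "$1" "$2" "$3"
}

# wine_root_exposed [PREFIX]: true if PREFIX/dosdevices/z: points at "/",
# i.e. Windows programs under WINE see the whole Linux filesystem as Z:.
# PREFIX defaults to ~/.wine. Take the drive away with:  rm ~/.wine/dosdevices/z:
wine_root_exposed() {
    target=$(readlink "${1:-$HOME/.wine}/dosdevices/z:" 2>/dev/null) || return 1
    [ "$target" = "/" ]
}

# Tighten an already-mounted stick right now (needs root):
#   sudo mount -o remount,noexec,nosuid,nodev /media/PENDRIVE
```

Run `audit_removable "$(cat /proc/mounts)"` after plugging the stick in: a line starting with `MISSING noexec` means the desktop's automounter ignored your gconf change and the fstab route is the way to go. `wine_root_exposed && echo "Z: is /"` tells you whether the second safety net, restricting what WINE can reach, is still missing.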

2 Responses to “A fatal Windows virus case study in Ubuntu !”
Euthanasia??
Amazing vocabulary you’ve got !
define:euthanasia in google taught me what it was.. thnx
Neva used wine before.. I knew it, but always was happy with native linux apps..
By Quakeboy on Sun 25th Jan, 2009
@Quakeboy
You can assume that I am a learning candidate. I was not like this before but now try to play with words since I stopped playing games nonstop.
I need WINE just in case a good game or software which is not available on Linux is required. World of Goo is one which made me install WINE.
By T on Mon 26th Jan, 2009