linuxmint / mintinstall

Software Manager

Malware detected in wine installed from Software Manager #404

Closed Xenophobe-01 closed 9 months ago

Xenophobe-01 commented 10 months ago

I originally reported this in the Mint issues at https://github.com/linuxmint/cinnamon/issues/12026 and they advised to report it here.

Distribution Mint 21.2 Cinnamon

Package version 5.8.4

Issue description I have ClamAV setup to do a weekly scan of my drives and it detected the following:

/home/name/.wine/drive_c/windows/system32/winver.exe: Win.Malware.Ulise-10018340-0 FOUND /home/name/.wine/drive_c/windows/syswow64/winver.exe: Win.Malware.Ulise-10018340-0 FOUND

I sent the files in for ClamAV's team to analyze and they confirmed them as threats. I have not used regular wine in a while as steam proton handles my gaming needs.

This is the wine 6.0.3~repack-1 system package in Linux Mint's Software Manager. There have been no updates to this wine version in Update Manager since installation. The detection was Jan 14, 2024.

I uninstalled wine and deleted the .wine folder, ran sudo apt autoremove --purge && sudo apt autoclean, then reinstalled wine from Software Manager to test and ClamAV again flagged these files as malware threats.

Virus Total also has these listed as threats ... https://www.virustotal.com/gui/file/8b81da285744f5829b68a250737ca0c4fcd0933a0ec02e9fcce6e73be24dfbf7

Steps to reproduce Install wine 6.0.3~repack-1 system package from Linux Mint's Software Manager; Setup wine; Run ClamAV to scan the .wine folder.

LinuxOnTheDesktop commented 9 months ago

Should this scary-looking issue be closed - or acted upon? On the one hand: the other report of the problem (here) is closed. On the other hand, perhaps that issue should not have been closed - and it is unclear just why it was closed.

Xenophobe-01 commented 9 months ago

I've since uninstalled the Software Manager version and installed the current stable version from WineHQ, which does not detect as having any potential threats. I leave it to the forum moderators to determine if the potential threat detection in the Software Manager version is still present and whether to close this thread or not.

mtwebster commented 9 months ago

Closing this because:

Results I scanned when searching "winver.exe" wine malware pretty much agreed this is a false positive.

I installed wine and clamav:

# Show where this file is installed initially. 
$ dpkg -L libwine:amd64 | grep winver
/usr/lib/x86_64-linux-gnu/wine/winver.exe

# Scan
$ clamscan /usr/lib/x86_64-linux-gnu/wine/winver.exe 
/usr/lib/x86_64-linux-gnu/wine/winver.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8685671
Engine version: 0.103.11
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 11.888 sec (0 m 11 s)
Start Date: 2024:02:22 09:53:06
End Date:   2024:02:22 09:53:18

# Run something to generate a ~/.wine folder
$ wine cmd
Microsoft Windows 6.1.7601

Z:\home\mtwebster\.wine>exit

# Note files in .wine folder now:
$ cd .wine
$ find -name  winver.*
./drive_c/windows/syswow64/winver.exe
./drive_c/windows/system32/winver.exe

# Scan these files

$ clamscan drive_c/windows/syswow64/winver.exe 
/home/mtwebster/.wine/drive_c/windows/syswow64/winver.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8685671
Engine version: 0.103.11
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 11.758 sec (0 m 11 s)
Start Date: 2024:02:22 09:53:44
End Date:   2024:02:22 09:53:56
$ clamscan drive_c/windows/system32/winver.exe 
/home/mtwebster/.wine/drive_c/windows/system32/winver.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8685671
Engine version: 0.103.11
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 11.780 sec (0 m 11 s)
Start Date: 2024:02:22 09:54:18
End Date:   2024:02:22 09:54:30

# Are they the same files?

$ cmp .wine/drive_c/windows/syswow64/winver.exe /usr/lib/x86_64-linux-gnu/wine/winver.exe 
.wine/drive_c/windows/syswow64/winver.exe /usr/lib/x86_64-linux-gnu/wine/winver.exe differ: byte 133, line 2
$ cmp .wine/drive_c/windows/system32/winver.exe /usr/lib/i386-linux-gnu/wine/winver.exe 
.wine/drive_c/windows/system32/winver.exe /usr/lib/i386-linux-gnu/wine/winver.exe differ: byte 133, line 2
# Different - what??

# If I compare 64 <-> 32 they are identical.  A wine bug maybe?
$ cmp .wine/drive_c/windows/syswow64/winver.exe /usr/lib/i386-linux-gnu/wine/winver.exe 
$ cmp .wine/drive_c/windows/system32/winver.exe /usr/lib/x86_64-linux-gnu/wine/winver.exe 

So, additionally now:

but...

While I was looking around I saw at least one mention of the fact that Windows programs can have their own versions, so if this is true, this may very well be an actual positive, but I'm confident that the ones that are shipped with wine are ok.

Try the last check I did (If I compare 64 <-> 32 they are identical...) - if the cmp command doesn't return anything (which means the files are the same), then I think you're in the clear.
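An added example, not from this thread or the mintinstall project: a small Python check that does what the cmp commands in the session above do, hashing each winver.exe in a wine prefix and matching it against both copies shipped by the wine package (in that session system32 matched the x86_64 copy and syswow64 the i386 copy), and reporting a copy that matches neither. The paths are the ones quoted in the thread; demo() builds a constructed sample tree with stand-in bytes rather than real PE files.

```python
import hashlib
import sys
import tempfile
from pathlib import Path
# Paths quoted in the thread, relative to the wine prefix and to the filesystem root.
PREFIX_COPIES = ("drive_c/windows/system32/winver.exe",
                 "drive_c/windows/syswow64/winver.exe")
PACKAGE_COPIES = ("usr/lib/x86_64-linux-gnu/wine/winver.exe",
                  "usr/lib/i386-linux-gnu/wine/winver.exe")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def match_prefix_to_package(prefix, root):
    """Map each winver.exe in the prefix to the package copy with the same
    SHA-256, or None if no shipped copy matches (missing or modified file)."""
    shipped = {}
    for rel in PACKAGE_COPIES:
        p = Path(root) / rel
        if p.is_file():
            shipped[sha256_of(p)] = rel
    report = {}
    for rel in PREFIX_COPIES:
        p = Path(prefix) / rel
        report[rel] = shipped.get(sha256_of(p)) if p.is_file() else None
    return report

def demo(tamper=False):
    """Constructed sample tree (stand-in bytes, not real PE files); with
    tamper=True the system32 copy is altered so the check must flag it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        data = {PACKAGE_COPIES[0]: b"MZ-fake-64", PACKAGE_COPIES[1]: b"MZ-fake-32",
                PREFIX_COPIES[0]: b"MZ-fake-64", PREFIX_COPIES[1]: b"MZ-fake-32"}
        if tamper:
            data[PREFIX_COPIES[0]] = b"MZ-fake-64-modified"
        for rel, blob in data.items():
            sub = "root" if rel in PACKAGE_COPIES else "prefix"
            (base / sub / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / sub / rel).write_bytes(blob)
        return match_prefix_to_package(base / "prefix", base / "root")

if __name__ == "__main__":  # e.g. python3 check_winver.py ~/.wine /
    for rel, match in match_prefix_to_package(sys.argv[1], sys.argv[2]).items():
        print(f"{rel}: {'matches ' + match if match else 'NO MATCH - investigate'}")
```

A prefix copy that matches neither shipped file is worth a closer look, since it is then not the binary the distro package installed.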

LinuxOnTheDesktop commented 9 months ago

Thank you, @mtwebster, for doing all of that work in the service of security.