[plug] Windows trojans, you can have them too!

Chris Caston caston at arach.net.au
Sun Apr 18 10:18:10 WST 2004 

On Sun, 2004-04-18 at 01:06, Ryan wrote:
> Howdy PLUG,
> 
> This has been mentioned before on here in passing, but it surprised me
> still, so here goes anyway ...
> 
> I was just playing with Zope, which is irrelevant except for the fact
> that I was scanning my local ports to find what port it had installed
> on.
> 
> I noticed something on port 8081:
> 
> tcp        0      0 localhost:tproxy        *:*                    
> LISTEN     9211/wine-pthread
> 
> The offending process:
> 
> ryan      9211  0.0  0.8 41096 2216 ?        S    Apr12   0:17
> /usr/lib/wine/wine-pthread /tmp/cmb_243461.exe
> 

Did you check it out with clamav?

> That file in /tmp is no longer there btw.
> 
> Going to it in a web browser brings up scantily clad women touting 1902
> phone numbers and access codes telling me to use Internet Explorer.  It
> is only listening on localhost, so I port-forwarded it using ssh to
> listen externally and looked at it with a Windows PC and IE.  Then is
> started trying to download a bunch of stuff and generally be a typical
> Windows menace.
> 
> So there you go, you can get Windows trojans installing themselves via
> Mozilla/Firefox on a Linux box if you have Wine correctly setup :)
> 

You can do the same thing with Evolution when the nice little "Run this
program in WINE" option comes with the attachment.

Scary stuff. Lets not go implementing the Win32 API in the kernel any
time soon... or at least until we have DRM ;-P 
 
> I never thought I had seen much success with Wine on my box, but
> evidently I had it set up enough for a win32 executable to bind to
> interfaces and the like.  As Wine progresses further, I hate to think
> what other automated tasks it will let processes carry out on the
> underlying OS.
> 
> .. back to upholding my newly propagated reputation as a pr0n fiend :P
> 
> Regards,
> 
> Ryan
> 
> _______________________________________________
> PLUG discussion list: plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
-- 
Linux is ready for the desktop like a Boeing F-22 is ready for the
run-way.

More information about the plug mailing list