FS#71561 - Possible Malware in wine-staging.
Attached to Project:
Community Packages
Opened by wz (Wizz) - Tuesday, 20 July 2021, 17:53 GMT
Last edited by Morten Linderud (Foxboron) - Tuesday, 27 July 2021, 20:48 GMT
Details
Description:
Clamav and VirusTotal report malware in some of the files in the wine-staging (6.12.1-1) package. Is there any way to confirm whether these are false positives or not and if they are positive, what I should do next? Pacman also provides some warnings when installing these packages.

Additional info: The malware is apparently Win.Packed.Razy-9879251-0 and was added to the clamav virus database on the 17th of July 2021 according to the mailing list. VirusTotal & Hybrid analysis provide different names for them.

/usr/lib32/wine/i386-windows/krnl386.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/mmsystem.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/rundll.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/system.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wineps16.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winhelp.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wing.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winoldap.mod16: Win.Packed.Razy-9879251-0 FOUND

https://www.virustotal.com/gui/file/c386d928f8788dd620e45fef1d8ba77d86710b46a7e78d5666e1fbca8888c776/detection
https://www.virustotal.com/gui/file/1ce368458f1fbb002635f598bcf1231c8af5733914ce6ce7c4d42e6b71190691/detection
https://www.virustotal.com/gui/file/a7a43ada7d2b2c554f49c7befa05f67907716609c259b03b09bfc5eb6a1b56c3/detection
https://www.virustotal.com/gui/file/a5a42c7418c68ce7f93eb4d95679e944d9090c654a051396d6f4a3db1c150881/detection
https://www.virustotal.com/gui/file/e6c06262864f72d70f761a5bc24b35b4d0e047b47dddd31f58c19ca0f5d289b3/detection
https://www.virustotal.com/gui/file/73f8e423bd20da72fc0815e8aee47afc714cdf38e01df021e4fc9fe14358b7f4/detection
https://www.virustotal.com/gui/file/172fc2ce7f48a0d2a0b7337379c0e6aff7027ab34a8d43107ff7cc2b9a266bf4/detection
https://www.virustotal.com/gui/file/945462946336ad45ad79a14bc367930b206fa7dec0be318294c75c431883c1eb/detection
https://www.virustotal.com/gui/file/5e56f61d3c5718052050104073844c970ce94222098cac631305d6a0d0408d63/detection

I've also found similar issues in files elsewhere before using `pacman -S wine-staging`. Sorry, I know that isn't all that helpful, but I'll list them here just in case they have been flagged before.

/usr/lib/wine/x86_64-windows/wineps.drv
/usr/lib32/wine/i386-windows/wineps.drv
/usr/lib/wine/x86_64-windows/regsvr32.exe
/usr/lib32/wine/i386-windows/regsvr32.exe

OS etc: Linux <me> 5.10.49-1-MANJARO #1 SMP PREEMPT Sun Jul 11 12:59:43 UTC 2021 x86_64 GNU/Linux

Hybrid-analysis results for the potentially most dangerous files are here: https://forum.manjaro.org/t/wine-staging-possible-malware-win-packed-razy-9879251-0/74525/3

Steps to reproduce:
sudo pacman -S wine-staging
sudo clamscan -r /usr/lib32/wine

Thanks loads for your help in advance!
Closed by Morten Linderud (Foxboron)
Tuesday, 27 July 2021, 20:48 GMT
Reason for closing: Not a bug
Additional comments about closing: False positives.
FS#67474

I don't think it's the same issue. The file paths are different and VirusTotal seems to be caught up reporting different potential malware types.
https://www.virustotal.com/gui/file/7477095e37151f90e26d59446bf1527c8b86ebc0e17a052d737396c09949fbbb/detection
usr/lib32/wine/i386-windows/regedit.exe built locally in a clean chroot without mingw-w64-gcc

13 detections down to 1 when not using mingw-w64-gcc, see the second comment in FS#67474 by stanczew (mingw-w64-gcc enables Wine builds in PE format).

Is the last detection definitely just a red herring in this case then?
pacman throws warnings for those specific files but to be honest I don't know enough about how pacman works (or how to find out).
Are these warnings being thrown because those files should exist on disk (and have now been moved/deleted by clamav) or because something is missing from the content downloaded from the repo e.g. signatures/checksums/etc?
[me@me ~]$ sudo pacman -S wine-staging
warning: wine-staging-6.12.1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...
Packages (1) wine-staging-6.12.1-1
Total Installed Size: 464.68 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
wine-staging-6.12.1-1-x86_64 is up to date
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/mmsystem.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/regedit.exe
warning: could not get file information for usr/lib32/wine/i386-windows/rundll.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/system.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wineps16.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wing.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/winhelp.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/winoldap.mod16
:: Processing package changes...
(1/1) reinstalling wine-staging [######################] 100%
:: Running post-transaction hooks...
(1/5) Registering binary formats...
(2/5) Arming ConditionNeedsUpdate...
(3/5) Updating fontconfig cache...
(4/5) Updating 32-bit fontconfig cache...
(5/5) Updating the desktop file MIME type cache...
67 tools detected no issues with the file. Wine providing compatibility requires it to use the same filenames. The content being different to the Microsoft originals is to be expected.
warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
pacman could not locate the file at that location in the filesystem. If the file has been moved/deleted this is to be expected.
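One way to settle the question this thread circles around (is a flagged file exactly what the repo package shipped, or has it since been moved by the scanner or altered?), as an added example not taken from the bug report or from pacman/ClamAV themselves: it parses clamscan's FOUND lines and the package's .MTREE manifest (the gzip-compressed `.MTREE` member of the package archive, decompressed to text) and compares each file's on-disk sha256 against it. `pacman -Qkk wine-staging` does the on-disk comparison natively; the sample paths, signature name and file contents below are constructed.

```python
import hashlib, pathlib, re, tempfile

# clamscan prints "<path>: <signature> FOUND" for a hit and "<path>: OK" for a clean file.
CLAM_RE = re.compile(r"^(?P<path>/.*?): (?P<sig>\S+) FOUND$")

def parse_clamscan(report):
    """Return {path: signature} for every FOUND line in clamscan output."""
    matches = (CLAM_RE.match(line.strip()) for line in report.splitlines())
    return {m.group("path"): m.group("sig") for m in matches if m}

def parse_mtree(text):
    """Return {'/abs/path': sha256} from the package's plain-text .MTREE manifest."""
    digests = {}
    for line in text.splitlines():
        if line.startswith("./"):  # '#mtree' header and /set lines carry no file entries
            fields = line.split()
            attrs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
            if attrs.get("type") == "file" and "sha256digest" in attrs:
                digests[fields[0][1:]] = attrs["sha256digest"]
    return digests

def classify(hits, digests, root="/"):
    """Per flagged file: gone from disk, altered since install, or exactly what the package shipped."""
    verdicts = {}
    for path, sig in hits.items():
        on_disk = pathlib.Path(root, path.lstrip("/"))
        if not on_disk.exists():
            verdicts[path] = "missing: quarantined or deleted; pacman will warn about it"
        elif path not in digests:
            verdicts[path] = "not in package manifest: investigate"
        elif hashlib.sha256(on_disk.read_bytes()).hexdigest() == digests[path]:
            verdicts[path] = "matches package: %s fired on shipped content" % sig
        else:
            verdicts[path] = "modified since install: investigate"
    return verdicts

def demo():
    """Constructed sample root: regedit.exe intact on disk, krnl386.exe16 already quarantined."""
    root = tempfile.mkdtemp()
    payload = b"MZ constructed stand-in, not a real PE\n"
    intact = pathlib.Path(root, "usr/lib32/wine/i386-windows/regedit.exe")
    intact.parent.mkdir(parents=True)
    intact.write_bytes(payload)
    mtree = ("#mtree\n./usr/lib32/wine/i386-windows/regedit.exe type=file mode=0755 sha256digest=%s\n"
             "./usr/lib32/wine/i386-windows/krnl386.exe16 type=file mode=0644 sha256digest=%s\n"
             % (hashlib.sha256(payload).hexdigest(), "0" * 64))  # second digest is a placeholder
    report = ("/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND\n"
              "/usr/lib32/wine/i386-windows/krnl386.exe16: Win.Packed.Razy-9879251-0 FOUND\n"
              "/usr/lib32/wine/i386-windows/rundll.exe16: OK\n")
    return classify(parse_clamscan(report), parse_mtree(mtree), root)
```

A file that matches the manifest means the detection fires on content the repository itself distributed, which is the case the clean-chroot rebuild above addresses; a missing file is what produces pacman's "could not get file information" warning.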