My First Windows Virus!
I can now say that I've propagated a virus! WOOHOO!
Netsky, to be exact (ClamAV calls it SomeFool.Z). I am *so* geeked. You don't understand, we Linux-folk don't get to do some of the finer Windows things, like run spyware which sends my credit card and other information to bad-guys, or spread viruses or worms. We're often stuck in the same old "run as expected" mode which, between you and me, can get dull sometimes.
So I'm cleaning up my home directory, getting rid of old Word documents, PDFs and text files which have outlived their usefulness (by several years for some). I clicked on a text file called "Details.txt" to see if it was safe to delete it. Only after clicking it did I notice the "..." which tells me that the name scrolls out of view. It was actually named "Details.txt .exe", a Windows program intended to look like a text file. I had been analyzing this bad-boy a couple of months ago and forgotten to put it where it belongs (in the "malware" directory). DOH!
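The trick that worked here is an old one: a harmless-looking extension, a run of spaces, and then the real `.exe`, so that a file manager truncates the name to "Details.txt..." and a click launches a program. A quick scan for that pattern before a clean-up session would have caught it. The following is an added example, not code from the original post; the decoy and executable extension lists are my own choices, and the check generalizes slightly beyond the post's case by treating any Unicode whitespace (tabs, non-breaking spaces) as padding and also flagging the unpadded "Details.txt.exe" form.

```python
import os
import re

# Extensions that Windows (or a desktop/Wine file association) will execute.
# Assumed list; extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Extensions a user reads as "just a document" and will happily double-click.
# Assumed list; extend to taste.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".htm",
              ".html", ".xls", ".rtf"}

# name = <anything> <decoy ext> <optional whitespace padding> <real ext>
# \s with a str pattern matches Unicode whitespace, so NBSP/tab padding counts.
_PATTERN = re.compile(r"(.*?)(\.[A-Za-z0-9]+)(\s*)(\.[A-Za-z0-9]+)")


def disguised_extension(name):
    """Return (decoy_ext, real_ext), lower-cased, when the basename of `name`
    ends in a decoy document extension followed by an executable extension
    (with or without whitespace padding in between).  Return None otherwise.
    """
    base = os.path.basename(name)
    m = _PATTERN.fullmatch(base)
    if m is None:
        return None
    decoy = m.group(2).lower()
    real = m.group(4).lower()
    if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
        return (decoy, real)
    return None


def find_disguised(names):
    """Filter an iterable of file names down to the suspicious ones."""
    return [n for n in names if disguised_extension(n) is not None]


def scan_directory(path):
    """Walk `path` and return the full paths of files with disguised names."""
    hits = []
    for root, _dirs, files in os.walk(path):
        hits.extend(os.path.join(root, f) for f in find_disguised(files))
    return hits


if __name__ == "__main__":
    # Constructed sample names, not files from the author's home directory.
    sample = [
        "Details.txt          .exe",   # the post's case: spaces hide the .exe
        "Details.txt.exe",             # same trick without padding
        "photo.JPG\u00a0\u00a0.scr",   # non-breaking spaces, screensaver stub
        "archive.tar.gz",              # legitimate double extension
        "notes.txt",
        "setup.exe",                   # honest executable, not disguised
    ]
    for n in find_disguised(sample):
        print("suspicious:", repr(n), disguised_extension(n))
```

Run it against a directory with `scan_directory(os.path.expanduser("~"))`. The scan only looks at names, so it is a triage filter rather than a malware detector; the matching hardening step is to check what your desktop associates `.exe` with (and whether a `binfmt_misc` registration hands PE files to Wine), since a single click should never be enough to start an unknown Windows binary.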
As configured, my system had started the Windows emulation software known as Wine, and started running the process. I have tried using Wine to run Windows malware in the past, with very little luck since most malware uses bugs and quirks of the Windows OS not always emulated by Wine. If the malware ran at all, it hadn't completed and propagated correctly. Believe it or not, this actually disappointed me, since Wine provides a nifty little analysis environment (emphasis on "little"), which is simple to clean and in which it is simple to view all changes. This time, Netsky took hold, dropped its code in my Wine environment, and started sending email to people it found in my address book! It WORKED!
Alright, you're probably thinking I need to get a life. Truth is, I have an overabundant life, with not enough time in the day to enjoy it all appropriately... but playing with malware is part of it. Sun Tzu, an oriental strategist of old, wisely spoke:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." The Art of War by Sun Tzu
So what did I do? Well I burned a CD of course! (for the sake of posterity!)
I was going to link to the ISO of my entire Wine environment, but since it currently has Lotus Notes I would be in violation of copyright laws. Perhaps I will strip out Notes and provide a much smaller ISO in the future.
It apparently dropped "C:\Windows\Jammer2nd.exe" and started sending out the emails. Unfortunately, I was unable to find any registry settings to restart itself. After killing Wine and restarting Notes, I was disappointed (honestly!) to find that it didn't start up. So I guess we can't do *everything* you Windows folks can...
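Checking for a restart hook in a Wine prefix means reading the prefix's own registry files (`user.reg` and `system.reg`), which are plain text, and looking at the usual autostart keys. The following is an added example and not the author's own tooling: a minimal parser for Wine's text registry format (keys as `[Software\\...] <timestamp>` lines with doubled backslashes, values as `"Name"="..."`, `dword:`, `str(2):"..."` or `hex:` entries) plus a search of the common Run/RunOnce keys. The sample `user.reg` text is constructed for the example, and the "Dropper" entry in it is hypothetical, added so a hit is visible; a scan of the author's prefix, by his account, would have come back empty.

```python
import re

# Autostart keys (lower-cased, single backslashes) a persistence-seeking
# dropper on Windows writes to.  Assumed list; add others (Winlogon Shell,
# Explorer\Run, ...) as needed.
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\wow6432node\microsoft\windows\currentversion\run",
}

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
_VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unescape(s):
    """Undo Wine's backslash escaping inside quoted strings (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data):
    """Turn the right-hand side of a value line into a Python object."""
    if data.startswith('"'):                      # REG_SZ
        return _unescape(_QUOTED.fullmatch(data).group(1))
    if data.startswith("str("):                   # REG_EXPAND_SZ / REG_MULTI_SZ
        return _unescape(_QUOTED.search(data).group(1))
    if data.startswith("dword:"):                 # REG_DWORD
        return int(data[len("dword:"):], 16)
    return data                                   # hex:... kept raw


def parse_wine_reg(text):
    """Parse the text of a Wine user.reg/system.reg into
    {key_path_lowercase: {value_name: value}}.  The default value is ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # comments, #arch=, #time=
            continue
        if line.startswith("["):
            path = line[1:line.rfind("]")].replace("\\\\", "\\")
            current = keys.setdefault(path.lower(), {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.fullmatch(line)
        if m is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[name] = _decode_value(m.group(2))
    return keys


def find_autostart(keys):
    """Return (key, value_name, command) for every entry under an autostart key."""
    hits = []
    for path, values in keys.items():
        if path in AUTOSTART_KEYS:
            for name, command in values.items():
                hits.append((path, name, command))
    return hits


# Constructed sample in Wine's user.reg layout; the "Dropper" Run entry is
# hypothetical and only there to show what a hit looks like.
SAMPLE_USER_REG = r"""WINE REGISTRY Version 2
;; All keys relative to \\User\\S-1-5-21-0-0-0-1000

#arch=win32

[Software\\Microsoft\\Windows\\CurrentVersion\\Run] 1234567890
#time=1d5c1a3f2b4c5d6
"Dropper"="C:\\windows\\dropped.exe"

[Software\\Wine\\Explorer\\Desktops] 1234567891
"Default"="800x600"

[Software\\Example\\Flags] 1234567892
"Enabled"=dword:00000001
@="default value"
"""

if __name__ == "__main__":
    for path, name, command in find_autostart(parse_wine_reg(SAMPLE_USER_REG)):
        print(f"[{path}] {name!r} -> {command!r}")
```

Against a live prefix, read `~/.wine/user.reg` and `~/.wine/system.reg` with the same functions; the parser ignores the `#time=` and `#arch=` bookkeeping lines Wine writes and leaves binary `hex:` blobs untouched.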
So there you have it, my excitement for the day. Netsky works inside of Wine on Linux! Woohoo! I think I'll go take my medication now :)