Ubuntu – How to remove the brontok virus that has infected the Ubuntu via Wine

command linemalwareremovingwine

My laptop runs on Ubuntu and was recently infected with the brontok virus it managed to infect my Ubuntu – through my flash drive – because I have Wine installed. I had used the USB in an infected Windows computer belonging to someone I know. It creates .exe files in random application folders.

I've found .exe files in the folder for Openshot video editor, Audacity, Wine, it sometimes creates an .exe file in my Desktop folder, it creates the classic Brontok image with the green background in my Pictures folder as an HTML file and if I delete these, they just reappear each time I switch my computer back on.

I can't even name all the folders this worm is making .exe files in. They're all over and deleting doesn't help. A comprehensive guide on how to remove it is appreciated.

Best Answer

I will show you how to delete wine and the virus it self, step by step:

Step One:

Run the following command(s) in your terminal:

This will purge wine from your system:

sudo apt-get purge wine

Step Two:

Just in case apt-get could not delete a Wine .exe file for whatever reason, delete the entire wine folder. It resides in your home folder like so: .wine/

sudo rm -rfv ~/.wine/

Step Three:

To make sure no wine process is still loaded:

sudo reboot

This will reboot your system, without confirmation.

You can run the following command after the reboot to see which .exe process is still loaded:

ps aux | grep .exe

And then force close it:

killall -9 brontok.exe

Make sure you know that the process is malicious.

Step Four:

Run this in your home folder, it will try to find any file that ends with the .exe prefix.

find ~/ -type f -name "*.exe"

Step Five:

The previous find command will display the path of the .exe file(s), delete every .exe file you don't trust. Like so:

sudo rm -f /path/to/maybe-a-virus.exe

Step Six:

Scan with an Antivirus for linux, like clam antivirus. How to install and scan here:

security - How do I scan for viruses with ClamAV? - Ask Ubuntu

Notes:

clamav does not have a large database of Windows viruses compared to the mayor Antivirus Corporations. If you are not a hundred percent convinced of the legality of a file, you can upload it to:

VirusTotal - Free Online Virus, Malware and URL Scanner

At the time of writing, it use 57 anti viruses to scan files. Its still not a hundred percent accurate, but, it is right for about 99% of the time. My personal experience.

Mono names its binaries to .exe, So, not all .exe files you don't know, are harmful. For a list of Linux projects that use mono, see:

Mono (software) - Wikipedia, the free encyclopedia#Software_developed_with_Mono

Here is a quote - my own - that comments about the security benefits from using PlayOnLinux:

"My preferred graphical front-end for Wine is PlayOnLinux, with that you have more control over your Wine environment, and there is a separate environment per application. So, if you happened to get infected by using Safari, use the Configuration options to examine and/or restore, or just delete the entire Safari Volume." - blade19899, malware - Do Wine Viruses only work while Wine is running?

It's a bit safer than using wine.

Step Seven:

After you're absolutely sure that your virus is gone, re-install wine:

sudo apt-get install wine

Links:

Related Solutions

Ubuntu – Remove RECYCLER directory from virus infected flash drive

Ok I gotta clear a couple of things here:

The reverse-engineer part about NTFS does not apply here, especially for a formatted NTFS flash drive. Even if it did that would be something really out of the normal. I have worked with many NTFS formatted Flash drives, formatted in Windows XP, Vista, 7 and 8.

So a problem with the Linux not detecting NTFS correctly is not it. the NTFS-3G proyect is not slow nor incompatible to that level, you can even see that the last update was a couple of months ago this same year. It sure has a couple of issues from time to time like caching support and huge CPU usage, but like I said, for a Flash Drive it would be something very unlikely to happen or would be with a very small chance..
I have had similar problems with Flash drives showing either ????? symbols or simply wrong symbols altogether (EG: !@#%$@%#@ instead of the filename). Some users recommend using ntfsfix or ntfck but if you can't fix them with that run chkdsk on Windows on the drive. The Boot record/filesystem for it might be having some issues.
The owner of the file/folder does not matter as long as he uses sudo. It could be any user but when he uses the sudo command rm will remove it regardless of who owns it. Again this applies to this NTFS formatted Flash drive.
When I first saw the question I was going to ask to run the command as sudo but I read you already did. Then was going to suggest the ntfs repair tools, but you already did. then I saw the Input/output error at the end. That and seeing how the name of the files appeared all messed up simply told me there was an actual filesystem problem which can be corrected only by:
- Using chkdsk on Windows. Neither ntfsfix nor ntfsck will fix a couple of issues that chkdsk can only fix.
- At this moment it does not look like a hardware problem, more likely a filesystem problem. If chkdsk does not work, then the only solution is to format the flash drive again (No need for low level). In the case a simple format does not help (and tested in Windows and gparted), then we are looking at a hardware level problem.

If a virus actually had to do anything with this problem, it would be because it affected/attached to the filesystem table (MFT). This would create problems like seeing parts of the filesystem OK and others BAD. Not seeing files on one system and seeing them in another. Seeing all files or some corrupted (eg:!@#!#!LOL!@#!) and other weird stuff that could happen if the file system table is corrupt. It could be as simple as the virus changing one of the fields in the filesystem table or it could be as horrible as the virus changing the size of the MFT or several files.

Virus aside you should know that if the problem is so bad that you can't format the drive (Fresh filesystem) which would be rare to see a virus do that, then it is more probable that you have a flash drive hardware problem caused by heat, impact, etc..

For the corruption of data on the flash drive, or in any storage unit but especially flash drives, the cause in many cases is removing the unit before all information was correctly saved. This can happen in both, Windows and Linux if a user removes the flash drive without making sure that everything has finished writing and the session for the device is closed.

In the case of Linux you will start getting warnings about read/write operations not permitted in the whole flash drive or files (like movies) missing 50% of more of the whole size (Like a 1.2GB movie weighing only 500MB and everything in it corrupted). fsck can fix this in most cases. In the case of Windows it will show input/output errors and can go as far as corrupting the whole unit because the MFT did not save correctly the info. So it is recommend to either wait for the session to close or use a "safely remove" option when available.

Ubuntu – crond64/tsm virus in Ubuntu

I had the same. The service installed rsync and got some files. I found a dota.tar.gz file in the user folder.

deny port 22 outgoing in firewall (e.g. ufw deny out 22)
pkill -KILL -u kodi ( this kills all running processes of user kodi)
deluser kodi
remove userhome
remove rsync (I didn't use this)
remove /tmp/.mountfs*

Please take note this will probably ruin things for kodi. Instead of removing the whole userhome you can probably only remove dota.tar.gz (if it's there) and the .ttp folder (do not forget to clean the crontab!)

After a reboot I don't see any outgoing connections anymore (check with:

netstat -peanut | grep 22

Infection happened via a user with a weak password (kodi account with the default password maybe?)

Best Answer

Related Solutions

Ubuntu – Remove RECYCLER directory from virus infected flash drive

Ubuntu – crond64/tsm virus in Ubuntu

Related Question