Do Wine Viruses only work while Wine is running?

Solution 1:

Do Wine Viruses only work while Wine is running?

Yes, if it is a trojan, rootkit, or worm program specifically designed to infect a Windows machine.

(Viruses through Wine have already happened.)

Could I stop a virus from doing its thing by just quitting Wine?

Yes, and no.

Yes

If it's a Windows virus, kill the Windows environment (Wine), and it won't have a leg to stand on. The virus is still installed, but it's not doing any harm. If you remove Wine - to the best of my knowledge - it just removes its binaries. Reinstalling Wine later will show that the applications are still installed.

Removing the ~/.wine folder completely, however, will give some sense of safety. Mind you, that is only if it did not copy itself somewhere other than the ~/.wine folder. If it did, you have a Windows binary somewhere that could possibly cause harm to your system.

No

If the virus is targeting Linux with a Wine environment. Although the chance for you specifically to catch this rare virus is pretty slim, I would still urge you to read an article by the Wine community on how to Secure wine (Links to empty page).

However rare the virus may be, it's still advised to secure Wine as much as possible, especially if you're on the business side of things.


My preferred graphical front-end for Wine is PlayOnLinux; with that you have more control over your Wine environment, and there is a separate environment per application. So, if you happened to get infected by using Safari, use the Configuration options to examine and/or restore, or just delete the entire Safari Volume.

PlayOnLinux - Configuration Excerpt image from here: PlayOnLinux Explained: Wine Configuration | GamersOnLinux

Note:

It's a small chance, but, even after securing wine, you still might get infected by a virus or even viruses specifically designed to hack/infect Linux through wine. Just for security reasons, I have installed Malwarebytes, and SuperAntiSpyware. Also note that the custom explorer.exe - or other wine software - created by the wine team, might be considered as malicious by the aforementioned security software.

IMHO: PlayOnLinux is a safer alternative, because you have more control over Wine with the Configuration tools, whereas installing only Wine installs a Windows environment in your Linux system without any way of monitoring it.

PlayOnLinux doesn't need Wine pre-installed. It creates a Wine Prefix (a separate working environment) with Wine. Then it will install the software in the separate Wine Prefix, meaning the software cannot access other environments. This makes it harder to infect other Windows software installed in a different Wine Prefix.

Further reading:

  • [Security Feature]: Run Playonlinux/Wine as isolated user. - The forum - PlayOnLinux

  • Another report of malware running on Wine

  • SecuringWine - The Official Wine Wiki

Solution 2:

Maybe. There's no short answer for this.

I'll start by saying your introduction makes it sound like you think Linux can't get viruses (and/or malware). That may just be my inference but it's important to note that malware is just software and you can run bad software on Ubuntu just as easily as on Windows as long as it's compatible. Linux isn't invulnerable.

As for malware running under Wine, if it was literally an active application (like a trojan RAT), stopping Wine (wineserver -k to be sure) would stop it from running.

However... It's comically easy to detect if the environment is Wine. There is little sandboxing between Wine and Ubuntu by default so malware could detect a Wine environment and then could do pretty much anything you can do to your Ubuntu system. That includes running native commands, interfacing with Ubuntu systems, standard local privilege exploit stuff, downloading native malware and scripting into user-based auto-start mechanisms (~/.config/autostart/ et alii) to load itself back up after rebooting.

Is that likely? I don't know. Most Windows malware will probably not bother probing for Wine environments but that's just my hunch. I have no idea whether any such malware exists but either way, with the rise in popularity of Linux, OSX and Wine, I doubt it'll be long before many malware droppers probe their environment. We're only talking a few lines of code for a much better infection.
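
A triage check for the auto-start persistence mentioned in the answer above, as an added example that is not part of the original answer: after stopping Wine with `wineserver -k`, list the XDG autostart entries modified later than a reference file. The function name `autostart_since` and the choice of reference file (for instance the downloaded installer) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original answers).
# autostart_since REF [DIR]
#   REF  file whose modification time marks "before the suspect program ran",
#        e.g. the downloaded installer (an assumption of this example)
#   DIR  autostart directory, default ${XDG_CONFIG_HOME:-~/.config}/autostart
# Prints one line per newer entry: <path><TAB>Exec=<command it launches>

autostart_since() {
    ref=$1
    dir=${2:-${XDG_CONFIG_HOME:-$HOME/.config}/autostart}

    [ -e "$ref" ] || { echo "reference file not found: $ref" >&2; return 2; }
    [ -d "$dir" ] || return 0          # no autostart directory, nothing to list

    # -newer compares modification times against the reference file.
    find "$dir" -type f -name '*.desktop' -newer "$ref" | sort |
    while IFS= read -r entry; do
        # The first Exec= key is the command run at login.
        cmd=$(sed -n 's/^Exec=//p' "$entry" | head -n 1)
        printf '%s\tExec=%s\n' "$entry" "$cmd"
    done
}

# Typical use after `wineserver -k`:
#   autostart_since ~/Downloads/setup.exe
```

An empty result only covers this one directory; the answer's "et alii" (other per-user start-up mechanisms) needs its own review.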

Solution 3:

I think that the above answers answer the question well, but I would also like to add that running a virus in wine WON'T stop any viruses that access/modify/delete files on the system.

For instance, the dreaded CryptoLocker ransomware will encrypt all your documents, then will demand payment to decrypt them. The virus could still easily access the Z:\ drive and encrypt all your files. (Actually, it wouldn't even need to do that; in wine's virtual C:\ drive, the Desktop, Documents, Downloads, My Pictures, My Music, and My Videos folders are symlinked to the folders in your home directory.) On Windows, CryptoLocker has even been known to encrypt Google Drive files if you have the desktop Google Drive app installed.

(Luckily, if you were infected with CryptoLocker, and it was the original CryptoLocker virus, not one of the numerous clones, you can now decrypt your files for free.)
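
To see how much of the host a given prefix exposes in the way this answer describes (the Z: drive and the profile folders linked into the home directory), the following added example, which is not part of the original answers, lists every symlink in a prefix that resolves outside it. The function names are chosen for this illustration, and it assumes the usual prefix layout (`dosdevices/` and `drive_c/users/`) and a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not from the original answers).
# wine_prefix_exposure [PREFIX]   default: $WINEPREFIX, else ~/.wine
# Prints "<kind> <name> -> <resolved target>" for each link leaving the prefix.

report_if_outside() {   # args: resolved-prefix kind link
    target=$(readlink -f "$3") || return 0      # unresolvable link: skip
    case "$target" in
        "$1"|"$1"/*) ;;                         # stays inside the prefix
        *) printf '%s %s -> %s\n' "$2" "$(basename "$3")" "$target" ;;
    esac
}

wine_prefix_exposure() {
    prefix=${1:-${WINEPREFIX:-$HOME/.wine}}
    [ -d "$prefix/dosdevices" ] || {
        echo "not a Wine prefix: $prefix" >&2; return 2; }
    root=$(readlink -f "$prefix")

    # Drive letters are symlinks in dosdevices/ (c: -> ../drive_c, z: -> /).
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue
        report_if_outside "$root" dosdevice "$link"
    done

    # Profile folders (Desktop, Documents, ...) may be symlinks into $HOME.
    find "$prefix/drive_c/users" -maxdepth 2 -type l 2>/dev/null | sort |
    while IFS= read -r link; do
        report_if_outside "$root" folder "$link"
    done
}

# Typical use:
#   wine_prefix_exposure              # default prefix
#   wine_prefix_exposure ~/some/prefix
```

Every path printed is readable and writable by programs in that prefix with your user's permissions, so those are the locations to include in backups and in any post-incident file review.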