How do I remove the brontok virus that has infected my Ubuntu via Wine?

My laptop runs on Ubuntu and was recently infected with the Brontok virus. It managed to infect my Ubuntu - through my flash drive - because I have Wine installed. I had used the USB in an infected Windows computer belonging to someone I know. It creates .exe files in random application folders.

I've found .exe files in the folders for OpenShot video editor, Audacity, and Wine. It sometimes creates an .exe file in my Desktop folder, and it creates the classic Brontok image with the green background in my Pictures folder as an HTML file. If I delete these, they just reappear each time I switch my computer back on.

I can't even name all the folders this worm is making .exe files in. They're all over and deleting doesn't help. A comprehensive guide on how to remove it is appreciated.


Solution 1:

I will show you how to delete Wine and the virus itself, step by step:

Step One:

Run the following command(s) in your terminal:

This will purge wine from your system:

  • sudo apt-get purge wine

Step Two:

Just in case apt-get could not delete a Wine .exe file for whatever reason, delete the entire wine folder. It resides in your home folder like so: .wine/

  • sudo rm -rfv ~/.wine/

Step Three:

To make sure no wine process is still loaded:

  • sudo reboot

This will reboot your system, without confirmation.

You can run the following command after the reboot to see which .exe process is still loaded:

ps aux | grep -i '\.exe'

And then force close it:

killall -9 brontok.exe

Make sure you know that the process is malicious.

Step Four:

Run this in your home folder; it will try to find any file that ends with the .exe prefix.

  • find ~/ -type f -name "*.exe"

Step Five:

The previous find command will display the path of the .exe file(s). Delete every .exe file you don't trust, like so:

  • sudo rm -f /path/to/maybe-a-virus.exe

Step Six:

Scan with an antivirus for Linux, like Clam AntiVirus (ClamAV). How to install and scan here:

  • security - How do I scan for viruses with ClamAV? - Ask Ubuntu

Notes:

ClamAV does not have a large database of Windows viruses compared to the major antivirus corporations. If you are not a hundred percent convinced of the legality of a file, you can upload it to:

  • VirusTotal - Free Online Virus, Malware and URL Scanner

At the time of writing, it uses 57 antiviruses to scan files. It's still not a hundred percent accurate, but it is right about 99% of the time, in my personal experience.

Mono names its binaries .exe, so not all .exe files you don't know are harmful. For a list of Linux projects that use Mono, see:

  • Mono (software) - Wikipedia, the free encyclopedia#Software_developed_with_Mono

Here is a quote - my own - that comments about the security benefits from using PlayOnLinux:

"My preferred graphical front-end for Wine is PlayOnLinux, with that you have more control over your Wine environment, and there is a separate environment per application. So, if you happened to get infected by using Safari, use the Configuration options to examine and/or restore, or just delete the entire Safari Volume." - blade19899, malware - Do Wine Viruses only work while Wine is running?

It's a bit safer than using wine.

Step Seven:

After you're absolutely sure that your virus is gone, re-install wine:

sudo apt-get install wine

Links:

  • malware - Do Wine Viruses only work while Wine is running? - Ask Ubuntu

  • VirusTotal - Free Online Virus, Malware and URL Scanner

  • Mono (software) - Wikipedia, the free encyclopedia#Software_developed_with_Mono

  • security - How do I scan for viruses with ClamAV? - Ask Ubuntu
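
An added example (not part of the original answer): a small inventory helper for Steps Four and Five that lists every .exe under a folder with its SHA-256, so a file can be looked up by hash before you decide to delete it, and marks which ones are likely Mono programs. The function names are made up for this example, and the mscoree.dll check is a heuristic assumption, not a definitive test.

```shell
#!/bin/sh
# Added example: inventory *.exe files under a folder before deleting any.
# Output, one line per file: <sha256> <kind> <path>
#   PE      starts with the "MZ" magic: a Windows-format executable
#   PE-NET  as above and mentions mscoree.dll (heuristic for Mono/.NET)
#   OTHER   named .exe but not a Windows-format executable
# Assumes GNU find, grep, head, od and sha256sum, as shipped with Ubuntu.

classify_exe() {
    # $1 = path to one file; prints PE, PE-NET or OTHER
    magic=$(head -c 2 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "4d5a" ]; then
        echo OTHER
    elif grep -a -q 'mscoree\.dll' -- "$1"; then
        echo PE-NET
    else
        echo PE
    fi
}

triage_exe() {
    # $1 = folder to search (defaults to the home folder)
    # -iname also catches .EXE / .Exe; paths containing newlines are not handled
    find "${1:-$HOME}" -type f -iname '*.exe' 2>/dev/null | sort |
    while IFS= read -r f; do
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(classify_exe "$f")" "$f"
    done
}
```

Source the file and run triage_exe ~ to get the list. A PE-NET line is only a hint that the file may belong to a Mono application; it does not mean the file is safe.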