Computer Security Research - McAfee Avert Labs Blog

(via ずきん♪'s bookmarks)

A story about Windows viruses ending up running on a Linux machine that had Wine installed.

Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

  • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
  • Wine 1.0 [run as a nonroot user with default settings]


I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

McAfee Threat Center – Latest Cyberthreats | McAfee

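Apparently the creation of the autostart registry key does not succeed under Wine, and it does not infect ELF files either, but if it appended itself to files, the ELF files might stop working.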

It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

McAfee Threat Center – Latest Cyberthreats | McAfee
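
A defender's integrity check for the scenario in the last quoted paragraph, as an added example that is not from the McAfee post or from this page: it compares an ELF file's size with what its own headers account for, flagging trailing bytes (appended data) and an ELF magic that no longer sits at offset 0 (prepended data). The function names and the 128-byte sample image are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section type that occupies no bytes in the file (.bss)

def elf_image_end(data):
    """Offset just past the last byte the ELF headers account for."""
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    w = "Q" if is64 else "I"               # width of offset/size fields
    phoff, shoff = struct.unpack_from(e + w + w, data, 0x20 if is64 else 0x1C)
    ehsize, phentsize, phnum, shentsize, shnum = struct.unpack_from(
        e + "5H", data, 0x34 if is64 else 0x28)
    end = max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)
    for i in range(phnum):                 # segments: p_offset + p_filesz
        base = phoff + i * phentsize
        off = struct.unpack_from(e + w, data, base + (8 if is64 else 4))[0]
        size = struct.unpack_from(e + w, data, base + (32 if is64 else 16))[0]
        end = max(end, off + size)
    for i in range(shnum):                 # sections: sh_offset + sh_size
        base = shoff + i * shentsize
        sh_type = struct.unpack_from(e + "I", data, base + 4)[0]
        off, size = struct.unpack_from(e + w + w, data, base + (24 if is64 else 16))
        if sh_type != SHT_NOBITS:
            end = max(end, off + size)
    return end

def classify(data):
    """Return not-elf, displaced-header, truncated, trailing-data or consistent."""
    if data[:4] != ELF_MAGIC:
        # Prepended bytes push the ELF header away from offset 0.
        return "displaced-header" if ELF_MAGIC in data else "not-elf"
    try:
        end = elf_image_end(data)
    except (struct.error, IndexError):
        return "truncated"
    if end > len(data):
        return "truncated"
    return "trailing-data" if len(data) > end else "consistent"

def sample_elf():
    """Constructed 128-byte ELF64 image: header, one PT_LOAD entry, padding."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400078,
                              64, 0, 0, 64, 56, 1, 64, 0, 0)
    ph = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 128, 128, 0x1000)
    return hdr + ph + bytes(8)
```

Trailing data alone is not proof of infection, since some legitimate ELF files carry an appended payload; treat a hit as a lead to compare against the package's known-good hash.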
