# Windows virus on my Linux box?

## tactless

About once a week I find these files somewhere inside ~/download, which is the directory I've designated for Firefox (although the files sometimes appear in subdirectories of ~/download). I'm pretty sure they're exactly the same files, and that they're a common temporary-solution-OS (windows) virus. Here's the list:

```
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 1001 Sex and more.rtf.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 3D Studio Max 6 3dsmax.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 ACDSee 10.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Adobe Photoshop 10 crack.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Adobe Photoshop 10 full.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Adobe Premiere 10.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Ahead Nero 8.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Altkins Diet.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 American Idol.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Arnold Schwarzenegger.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears Sexy archive.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears Song text archive.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears and Eminem porn.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears blowjob.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears cumshot.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears fuck.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears full album.mp3.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears porn.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney Spears.mp3.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Britney sex xxx.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Clone DVD 6.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Cloning.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Cracks & Warez Archiv.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Dictionary English 2004 - France.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 DivX 8.0 final.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Doom 3 release 2.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 E-Book Archive2.rtf.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem Poster.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem Sexy archive.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem Song text archive.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem Spears porn.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem blowjob.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem full album.mp3.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem sex xxx.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Eminem.mp3.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Gimp 1.8 Full with Key.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter 1-6 book.txt.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter 5.mpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter all e.book.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter e book.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter game.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Harry Potter.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 How to hack new.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Internet Explorer 9 setup.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Kazaa Lite 4.0 new.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Kazaa new.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Keygen 4 all new.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Learn Programming 2004.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Lightwave 9 Update.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 MS Service Pack 6.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Magix Video Deluxe 5 beta.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Matrix.mpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Microsoft Office 2003 Crack best.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Microsoft WinXP Crack full.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Norton Antivirus 2005 beta.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Opera 11.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Partitionsmagic 10 beta.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 RFC compilation.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Ringtones.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Ringtones.mp3.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Saddam Hussein.jpg.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Serials edition.txt.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Smashing the stack full.rtf.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Star Office 9.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 The Sims 4 beta.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Ulead Keygen 2004.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Visual Studio Net Crack all.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Win Longhorn re.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 WinAmp 13 full.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 WinXP eBook newest.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Windows 2000 Sourcecode.doc.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Windows 2003 crack.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 Windows XP crack.exe
-rwxr-xr-x    1 tactless users       29569 Apr 23 00:57 XXX hardcore pics.jpg.exe
-rw-r--r--    1 tactless users       29569 Apr 23 00:57 Dark Angels new.pif
-rw-r--r--    1 tactless users       29569 Apr 23 00:57 Full album all.mp3.pif
-rw-r--r--    1 tactless users       29569 Apr 23 00:57 Teen Porn 15.jpg.pif
Best Matrix Screensaver new.scr
Porno Screensaver britney.scr
Screensaver2.scr
netsky source code.scr
```

Any clues?

----------

## adaptr

If this is just your Firefox, then it's either some weird behaviour or someone has found a hole to get into Firefox's download dir.

----------

## tactless

Would kinda make sense, I guess... Firefox DOES work on Windows, and an unsuspecting user would click on these. What would a good location for a log be?

----------

## screwloose

I seriously doubt this has anything to do with Firefox. Are you sharing this dir via Samba to other machines? Is it shared writeable? I would suspect that this is a Windows virus that copies itself to unprotected or weakly protected SMB shares.

----------

## manny15

I'm using Firefox but haven't run into that problem yet. I did run into something similar on a Windows box though. Programs seemed to just install themselves. Programs such as ad blockers, coupons for who knows what, and banners from IE would pop up all the time even when IE wasn't supposed to be running. Killing IE didn't work, it would just come back. I controlled the banners a BIT by disabling JavaScript and ActiveX and installing Firefox for the user. That's Windows for ya.

You may want to try several things to determine if the files are really getting in there through Firefox. See if the files still pile up while NOT running Firefox; try something simple like links2 if you can get away with it, or KDE's browser if you've got it installed, Opera, something. Are you using peer-to-peer software like gtk-gnutella and using the ~/download dir for storage? Could it be a Samba share? Do a

```
nmap [your IP here]
```

to see what ports are open. Then make sure you actually need those ports. Also try

```
netstat
```

It will print a list of all sockets currently being used on your system, both Internet and local. Hope this helps.

----------

## tactless

I'm behind a router. I only have the ports for Apache and SSH open on this box. However, it is beginning to sound like SMB... I do have a Windows XP box on my network, and I sometimes move files using SMB. I'll do a search on that box to see if it has these files.

----------

## manny15

SMB could be a problem. I'm using SMB too, but I don't use it much to transfer files into my computer. It's more for printing from the infected Windows box. Oh, my computers are behind a router/firewall too, so apparently that doesn't keep the beasts from getting in. Because routers are supposed to ignore requests that did not originate from the internal network, I think there's a program within the network acting as a tunnel, allowing the viruses in. But, as long as it doesn't get into my Gentoo box, I'm not going to worry about it much.

----------

## robmoss

There are quite a few viruses that transfer themselves via open SMB shares. You'll probably find it's your WinXP box with the virus, and that this directory is an open SMB share.

----------

## HydroSan

I'm willing to bet SAMBA is the culprit. Try looking at the Gentoo Security Guide to fine-tune SAMBA so only people on your network can access it.

----------

## tactless

No, Samba is only available inside the network. None of its ports are NATted in. The directory I was talking about is not a public share, but it is shared as part of my home directory, which I sometimes access. I haven't had a chance to check the other box for virii yet.

----------

## MickKi

What you're describing seems like trojan/malware behaviour running on your Windoze box, not a virus. Some of these are detected by certain anti-virus products, but you could run http://www.safer-networking.org/index.php?page=home, http://www.jasons-toolbox.com/programs.asp?Program=IRCBot%20Detector, http://s89223352.onlinehome.us/mirror/hjt/, http://www.lavasoft.de/support/download/ and I'm sure you could find other programs on google. Check relevant newsgroups/forums like http://forums.spywareinfo.com/ for advice on cleaning your machine.

Only to re-iterate what a previous poster said: changing your settings in M$IE and OE so that Java/Active-X scripts are not executed automatically, and clicking No on all scripts which you did not ask for, should keep your machine clean most of the time. Even better, ditch these highly vulnerable M$ applications and use Opera or Mozilla instead.

What anti-virus are you running on your Windoze machine?

----------

## Psych0

A quick search on Symantec's website for "t1001 Sex and more.rtf.exe" turned up w32.netsky.P

As of March 22, 2004, due to an increase in submission rate, Symantec Security Response has upgraded W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) to a Category 3 level threat from a Category 2 threat.

W32.Netsky.P@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file extension.

This worm also uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

------------------------------------------------------------------------------------------------

And yes, I'd use anything but Internet Explorer on the Windows box. IE is an adware / malware / virus magnet like no other. Either that or spend the money for a good antivirus, and keep Windose and especially IE updated.

Or kill WinDoze and run Linux.
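The Symantec description above and the listing in the first post give a simple detection signal for this worm's footprint: dozens of byte-identical Windows executables (.exe/.pif/.scr) with bait double-extension names dropped into a shared download folder. The script below scans a directory for that pattern; it is an added example, not code from anyone in the thread, and the directory argument and the minimum-copies threshold are my assumptions.

```python
"""Scan a download directory for clusters of byte-identical Windows executables
with bait names (e.g. 'Britney Spears.jpg.exe'), the pattern W32.Netsky.P leaves
behind in shared folders. Added example, not code from anyone in the thread."""
import hashlib
import os
import re
from collections import defaultdict

# Extensions the dropped copies use in the listing above (.exe, .pif, .scr).
EXEC_EXTS = {".exe", ".pif", ".scr"}
# Bait double extension: a 'content' suffix right before the executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|doc|rtf|txt|mp3|mpg)\.(exe|pif|scr)$", re.I)


def is_suspicious_name(name: str) -> bool:
    """True if the file would run as a program on Windows."""
    return os.path.splitext(name)[1].lower() in EXEC_EXTS


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_worm_drops(root: str, min_copies: int = 3):
    """Return clusters (sha256, size, sorted paths, double-extension count)
    of at least min_copies byte-identical executables under root. A worm
    copies itself many times; a legitimate download is normally unique.
    Files are bucketed by size first so only real candidates get hashed."""
    by_size = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if is_suspicious_name(name):
                path = os.path.join(dirpath, name)
                by_size[os.path.getsize(path)].append(path)
    clusters = []
    for size, paths in by_size.items():
        if len(paths) < min_copies:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha256_of(path)].append(path)
        for digest, same in by_hash.items():
            if len(same) >= min_copies:
                bait = sum(bool(DOUBLE_EXT.search(os.path.basename(p))) for p in same)
                clusters.append((digest, size, sorted(same), bait))
    return clusters
```

Run `find_worm_drops(os.path.expanduser("~/download"))` and inspect the returned clusters; the listing in the first post would come back as a single cluster of 29569-byte files, and hashing separates a worm's copies from an unrelated installer that merely happens to have the same size.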

----------

## Megge

I also had Netsky.P on my old Windows XP. It's the predecessor of Sasser and is meant to delete other viruses like MyDoom and Bagle; unfortunately it floods your system (after all it's still a virus, spread by spam). I think I caught it by mail. All my folders called "downloads" were full of crap like this on your list. I deleted all the infected files and updated Antivir (a German anti-virus program; free for private use). I also use Mailwasher on Windows (I dual-boot), so I can delete unwanted mails before they reach my machine. Until now it seems to work.
