Trojan detected in this package on Ubuntu20.04onWindows (i.e. WSL) - report here?

Asked by Jason Morgan

I got the following report from an IT department scan of an old WSL install on my laptop.

Just need to confirm if it came from this PC or it was in the distribution or it is a fake positive.

Is this the correct place to report this even though WSL is distributed by Microsoft?

File in question is
C:\Users\<username>\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc\LocalState\rootfs\usr\lib\x86_64-linux-gnu\wine-development\ksuser.dll

From https://windows10dll.nirsoft.net/ksuser_dll.html
I can see this DLL is one that may need to be implemented to handle the hardware interface between WSL and Win10, so it is likely that the scanner knows the name but not the contents, or it makes low-level calls which look suspicious but are not.

Was detected as:
Trojan.Win32.FakeKsUsr.a (v)

By:
VIPER Rescue v7.0.7.8 https://vipre.com/en_gb/support/
The definitions file has two .txt files with
DefVer: 61592, 2017-10-09T05:20:01
CoreVer: 3.9

Which worries me a bit as that means the definitions are 6 years old? Not my problem, I am just reporting it.
I've never used this tool before so I guess perhaps it does an online update before it runs.
(Above information from log file)

I can't access the file to get a hash of the release version of this file, but I can pass that information onto our IT.

Regards,
Jay. Qualcomm UK, Cambridge.

Question information

Status: Solved
For: Ubuntu wine-development
Solved by: Jason Morgan
Manfred Hampl (m-hampl) said :
#1

I suggest that you upload the file to https://www.virustotal.com/ for checking with different virus scanners.

actionparsnip (andrew-woodhead666) said :
#2

Sounds like a false positive. They do exist. Report as suggested above

Jason Morgan (jasomorg) said (last edit):
#3

I can't upload it as our IT have quarantined the file. See last line of post.

Even if I still had the file, the act of simply opening the folder that contains it would trigger klaxons.

Our IT would rather re-image the PC than spend time trying to determine if it is a bug in the tools, a false positive in the definition files or an issue with the Ubuntu RFS used in WSL. My post is an attempt to avoid that if at all possible.

So far I've managed to get a stay of execution for the PC by arguing that it is a dll that would never be run by Windows and lives in a sandbox that I can simply not open. Further to that, with that file missing, Wine would probably not work at all.

I've spent quite some time trying to find any mention of a similar incident anywhere and failed. Indeed I can only find one mention of that threat ID and it's totally unrelated. I expect (or hope) this is because crawlers struggle to capture meaningful text from sites using Javascript to render data on the fly within a context. There is no standard way for that to be indexed. Google seems to have turned into a proxy for Discord :(

Back to the point: Rather than re-image I would rather simply scrub that WSL 20.04 RFS install, it is old and I no longer use it. To ensure that proposal is not rejected I need some evidence to justify it.

A hash of the genuine file would be good. Except IIRC that release was in the beta of WSL2 so I am not sure even where it came from. Can I be sure of which of MS or Ubuntu put it there? I suspect that file was created before the RFS and WSL were separate installs.

Manfred Hampl (m-hampl) said :
#4

I see "wine-development" as parent directory of that file.
So it seems to be part of the package libwine-development from Ubuntu.

To verify the version on your system, what is the output of the command
dpkg -l | grep wine

By the way, I wonder what the reason is of installing a windows emulator on an Ubuntu system that runs inside Windows.

Jason Morgan (jasomorg) said :
#5

Hi Manfred,

Thanks for the pointer. I will re-post there.

Yes - Windows on Linux on Windows - daft or what?

I needed to run SMath Studio, which is written in .NET, hence Mono. At that time there was no standalone Linux version.
I can't run .NET on Windows without going through IT and that was taking too long, delaying a project. Linux was a workaround as it's effectively in a sandbox.
Shortly after IT gave permission and I moved onto 22.04.

I will connect with libwine-dev, here is the result of the version list in case somebody else has the same issue.

$ dpkg -l | grep wine
ii fonts-wine 5.0-3ubuntu1 all Windows API implementation - fonts
ii libwine:amd64 5.0-3ubuntu1 amd64 Windows API implementation - library
ii libwine:i386 5.0-3ubuntu1 i386 Windows API implementation - library
ii libwine-dev:amd64 5.0-3ubuntu1 amd64 Windows API implementation - development files
ii libwine-development:amd64 5.5-3ubuntu1 amd64 Windows API implementation - library
ii libwine-development-dev:amd64 5.5-3ubuntu1 amd64 Windows API implementation - development files
ii wine 5.0-3ubuntu1 all Windows API implementation - standard suite
ii wine-development 5.5-3ubuntu1 all Windows API implementation - standard suite
ii wine32:i386 5.0-3ubuntu1 i386 Windows API implementation - 32-bit binary loader
ii wine64 5.0-3ubuntu1 amd64 Windows API implementation - 64-bit binary loader
ii wine64-development 5.5-3ubuntu1 amd64 Windows API implementation - 64-bit binary loader
ii wine64-development-tools 5.5-3ubuntu1 amd64 Windows API implementation - 64-bit developer tools
ii wine64-tools 5.0-3ubuntu1 amd64 Windows API implementation - 64-bit developer tools

Manfred Hampl (m-hampl) said :
#6

I have uploaded the ksuser.dll file from the libwine-development_5.5-3ubuntu1_amd64.deb package to virustotal and the result is that "No security vendors and no sandboxes flagged this file as malicious".

https://www.virustotal.com/gui/file/c999280f42cfcc23acd9ffc941a11a9752f65d31306a352bbdcbe2df83a1ed04

Remark: I am not 100% sure that this is the same file that you had on your system.
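A defender's way to tie together the dpkg version check in #4 and the VirusTotal hash comparison in #6, as an added example that is not part of this thread or of Ubuntu's tooling: it looks up the md5 that dpkg recorded for a path in the package's md5sums file, compares it with the file actually on disk, and prints the sha256 that VirusTotal keys its reports on. The rootfs layout, the stand-in "ksuser.dll" contents and the demo tree are constructed assumptions, not the real binary.

```shell
#!/bin/sh
# Added example (not from this thread): check a file under a WSL rootfs against the
# md5 that dpkg recorded for its owning package, and print its sha256 for comparison
# with a VirusTotal report of the upstream .deb. Assumes the rootfs is readable at
# ROOT and holds dpkg's database under ROOT/var/lib/dpkg/info (hypothetical layout
# mirroring a normal Ubuntu install).

DLL_REL=usr/lib/x86_64-linux-gnu/wine-development/ksuser.dll

# verify_dpkg_file ROOT RELPATH -> prints match | mismatch | unlisted
# dpkg's *.md5sums files hold one "<md5>  <path without leading slash>" line per file.
verify_dpkg_file() {
    root=$1; rel=$2
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' \
        "$root"/var/lib/dpkg/info/*.md5sums 2>/dev/null || true)
    [ -n "$expected" ] || { echo unlisted; return 0; }
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && echo match || echo mismatch
}

# sha256_of ROOT RELPATH -> the hash VirusTotal keys its reports on
sha256_of() {
    sha256sum "$1/$2" | awk '{ print $1 }'
}

# make_demo_root -> prints a constructed rootfs: a stand-in "ksuser.dll" plus the
# md5sums entry dpkg would have written for it (constructed data, not the real DLL).
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/$(dirname "$DLL_REL")" "$root/var/lib/dpkg/info"
    printf 'constructed stand-in for ksuser.dll\n' > "$root/$DLL_REL"
    printf '%s  %s\n' "$(md5sum "$root/$DLL_REL" | awk '{ print $1 }')" "$DLL_REL" \
        > "$root/var/lib/dpkg/info/libwine-development:amd64.md5sums"
    echo "$root"
}

# Stand-alone run on the constructed tree: match, then mismatch after tampering.
DEMO=$(make_demo_root)
verify_dpkg_file "$DEMO" "$DLL_REL"
sha256_of "$DEMO" "$DLL_REL"
printf 'extra bytes\n' >> "$DEMO/$DLL_REL"
verify_dpkg_file "$DEMO" "$DLL_REL"
rm -rf "$DEMO"
```

Because the md5sums database lives inside the same rootfs as the file, a "match" rules out accidental corruption or a stray replacement but not someone who edited both; comparing the sha256 against the upstream .deb's copy, as done in #6, is the stronger check.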