
Solved ramnit - but unusual situation

Discussion in 'Malware and Virus Removal' started by sama, 2016/01/09.

  1. 2016/01/09
    sama

    sama New Member Thread Starter

    Joined:
    2016/01/09
    Messages:
    4
    Likes Received:
    0
    [Solved] ramnit - but unusual situation

    Hello to all - I'm new here. I was impressed by what I've read here. Maybe somebody here can help me. MANY thanks in advance if so!!

    Actually I use linux. I also use wine, which is a windows emulation layer, and in that I use windows programs. I have no experience with windows at all.

    I installed (Windows version) a GUI frontend to Bootstrap called Mobirise. Normally I check anything before installing but this time I forgot. After installing it I tested it briefly (ran it) then checked it with clamav, which reported:

    ~/.wine/drive_c/Program Files (x86)/Mobirise/Qt5Core.dll: Win.Trojan.Ramnit-6068 FOUND
    ~/.wine/drive_c/Program Files (x86)/Mobirise/Qt5WebKit.dll: Win.Trojan.Ramnit-6196 FOUND

    Wine doesn't do any kind of sandboxing, so I'm now freaking out, because everything I read about ramnit says it tries to steal things like bank passwords! And that it's particularly dangerous.

    Would any of you know whether I'm in any danger?? That is, can ramnit do anything in my special case?

    I should add that I never used root privileges when installing Mobirise. Also as soon as I got that clamav report I uninstalled Mobirise, deleted the entire ~/.wine folder then uninstalled wine and reinstalled it. But I just don't know enough to know whether ramnit might have been able to modify/infect anything elsewhere on my drive before I deleted Mobirise.

    Thank you so much for any expert advice!!!
     
    sama,
    #1
  2. 2016/01/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    I'm not very familiar with your setting but...
    1. Ramnit is not curable
    2. It could be false positive.

    Upload files in question here: https://www.virustotal.com/ for security check.
     


  4. 2016/01/09
    sama

    sama New Member Thread Starter

    Thank you. Hopefully it is a false positive. I've been spending hours running every kind of test I can think of to run and so far it seems likely that it is. But it's hard to be really sure.
     
    sama,
    #3
  5. 2016/01/09
    broni

    broni Moderator Malware Analyst

    What did VirusTotal say?
     
  6. 2016/01/10
    sama

    sama New Member Thread Starter

    Thanks a lot for your help :). In case it helps anybody else that might run into this I'll outline what happened and what I've done so far.

    2 days ago I made that mistake: installed "Mobirise" without first checking it. This **** ramnit (whether real or false positive) has already cost me 2 days and probably today too. Hopefully then it's done. But 2 days ago the problem started.

    Unfortunately when clamav first reported 2 instances of ramnit I deleted the downloaded .exe file. That was a bit foolish, but me being a linux user exclusively (and before that only Mac) I have hardly any experience with malware. I really pity you Windows users, having to deal with this **** so often apparently (NOT meant as an insult to windows btw).

    So yesterday I again downloaded the exe from the same web site I had gotten it from before and again installed it in "wine" (the windows emulator). Again clamav reported the same 2 instances of ramnit. In the meantime I had learned of virustotal, which I had never heard of before. So I uploaded the new download to that and (whew) it showed all green check marks, meaning no malware detected. So it may well have been a false positive.

    Then yesterday I ran every test I could think of, for example comparing md5 hashes of all html, htm, doc, ini and exe files to pre-problem backups and they all showed no changes. I guess if I want to be really paranoid it's conceivable that since I had mounted the backup drive all of them, including the earlier backups, had been modified by ramnit, but how far does one need to go in the direction of paranoia?? It's hard to say!

    Also I have checked for ini files on the disks and there aren't any that seemed at all suspicious (that was one of the symptoms I read about ramnit having).

    I have also done some limited checks for filenames though I'm about to do more of that now. Names like "desktoplayer" that ramnit seems to use. So far there don't seem to be any and hopefully further checks confirm this.

    [update] I've now searched for all the filenames that I got from various reports by various anti-malware companies and nada, so that's good.

    Thanks again!!!
     
    Last edited: 2016/01/10
    sama,
    #5
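    The hash comparison described in the post above (checking html, ini, doc and exe files against pre-problem backups) can be scripted so that it reports exactly which files changed, disappeared or appeared. The script below is an added example written for this thread, not code posted by sama or anyone else here. It uses SHA-256 instead of MD5 (MD5 collisions are cheap to construct, so a matching MD5 is weaker evidence), assumes coreutils (sha256sum, find, sort, mktemp) and awk on a Linux host, and the two sample trees it builds in demo_report are constructed for the demo only.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a live directory against a
# known-good backup by comparing one SHA-256 hash per file, reporting
# CHANGED, MISSING and NEW files. Assumes coreutils and awk; the sample
# trees in demo_report are constructed for this demo.

# Print "hash  ./relative/path" for every regular file under $1, sorted by path.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Compare live tree $2 against baseline tree $1 and print one line per
# difference: CHANGED (hash differs), MISSING (only in baseline) or NEW
# (only in live). Unchanged files are not listed. Paths containing
# whitespace are not supported by the awk field split below.
compare_trees() {
    base_manifest=$(mktemp)
    live_manifest=$(mktemp)
    hash_tree "$1" > "$base_manifest"
    hash_tree "$2" > "$live_manifest"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load baseline hashes
        { if (!($2 in base)) print "NEW     " $2; else if (base[$2] != $1) print "CHANGED " $2; seen[$2] = 1 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$base_manifest" "$live_manifest" | sort
    rm -f "$base_manifest" "$live_manifest"
}

# Build two small constructed trees (a backup and a "live" copy with one
# modified, one deleted and one added file) and return the comparison report.
demo_report() {
    work=$(mktemp -d)
    mkdir -p "$work/backup/site" "$work/live/site"
    printf '<html>ok</html>\n' > "$work/backup/site/index.html"
    printf '<html>ok</html>\n' > "$work/live/site/index.html"        # unchanged
    printf 'name=Example\n' > "$work/backup/site/settings.ini"
    printf 'name=Example\nrun=1\n' > "$work/live/site/settings.ini"  # modified
    printf 'notes\n' > "$work/backup/site/notes.doc"                 # missing from live
    printf 'x\n' > "$work/live/site/unexpected.exe"                  # new in live
    compare_trees "$work/backup" "$work/live"
    rm -rf "$work"
}

demo_report
```

    For a real check, generate the baseline manifest with hash_tree before the suspect install and store it on media that was not mounted while the suspect program ran (or on a read-only mount); this answers the worry raised in the post about a mounted backup drive, because a manifest the machine could not write to cannot have been rewritten along with the files. Run compare_trees from a clean boot (a live CD is enough) so the comparison does not depend on the possibly affected system's own tools.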
  7. 2016/01/10
    broni

    broni Moderator Malware Analyst

    Good going :)
     
  8. 2016/01/11
    sama

    sama New Member Thread Starter

    sama,
    #7
  9. 2016/01/11
    broni

    broni Moderator Malware Analyst

    Thank you :)
     
