Experts at Sophos, a world leader in IT security and control,
have announced the discovery of an OpenOffice/StarBasic macro worm
that drops scripts in several other languages. The worm attempts to
download and display an indecent JPEG image of a man wearing a
bunny suit performing a sexual act in woodland.
The SB/Badbunny-A worm first
infects you when you open an OpenOffice Draw file called
badbunny.odg. A macro included in the file performs
different functions depending on whether you are running Windows,
MacOS or Linux.
- Windows: The worm drops a file called drop.bad
  which is then moved to system.ini in your mIRC folder (if
  you have one) and also drops and executes badbunny.js
  which is a JavaScript virus that replicates to other files in the
  folder.
- MacOS: The worm drops one of two Ruby script viruses (in
  files called badbunny.rb or badbunnya.rb).
- Linux: The worm drops badbunny.py as an XChat
  script and also drops badbunny.pl which is a tiny Perl
  virus infecting other Perl files.
The dropped XChat and mIRC scripts are used to replicate and
distribute the virus: they initiate DCC transfers of the original
badbunny.odg OpenOffice file to other users.
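
A triage check a defender could run over a received file, added here as an example (it is not Sophos's detection logic): it flags the file names listed above and reports any StarBasic modules embedded in an OpenDocument file. It assumes the standard ODF layout, where document macros are stored under the Basic/ directory of the ZIP container; the sample documents are constructed in memory.

```python
import io
import zipfile

# File names the article says the worm uses or drops, with the platform.
# system.ini is left out: the name is far too common to be a useful signal.
DROPPED_NAMES = {
    "badbunny.odg": "carrier document", "drop.bad": "Windows",
    "badbunny.js": "Windows", "badbunny.rb": "MacOS",
    "badbunnya.rb": "MacOS", "badbunny.py": "Linux", "badbunny.pl": "Linux",
}

def basic_modules(odf_file):
    """Return StarBasic module paths inside an ODF container, or None if
    the input is not a ZIP archive at all."""
    try:
        with zipfile.ZipFile(odf_file) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    # Assumption: modules are Basic/<Library>/<Module>.xml; the script-lc.xml
    # and script-lb.xml files are library indexes, not code.
    return sorted(
        n for n in names
        if n.startswith("Basic/") and n.endswith(".xml")
        and not n.rsplit("/", 1)[-1].startswith("script-l")
    )

def triage(name, data):
    """Return a list of findings for one file (empty list = nothing flagged)."""
    findings = []
    platform = DROPPED_NAMES.get(name.lower())
    if platform:
        findings.append(f"name matches dropped file ({platform})")
    modules = basic_modules(io.BytesIO(data))
    if modules:
        findings.append("embedded StarBasic modules: " + ", ".join(modules))
    return findings

def make_sample(with_macro):
    """Build a constructed, harmless OpenOffice Draw container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()
```

A name match alone is a weak signal because the file can be renamed; the embedded-macro finding applies to any document, whatever it is called.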
The worm, which has not been reported at any customer sites,
downloads and displays a pornographic picture of a scantily clad
woman with a man dressed as a rabbit.
A small section of the photograph displayed by
the worm.
"The group responsible for writing the BadBunny malware don't
seem to have much confidence in it spreading as they have sent it
directly to our labs. The hackers have written plenty of StarBasic
malware in the past, but the most 'in the wild' this one is likely
to get is by displaying a picture of a furvert in the woods," said
Graham Cluley,
senior technology consultant for Sophos. "This is old-school
malware - seemingly written to show off a proof of concept rather
than a serious attempt to spy on and steal from computer users. A
financially motivated hacker would have targeted more widely used
software and not incorporated such a bizarre image. This is not a
piece of malware which we expect to see spreading in the wild,
despite its use of a photograph of unusual wildlife."
In May 2006, experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, announced the
discovery of the first malware for StarOffice. The Stardust
virus tried to download a picture of porn star Silvia Saint.
Sophos users have been automatically updated to protect against
the BadBunny worm and its components.
Sophos recommends companies automatically update their corporate
virus protection, and protect their users with a consolidated solution that defends against the
threats of viruses, spyware, hackers and spam.