Badbunny Virus/Worm

There is a new worm in town, and it is targeting OpenOffice on Windows, Mac OS, and Linux! The SB/Badbunny-A worm infects a computer when a user opens an OpenOffice Draw file called badbunny.odg. Depending on your operating system, the worm will do a variety of things:

  • Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
  • Mac OS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).
  • Linux: The worm drops as an XChat script and also drops which is a tiny Perl virus infecting other Perl files.

Once active the worm will begin replicating itself using XChat and mIRC, and it will then display a “pornographic picture of a scantily clad woman with a man dressed as a rabbit.” A small portion of the image can be seen to the right.

Sophos said that the group who developed the virus sent it directly to their labs, so they must have had little to no confidence in its ability to spread:

The group responsible for writing the BadBunny malware don’t seem to have much confidence in it spreading as they have sent it directly to our labs. The hackers have written plenty of StarBasic malware in the past, but the most ‘in the wild’ this one is likely to get is by displaying a picture of a furvert in the woods. This is old-school malware – seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild, despite its use of a photograph of unusual wildlife.

From the sounds of it there isn’t much that you have to fear, but it goes to show that OpenOffice users should also be cautious about the files they are opening. We’ll just hope that you don’t see a bunny like the one pictured above. :)
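One way to act on that caution, as an added example that is not from Sophos or the original post: a triage sweep that flags the file names listed above and any OpenDocument package carrying embedded macro code. The extension list and the `Basic/` and `Scripts/` package directories are assumptions about where OpenOffice stores macros inside the ZIP container, and the sample file is constructed.

```python
import os
import zipfile

# File names taken from the write-up above (the document plus dropped files).
PAGE_FILENAMES = {"badbunny.odg", "drop.bad", "badbunny.js",
                  "badbunny.rb", "badbunnya.rb"}
# Assumption: extensions treated as OpenDocument packages worth inspecting.
ODF_EXTENSIONS = {".odg", ".odt", ".ods", ".odp"}
# Assumption: macro code sits under these package directories (Basic/ = StarBasic).
MACRO_PREFIXES = ("Basic/", "Scripts/")


def odf_macro_entries(path):
    """Return macro-bearing member names inside an ODF package, [] if none."""
    try:
        with zipfile.ZipFile(path) as pkg:
            return sorted(n for n in pkg.namelist()
                          if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))
    except (zipfile.BadZipFile, OSError):
        return []  # not a readable ZIP package; nothing to report


def sweep(root):
    """Walk root and return (path, reason) findings for triage."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() in PAGE_FILENAMES:
                findings.append((path, "filename named in the write-up"))
            if os.path.splitext(name)[1].lower() in ODF_EXTENSIONS:
                macros = odf_macro_entries(path)
                if macros:
                    findings.append((path, "embedded macros: " + ", ".join(macros)))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a harmless ODF-like package with an empty macro module.
        sample = os.path.join(tmp, "sample.odg")
        with zipfile.ZipFile(sample, "w") as z:
            z.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
            z.writestr("content.xml", "<office:document-content/>")
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
        for path, reason in sweep(tmp):
            print(path, "->", reason)
```

A macro finding is a prompt to review the document before opening it, not proof of infection, since legitimate documents can carry macros too.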

Source: Sophos [via Slashdot]