OpenOffice Multiplatform Macro Worm Discovered
Experts at Sophos IT security firm discovered an OpenOffice/StarBasic macro worm that drops scripts in several other languages.
The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland.
The SB/Badbunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux.
Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
MacOS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb)
Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files. The dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.
The worm, which has not been reported at any customer sites, also downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit.
Sophos recommends companies automatically update their corporate virus protection.
The SB/Badbunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux.
Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
MacOS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb)
Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files. The dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.
The worm, which has not been reported at any customer sites, also downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit.
Sophos recommends companies automatically update their corporate virus protection.