First OpenOffice virus emerges

First OpenOffice virus emerges

Oh what a sweet sweet day it must be for Microsoft. The first worm specifically targeting the open-source office package OpenOffice has emerged.

It runs on Windows Mac and Linux computers but anti-malware vendor Sophos admits it poses a low threat especially as it’s only a proof-of-concept that hasn’t actually been discovered ‘in the wild’.

Bad bunny: some people have a one-track mind…

The OpenOffice worm uses the inbuilt StarBasic scripting language in the office suite to save scripts to disk in several other languages.

The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland.

The SB/Badbunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows MacOS or Linux:

  • Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
  • MacOS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).
  • Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.

The dropped XChat and mIRC scripts are used to replicate and distribute the virus and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.

Sophos says the worm has not been found ‘in the wild’ but in an odd move was sent to their security labs for analysis directly by the makers. The worm which has not been reported at any customer sites also downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit.

“The group responsible for writing the BadBunny malware don’t seem to have much confidence in it spreading as they have sent it directly to our labs. The hackers have written plenty of StarBasic malware in the past but the most ‘in the wild’ this one is likely to get is by displaying a picture of a furvert in the woods” said Graham Cluley senior technology consultant for Sophos.

“This is old-school malware – seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild despite its use of a photograph of unusual wildlife.”