Multi-platform OpenOffice worm discovered

A worm has been released for OpenOffice that is capable of running on multiple operating systems. According to the antivirus manufacturer Sophos the worm, known as "BadBunny", enters a computer as an OpenOffice Draw document with the name "badbunny.odg", which, when opened, displays a figure of a man disguised as a "bunny rabbit" engaging in sexual intercourse. In the background, however, it executes malicious code which is supposedly capable of being run on Windows as well as on Mac OS X and Linux.

BadBunny consists of several components. The core is written in StarBasic, the scripting language for OpenOffice macros, and manipulates IRC chat programs mIRC under Windows, or XChat under OS X and Linux, in order to forward itself to other IRC users. In addition, the worm executes a script with added malicious functions dedicated to the respective operating system. This should enable the worm, among other things, to try to overload and paralyze the websites of many antivirus manufacturers with faulty connection attempts. This component is programmed in JavaScript for Windows, in Ruby for OS X and Perl under Linux.

According to Sophos, BadBunny is a proof of concept program, a simple demonstration of feasibility. The antivirus manufacturer credits the worm to a cracker group that has become known for previous, similar, malicious programs for Sun's commercial OpenOffice equivalent StarOffice. If the BadBunny developers had any financial intentions, they would have selected a more popular software structure and not included bizarre images, Sophos adds. Sophos classifies the distribution of BadBunny as minor.

See also:

• BadBunny seen in "the wild"? OpenOffice multi-platform macro worm discovered, information from Sophos

(mba)