May 23rd, 2007

McAfee yawns at pornographic OpenOffice virus sample

Posted by Ryan Naraine @ 1:10 pm

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Hackers, McAfee, Microsoft, Open source, Patch Watch, Pen testing, Privacy, Rootkits, Spam and Phishing, Spyware and Adware, Symantec, Viruses and Worms, Vulnerability research

Tags: McAfee Inc., OpenOffice, Antivirus, Virus, Ryan Naraine

Anti-virus experts are giving a collective thumbs-down to a proof-of-concept virus targeting OpenOffice and StarOffice, dismissing the creation as a silly publicity stunt.

Sophos, an anti-virus company with headquarters in the U.K., first warned about the “in the wild” BadBunny sample, which infects the target when an OpenOffice Draw file is opened.

A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux, Sophos said.

• On Windows, the worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
• On Ma cOS, itworm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb)
• On Linux, the worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.

Sophos said the dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.

McAfee researcher Vinoo Thomas has written dismissively about BadBunny:

In all likelihood this virus will not be seen in the wild. Such proof of concepts are written more to show off the so-called elite skills of the author and are usually submitted to AntiVirus vendors by the virus authors to get media attention. Nowadays with all the keen media interest in computer security, all it takes is to add a bell or whistle and a little proof of concept makes headlines.

This virus group had previously released a proof of concept virus targeting StarOffice christened StarOffice/StarDust which downloaded a picture of the porn star Sylvia Saint. In this variant it downloads something on similar lines - a pornographic image of a man dressed as a rabbit making out with a scantily clad woman in the woods. Sigh!

Still, McAfee has released definition updates for the virus, which is programed to launch denial-of-service attacks against a list of anti-virus vendor sites.