OpenOffice macro worm exposes bad bunny

update Sophos has warned users of the multi-platform OpenOffice productivity tool not to open any files named "badbunny.odg" -- which releases a worm exposing users to an image of a man in a bunny suit and a scantily clad woman performing a sexual act in woodland.

update Sophos has warned users of the multi-platform OpenOffice productivity tool not to open any files named "badbunny.odg" -- which releases a worm exposing users to an image of a man in a bunny suit and a scantily clad woman performing a sexual act in woodland.

The macro-based worm, named SB/Badbunny-A, does not appear to pose any threat to infected systems aside from downloading and displaying the pornographic JPEG image. Mark Harris, Director of SophosLabs, wrote on his blog early this week that the sample of the worm "appears to have been sent in by the author(s)".

While the virus has not been seen in the wild, nor is it likely to affect customers, according to Harris, it does expose some holes in the productivity tool as its written in cross platform scripting languages.

Once opened the OpenOffice file (badbunny.odg) launches a macro that behaves in several different ways depending on the user's operating system.

On Windows systems, it drops a file called drop.bad which is moved to the system.ini in the user's mIRC folder, while executing the Javascript virus badbunny.js that replicates to other files in the folder.

On Apple Mac systems, the worm drops one of two Ruby script viruses in files called badbunny.rb and badbunnya.rb.

On Linux systems, the worm drops both badbunny.py as an XChat script and badbunny.pl as a Perl virus.

"This is old-school malware -- seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users," said Graham Cluley, senior technology consultant for antivirus vendor Sophos.

"A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild, despite its use of a photograph of unusual wildlife."

Sophos has posted an edited version of the image here.