StarOffice/BadBunny

This page shows details and results of our analysis of the malware StarOffice/BadBunny.

Overview

StarOffice/BadBunny is a multi-platform macro virus written in StarBasic. It is a proof-of-concept virus that targets StarOffice and OpenOffice and exhibits different characteristics depending on the operating system it is executed on. It also attempts to infect JavaScript, Ruby and Perl files.


Minimum DAT: 5037 (2007-05-23)
Updated DAT: 5037 (2007-05-23)
Minimum Engine: 5400.1158
File Length: varies
Description Added: 2007-05-23
Description Modified: 2007-05-23

Characteristics

 -- Update May 23, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/05/22/badbunny/

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

Upon execution, the macro attempts to download and display a picture from the following URL:
http://www.gratisweb.com/bad[Removed]/badbunny.jpg

It drops different additional components depending on the operating system it is executed on:

  • On Windows, it drops a JavaScript file infector named "badbunny.js"
  • On Linux, it drops a file infector written in Perl named "badbunny.pl"
  • On Mac OS X, it drops one of two possible file infectors written in Ruby named "badbunny.rb" and "badbunnya.rb"
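
A defender-side triage sketch for the dropped component names listed above, added here as an example (it is not part of the original description or of any vendor tooling): it walks a directory tree, flags files carrying those names, and flags StarOffice/OpenOffice documents that contain a Basic macro module. The document extensions and the `Basic/` package layout are assumptions not stated on this page, and the function names are hypothetical.

```python
import os
import zipfile

# Names of the dropped components, taken from the description above.
DROPPED_NAMES = {"badbunny.js", "badbunny.pl", "badbunny.rb", "badbunnya.rb"}
# Assumption: document extensions worth inspecting (not listed on the page).
DOC_EXTS = {".odt", ".ods", ".odp", ".odg", ".sxw", ".sxc", ".sxi", ".sxd"}
# Library index files that can exist even when no macro module is present.
INDEX_FILES = ("script-lc.xml", "script-lb.xml")


def has_basic_macros(path):
    """Return True if the document package holds a Basic macro module.

    Assumption: macro libraries are stored under 'Basic/' in the ZIP package.
    """
    try:
        with zipfile.ZipFile(path) as pkg:
            return any(
                n.startswith("Basic/") and n.endswith(".xml")
                and not n.endswith(INDEX_FILES)
                for n in pkg.namelist()
            )
    except (zipfile.BadZipFile, OSError):
        return False  # not a readable package, so nothing to report


def triage(root):
    """Walk root and return a sorted list of (finding, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in DROPPED_NAMES:
                findings.append(("dropped-component-name", path))
            elif ext in DOC_EXTS and has_basic_macros(path):
                findings.append(("document-with-basic-macro", path))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for kind, found in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{found}")
```

A name match or a macro-bearing document is only a lead for a full scan with current DAT files, not a confirmed detection.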

Symptoms

If the macro is run from an infected document, it loads http://www.gratisweb.com/bad[Removed]/badbunny.jpg.

Note: The downloaded JPEG file is a pornographic image of a man dressed as a rabbit making out with a scantily clad woman in the woods.

Method of Infection

Worm Component:

Attempts to spread by dropping malicious script files that alter the behavior of IRC clients, causing them to send a copy of the virus to other users. The following IRC clients are targeted:

  • mIRC
  • X-Chat

Attempts to send large ICMP packets continuously to a list of antivirus vendor sites in an attempt to perform a denial of service.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
