First OpenOffice Virus, Not In the Wild

NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

Re:The real solution

[saibot834]

The real solution is to be careful wherever you can. Don't open email attachments of an unknown sender. Don't visit untrustworthy websites. Caution is still the best weapon against viruses.

So what's this virus going to do again???

[brunes69]

So I open this OO doc in Linux.... is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Is it going to infect other binaries in my system? No, they're only writeable by root.

Oh wait this is how it works:

"SB/BadBunny-A spreads by dropping malicious script files that affect the behavior of the popular IRC programs mIRC and X-Chat, causing them send SB/BadBunny-A to other users. These malicious script files are named badbunny.py (for XChat) and script.ini (for mIRC, overwriting the existing mIRC file) and are also detected as SB/BadBunny-A."

So.. this "virus" relies on some twisted assumption that I use XChat, to send itself to other people RUNNING XCHAT, NOT OPEN OFFICE?!?

So tell me again how this is a virus? If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

Re:So what's this virus going to do again???

[mcrbids]

is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Why not? Ostensibly, OO will run as user YOU, and YOU have access to your Tbird address book, and so would OO. Unless you're running SE Linux like a bat out of hell (most people don't) or have chroot or suid set up. Most *nix users however, don't have this kind of set up.

Re:So what's this virus going to do again???

> So tell me again how this is a virus? If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

No, because it doesn't replicate itself without your assistance. SADBunny is capable of copying itself onto other systems without your knowledge, assuming the right conditions are met. This is what makes it a virus, and not just a simple piece of malware such as what you proposed.

yet another bogus Linux 'virus' story ..

[rs232]

This worm or virus depending on who is saying it, requires Perl, XChat and write and executable access to be able to run. None of which applies to any self respecting Linux users computer. Yet another bogus Linux 'virus' article. Must be a slow day for real news.

"They are attacking the vulnerability of people's brains ", Graham Cluley, Sophos

Re:Virus Name

FTFA

"The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland."

Re:Virus Name

[chill]

SB = StarBasic, because it is written as a StarBasic macro.
-A = First variant. If someone modifies it to do something else, then you'll see -B, -C, etc.

  Charles