Malware miscreants have crafted a cross-platform worm targeted at OpenOffice users that's capable of infecting Windows, Mac, and Linux computers.

The OpenOffice/StarBasic macro worm, dubbed BadBunny (http://www.sophos.com/security/analyses/sbbadbunnya.html), is a proof-of-concept worm that's not been seen outside the lab. Most anti-virus firms describe it as a low-risk threat.

OpenOffice users are liable to get infected if they open an OpenOffice Draw file called badbunny.odg. If open, the file downloads and displays a pornographic jpg image of a man dressed as a rabbit making the beast with two backs with a scantily clad woman in a woodland setting.

How very fur-verted.

Meanwhile, a macro included in this payload performs different functions depending on whether victims are running Windows, MacOS, or Linux. On Windows, for example, a JavaScript virus is executed and a mIRC script is run. Linux boxes are infected with a tiny Perl script and an XChat script. Mac OS systems are infected with a Ruby script virus.

The dropped XChat and mIRC scripts are used to replicate in an attempt to distribute the virus. Sections of the code also attempt to knock out access to anti-virus websites.

The malware was writen by the d00mriderz VX team, a group that's written StarOffice malware in the past. The Stardust virus, created by the same group in May 2006, tried to download a picture of porn star Silvia Saint. BadBunny is the most complex sample of such malware to date and the first that attempts to infect multiple system platforms, at least in theory.

"The hackers have written plenty of StarBasic malware in the past, but the most 'in the wild' this one is likely to get is by displaying a picture of a furvert in the woods," said Graham Cluley, senior technology consultant for Sophos.

"This is old-school malware - seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image." ®

Related stories

OpenOffice update released (28 March 2008)
http://www.theregister.co.uk/2008/03/28/openoffice_update_two_four/
Google and Sun tag team MS Office (15 August 2007)
http://www.theregister.co.uk/2007/08/15/google_pack_offers_free_staroffice/
Malware targets computer forensics tool (18 June 2007)
http://www.theregister.co.uk/2007/06/18/winhex_virus/
10 reasons why the Black Hats have us outgunned (13 June 2007)
http://www.theregister.co.uk/2007/06/13/black_hat_list/
Symbian signing is no protection from spyware (23 May 2007)
http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
OpenOffice hits back at viral risk claims (15 August 2006)
http://www.theregister.co.uk/2006/08/15/openoffice_viral_risk/
French MoD questions OpenOffice security (20 July 2006)
http://www.theregister.co.uk/2006/07/20/openoffice_france_mod_report/
First StarOffice malware sighted (1 June 2006)
http://www.theregister.co.uk/2006/06/01/stardust/
Anti-virus groups fight over Crossover sharing (6 March 2006)
http://www.theregister.co.uk/2006/03/06/crossover_ruling_angers_industry/
First PocketPC virus found (19 July 2004)
http://www.theregister.co.uk/2004/07/19/pocketpc_virus/