VIRUS ALERTS

Badbunny Macro Virus

Original issue date: May 25, 2007

A multi-platform macro virus named Badbunny has been observed affecting several operating systems, namely Windows, Linux and Mac OS. It propagates through an OpenOffice Draw file, badbunny.odg. The virus is a script embedded in badbunny.odg that performs different actions depending on the host's operating system. It also drops malicious script files in order to propagate via the IRC clients mIRC and X-Chat.

Badbunny is a proof-of-concept virus.

Aliases: IRC-Worm.StarOffice.Badbunny.a, SB.Badbunny (Symantec), SB/BadBunny-A (Sophos), StarBasic/Bunbad.A (Computer Associates), Worm.BadBunny.A (BitDefender), Worm/BadBunny.A (Avira), StarOffice/BadBunny (McAfee), VBS_BADBUN.A (Trend)

Upon execution:

  • It tries to download indecent JPEG images onto the compromised PC from the following website: http://www.gratisweb.com/bad[Removed]/badbunny.jpg

  • On Windows systems, it drops the following files at the locations listed:

    C:\drop.bad
    C:\badbunny.js
    C:\mirc\script.ini
    C:\mirc32\script.ini
    C:\Program Files\mirc\script.ini
    C:\Program Files\mirc32\script.ini

badbunny.js is a JavaScript file infector virus. script.ini is a script file that is executed automatically when the mIRC client is started on the infected system and sends a copy of the virus to other users via IRC.

  • On Linux, it drops a Perl file named badbunny.pl, which is a Perl file infector virus, and an X-Chat script file named badbunny.py at the following locations:

    {Linux root folder}/.xchat2/badbunny.py
    {Linux root folder}/BadBunny.pl

  • On Mac OS, it drops a file named badbunny.rb / badbunnya.rb, which is a Ruby file infector virus.

  • It sends large ICMP packets to the following anti-virus sites in a Distributed Denial of Service (DDoS) attack:

www.ikarus.at
www.aladdin.com
www.norman.no
www.norman.com
www.kaspersky.com
www.kaspersky.ru
www.kaspersky.pl
www.grisoft.cz
www.symantec.com
www.proantivirus.com
www.f-secure.com
www.sophos.com
www.arcabit.pl
www.arcabit.com
www.avira.com
www.avira.de
www.avira.ro
www.avast.com
www.virusbuster.hu
www.trendmicro.com
www.bitdefender.com
www.pandasoftware.comm [sic]
www.drweb.com
www.drweb.ru
www.viruslist.com
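The drop locations and the ICMP target list above are the concrete indicators a defender can act on. The following is an added example (not code from the advisory or from CERT-In) that sweeps a host, or a disk image mounted under another root, for the listed drop paths, and flags hosts whose flow records show large ICMP traffic to the listed anti-virus sites. It assumes that "{Linux root folder}" means the user's home directory, that the Mac OS drop location (which the advisory does not state) is also the home directory, and that "large" means an average of at least 1000 bytes per packet; the flow records and the scratch directory used in the demonstration are constructed.

```python
"""Added defender's example (not from the advisory): sweep a host or a mounted
disk image for the Badbunny drop locations listed above, and flag hosts whose
flow records show large ICMP traffic to the anti-virus sites it targets."""
import os
import tempfile
from pathlib import Path

# Drop locations exactly as the advisory lists them, stored relative to a root
# so the same check works on a live host or on an image mounted elsewhere.
# Assumptions: "{Linux root folder}" is taken to be the user's home directory,
# and the Mac drop location (not stated in the advisory) is assumed to be the
# home directory as well. Both spellings the advisory gives for the Perl
# dropper are checked because Linux file names are case-sensitive.
ARTIFACTS = {
    "windows": [
        ("drop.bad",), ("badbunny.js",),
        ("mirc", "script.ini"), ("mirc32", "script.ini"),
        ("Program Files", "mirc", "script.ini"),
        ("Program Files", "mirc32", "script.ini"),
    ],
    "linux": [(".xchat2", "badbunny.py"), ("BadBunny.pl",), ("badbunny.pl",)],
    "mac": [("badbunny.rb",), ("badbunnya.rb",)],
}
DEFAULT_ROOTS = {"windows": Path("C:/"), "linux": Path.home(), "mac": Path.home()}

# Anti-virus sites the advisory says are flooded with large ICMP packets
# (the advisory shows pandasoftware with a typo, "comm"; the real host is used here).
DDOS_TARGETS = {
    "www.ikarus.at", "www.aladdin.com", "www.norman.no", "www.norman.com",
    "www.kaspersky.com", "www.kaspersky.ru", "www.kaspersky.pl", "www.grisoft.cz",
    "www.symantec.com", "www.proantivirus.com", "www.f-secure.com", "www.sophos.com",
    "www.arcabit.pl", "www.arcabit.com", "www.avira.com", "www.avira.de",
    "www.avira.ro", "www.avast.com", "www.virusbuster.hu", "www.trendmicro.com",
    "www.bitdefender.com", "www.pandasoftware.com", "www.drweb.com", "www.drweb.ru",
    "www.viruslist.com",
}
# The advisory only says "large"; 1000 bytes per packet is an assumed threshold.
LARGE_ICMP_BYTES = 1000


def sweep_artifacts(platform, root=None):
    """Return the advisory-listed drop paths that exist under root."""
    root = Path(root) if root is not None else DEFAULT_ROOTS[platform]
    found = []
    for parts in ARTIFACTS[platform]:
        candidate = root.joinpath(*parts)
        if candidate.exists():
            found.append(str(candidate))
    return found


def flag_icmp_flood(flow_records, threshold=LARGE_ICMP_BYTES):
    """Return the set of source hosts sending large ICMP to a listed site.

    Each record is a dict with src, dst_host, proto, packets and bytes, the
    fields a NetFlow-style export or a firewall log would carry."""
    flagged = set()
    for rec in flow_records:
        if rec["proto"].upper() != "ICMP":
            continue
        if rec["dst_host"].lower() not in DDOS_TARGETS:
            continue
        avg_packet = rec["bytes"] / max(rec["packets"], 1)
        if avg_packet >= threshold:
            flagged.add(rec["src"])
    return flagged


# Constructed flow records for the demonstration (not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.7", "dst_host": "www.kaspersky.com", "proto": "ICMP", "packets": 4000, "bytes": 5900000},
    {"src": "10.0.0.7", "dst_host": "www.sophos.com", "proto": "ICMP", "packets": 3800, "bytes": 5600000},
    {"src": "10.0.0.9", "dst_host": "www.sophos.com", "proto": "ICMP", "packets": 3, "bytes": 252},  # ordinary ping
    {"src": "10.0.0.9", "dst_host": "www.example.com", "proto": "TCP", "packets": 40, "bytes": 52000},
]


def demo_sweep():
    """Plant one artifact in a scratch directory and sweep it, to show the
    output shape without touching the real file system."""
    scratch = tempfile.mkdtemp(prefix="badbunny-demo-")
    os.makedirs(os.path.join(scratch, ".xchat2"))
    Path(scratch, ".xchat2", "badbunny.py").touch()
    return sweep_artifacts("linux", scratch), sweep_artifacts("mac", scratch)


if __name__ == "__main__":
    found, clean = demo_sweep()
    print("linux sweep of scratch dir:", found)
    print("mac sweep of scratch dir:", clean)
    print("hosts flooding listed AV sites:", sorted(flag_icmp_flood(SAMPLE_FLOWS)))
```

On a live host, call sweep_artifacts("windows") or sweep_artifacts("linux") with no root to use the default drive or home directory; pass the mount point of an image as root to inspect it offline. A hit on any of these paths is a strong indicator on its own, since none of the files belongs to a clean mIRC or X-Chat installation.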

Users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not visit untrusted websites.

References

http://vil.nai.com/vil/content/v_142297.htm
http://sophos.com/security/analyses/sbbadbunnya.html
http://www.securityfocus.com/brief/507
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052303-2513-99
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS%5FBADBUN%2EA&VSect=P
http://www.theregister.co.uk/2007/05/22/badbunny/
http://www.isc.sans.org/diary.html?storyid=2847

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003