Tuesday June 06, 2006

Some information about "stardust"

Currently there is a lot of news about "The first macro virus for StarOffice and OpenOffice.org".

I got the "proof of concept virus" from some antivirus company and looked a little bit deeper into it.

It's a macro in an sxw file; I can't find anything interesting there.
I asked the AV company whether that is the "original", and they confirmed it.
So I wonder why some news reports state that it works in StarOffice 5.2; that file can't even be loaded there...

Summary:

It doesn't act as a virus in any version of StarOffice or OpenOffice.org.

It's not even a valid proof-of-concept!

Details:

1) It doesn't start!

When the file is loaded, the user is asked whether to enable macros from this document.
Even if the user chooses "yes", no macro starts automatically.

2) It doesn't do anything special

When the user manually starts the macro, the only thing that happens is that an image should be loaded into a new document, and some text is written in the current document.
That's all!

3) No self reproduction

There is a subroutine called "InstallGlobalModule".
It's commented out, but even if you try to activate it, it doesn't work.
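
The checks in points 1) to 3) can be repeated on any document package; the following is an added example, not code from this post or from the sample. It assumes the package is a ZIP archive with Basic module sources under `Basic/` and event bindings stored as `event` or `event-listener` elements in `content.xml`; the sample package, its namespace strings and its routine names are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SUB_RE = re.compile(r"^\s*(?:(?:public|private)\s+)?(?:sub|function)\s+(\w+)", re.I)
COMMENT_RE = re.compile(r"^\s*(?:'|rem\b)", re.I)


def triage(package: bytes) -> dict:
    """List Basic routines (active and commented out) and event bindings."""
    report = {"routines": [], "commented_out": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            # Assumption: module sources are XML files below Basic/.
            if name.startswith("Basic/") and name.endswith(".xml"):
                source = "".join(ET.fromstring(z.read(name)).itertext())
                for line in source.splitlines():
                    # Strip a leading comment marker so disabled routines show up.
                    m = SUB_RE.match(COMMENT_RE.sub("", line, count=1))
                    if m:
                        key = "commented_out" if COMMENT_RE.match(line) else "routines"
                        report[key].append(m.group(1))
            elif name == "content.xml":
                # Assumption: a macro bound to a document event appears here.
                for el in ET.fromstring(z.read(name)).iter():
                    if el.tag.rsplit("}", 1)[-1] in ("event", "event-listener"):
                        report["event_bindings"].append(
                            {k.rsplit("}", 1)[-1]: v for k, v in el.attrib.items()})
    return report


def build_sample(autostart: bool = False) -> bytes:
    """Constructed test package with hypothetical routine names."""
    ns = "http://openoffice.org/2000/"
    module = (f'<script:module xmlns:script="{ns}script" script:name="Module1">'
              "Sub WriteText\nEnd Sub\n' Sub CopyToGlobal\n' End Sub\n"
              "</script:module>")
    event = ('<script:event script:event-name="on-load" '
             'script:macro-name="Standard.Module1.WriteText"/>' if autostart else "")
    content = (f'<office:document-content xmlns:office="{ns}office" '
               f'xmlns:script="{ns}script">{event}</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content)
        z.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
```

An empty `event_bindings` list together with a non-empty `routines` list matches the situation described above: macros are present, but nothing runs them unless the user does.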

Conclusion:

This is not a virus, not even a proof of concept.

OpenOffice.org has a macro language with access to local resources.
Of course this macro language can be used to perform any kind of task; that's its purpose!

Users shouldn't run macros from unknown sources, just as they shouldn't run any programs or other scripts from unknown sources.

Posted by Malte Timmermann (Jun 06 2006, 10:04:35 PM CEST)

 

Trackback URL: http://blogs.sun.com/malte/entry/some_information_about_stardust
Comments:

you're correct that stardust is not a 'real' virus... it is what the anti-virus industry refers to as an 'intended' virus... it would have been a virus if it weren't so badly broken...

Posted by kurt wismer on June 12, 2006 at 06:37 PM CEST
