Once executed, the virus creates the following files:
Once the file badbunny.rb is executed, it checks for write permissions to the following directories:
If it has write permissions, it then renames all the files in the above-mentioned directories in the following format:
[ORIGINAL FILE NAME]_
The virus then copies itself using the original file names.
When the user executes any commands present in the above-mentioned folders, the virus then displays the following message before completing the original command:Title:
Your system has been infected with:
>>> Dropper for Badbunny
>>> by SkyOut
Once the file badbunna.rb is executed, it infects any file in the folder the SB.Badbunny
worm was originally executed with the .rb extension.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":