NEWS FROM THE LAB - Saturday, December 2, 2006

New MySpace worm using a QuickTime exploit
Posted by Mikko @ 20:52 GMT

We were contacted tonight by a user who pointed out that several of his friends have had their MySpace profile page modified.

The case looked like simple MySpace phishing, but it wasn't obvious to us how the profiles were modified. After investigating a bit further, it seems that we have a MySpace worm on our hands, using a malicious QuickTime MOV file to spread.

Infected MySpace pages are easy to find. They've had their standard MySpace header replaced with a new one:


The links here do not point to MySpace like they should. Instead they point to four different sites, hosting MySpace look-alike pages:



When you visit an infected page with IE, an embedded MOV movie file (piAF2iuswo.mov) will be downloaded. The MOV file contains a JavaScript snippet that will download a JavaScript file (js.js) which will modify YOUR MySpace profile (if you have one). After that, everybody who visits your MySpace profile gets hit too.
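A defender-side check for the two symptoms described above (navigation links that leave MySpace, and a QuickTime file embedded from another host), added here as an example and not code from the original post. The trusted domain, the navigation labels and the sample hosts are assumptions, and the sample markup is constructed; only the file name piAF2iuswo.mov comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "myspace.com"
NAV_LABELS = {"home", "browse", "search", "mail"}  # assumed header labels

def offsite_host(url):
    """Host of an absolute URL outside TRUSTED; None if relative or on-site."""
    host = (urlparse(url).hostname or "").lower()
    on_site = host == TRUSTED or host.endswith("." + TRUSTED)
    return host if host and not on_site else None

class ProfileAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._link_host = None  # off-site host of the <a> being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._link_host, self._text = offsite_host(a.get("href") or ""), []
        elif tag in ("embed", "object"):
            url = a.get("src") or a.get("data") or ""
            host = offsite_host(url)
            if host and urlparse(url).path.lower().endswith((".mov", ".qt")):
                self.findings.append(("offsite-quicktime", host))

    def handle_data(self, data):
        if self._link_host:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_host:
            label = "".join(self._text).strip().lower()
            if label in NAV_LABELS:  # site navigation label on an off-site link
                self.findings.append(("spoofed-nav-link", self._link_host))
            self._link_host = None

def audit(html):
    parser = ProfileAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = (  # constructed markup; hosts are placeholders
    '<a href="http://login.myspace.com.lookalike.example/">Home</a>'
    '<embed src="http://files.example/piAF2iuswo.mov">'
)
```

The suffix comparison in `offsite_host` is what keeps a host such as `login.myspace.com.lookalike.example` from passing as on-site; ordinary off-site links with non-navigation text are not reported.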

The final target seems to be to steal MySpace logins in mass quantities.

The infected files are hosted on several different sites, including:
www.daviddraftsystem.com, www.tm-group.co.uk, www.cake.fi and almobty.com.

We've seen two different versions of the malicious QuickTime file. We detect them with updates 2006-12-02_01 as JS/Quickspace.A.

More on this case from a blog entry at SpywareGuide.