We were contacted tonight by a user who pointed out that several of his friends have had their MySpace profile pages modified.
The case looked like simple MySpace phishing, but it wasn't obvious to us how the profiles were modified. After investigating a bit further, it seems that we have a MySpace worm on our hands, using a malicious QuickTime MOV file to spread.
Infected MySpace pages are easy to find. They've had their standard MySpace header replaced with a new one:
The links here do not point to MySpace like they should. Instead they point to four different sites, hosting MySpace look-alike pages:
The final goal seems to be to steal MySpace logins in large numbers.
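
A defender-side check for the header tampering described above, written as an added example (not code from the original post): it extracts the links from a profile header and reports those that leave MySpace. The trusted domain `myspace.com`, the function names and the `.example` hosts in the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "myspace.com"  # assumption: legitimate header links stay on this domain

# Constructed sample header; the .example hosts are placeholders.
SAMPLE_HEADER = """
<div class="header">
  <a href="http://www.myspace.com/index.cfm">Home</a>
  <a href="/browse">Browse</a>
  <a href="http://www.myspace.com.login.example/index.cfm">Mail</a>
  <a href="http://myspace.com@profile.example/">Search</a>
  <a href="//music.example/">Music</a>
</div>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a fragment of profile HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_trusted(url, trusted=TRUSTED):
    """True only if the link resolves to the trusted domain or a subdomain."""
    parts = urlsplit(url.strip())
    if not parts.scheme and not parts.netloc:
        return True  # relative link, stays on the page's own host
    if parts.scheme not in ("", "http", "https"):
        return False  # javascript:, data:, mailto: etc. are reported
    # .hostname drops any "user@" prefix and port, so look-alike tricks fail.
    host = (parts.hostname or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def off_site_links(html):
    """Return the links in the fragment that leave the trusted domain."""
    collector = LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if not is_trusted(h)]


if __name__ == "__main__":
    print(off_site_links(SAMPLE_HEADER))
```

Matching on the parsed hostname rather than on a substring is what catches look-alike URLs that merely contain the string `myspace.com`.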
The infected files are hosted on several different sites, including: www.daviddraftsystem.com, www.tm-group.co.uk, www.cake.fi and almobty.com.
We've seen two different versions of the malicious QuickTime file. We detect them as JS/Quickspace.A with update 2006-12-02_01.