JS/QSpace

Type: Virus
SubType: Script
Discovery Date: 12/02/2006
Length: Varies
Minimum DAT: 4911 (12/05/2006)
Updated DAT: 4912 (12/06/2006)
Minimum Engine: 5.1.00
Description Added: 12/04/2006
Description Modified: 12/04/2006 4:34 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

When an infected profile is viewed, an embedded QuickTime movie plays and takes advantage of an XSS vulnerability within MySpace. The user is directed to an external site which contains a JavaScript file. This script modifies the user's profile to contain a new navigation bar which points to a phishing site, and embeds the malicious QuickTime movie in the Movie section of the user's Interests.

The JavaScript also modifies the following fields to point to a phishing site:

  • Headline
  • AboutMe
  • LikeToMeet
  • General
  • Music
  • Movies
  • Television
  • Books
  • Heroes

It may also send messages to the infected user's contacts, containing an image and a link to the malicious movie, with one of the following subject lines:

  • what else is there to do on a Sunday.?.......
  • You better not forget about this..
  • Hehe that was so funny..
  • better see this one last time lol..
  • omg did you see this last nite..
  • whos coming to the party tonight.?..

Infected users should change their passwords and remove references to the malicious sites and movie from their Interests.
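The cleanup check above can be done mechanically. The following is an added example, not part of the original description or of any vendor tool: it scans an exported profile for the listed fields, flags embedded QuickTime movies and off-site links, and matches message subjects against the listed lines. The export format, the `SAMPLE` data, the `.example` hosts and the `TRUSTED` list are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fields and subject lines exactly as listed in the description.
FIELDS = ["Headline", "AboutMe", "LikeToMeet", "General", "Music",
          "Movies", "Television", "Books", "Heroes"]
SUBJECTS = ["what else is there to do on a Sunday.?.......",
            "You better not forget about this..", "Hehe that was so funny..",
            "better see this one last time lol..", "omg did you see this last nite..",
            "whos coming to the party tonight.?.."]
TRUSTED = ("myspace.com",)  # assumption: hosts the site itself links to
# Constructed sample export; hosts and file names are placeholders.
SAMPLE = {"Headline": '<a href="http://login.phish.example/">Home</a>',
          "Movies": '<embed src="http://media.example/clip.mov">'}

def norm(subject):
    """Lowercase, collapse spaces, drop trailing dots and question marks."""
    return re.sub(r"[.?!\s]+$", "", " ".join(subject.lower().split()))
KNOWN = {norm(s) for s in SUBJECTS}

class Refs(HTMLParser):  # collects (tag, url) for href/src/data attributes
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [(tag, v) for k, v in attrs if v and k in ("href", "src", "data")]

def trusted(host):
    # Exact host or a true subdomain, so "evilmyspace.com" does not pass.
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def triage_profile(profile):
    """Return (field, reason, url) findings for the fields the worm edits."""
    findings = []
    for field in FIELDS:
        parser = Refs()
        parser.feed(profile.get(field, ""))
        for tag, url in parser.refs:
            u = urlparse(url)
            host = (u.hostname or "").lower()
            if tag in ("embed", "object") and u.path.lower().endswith(".mov"):
                findings.append((field, "embedded-quicktime", url))
            elif host and not trusted(host):
                findings.append((field, "external-link", url))
    return findings

def flag_subjects(subjects):
    """Return the subjects that match a listed line after normalisation."""
    return [s for s in subjects if norm(s) in KNOWN]
```

Subject matching ignores case and trailing punctuation, so a line with a different number of dots is still flagged.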

Symptoms

The navigation bar of the infected profile may appear slightly changed, or may appear in a slightly different location, depending on which internet browser is used.  Infected users' Interests fields may also change.

Method of Infection

This worm spreads from one infected MySpace profile to another when a user views the malicious QuickTime movie.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

-- Update December 4, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.heise-security.co.uk/news/81927
--

JS/QSpace infects profile pages on MySpace by way of an exploit, inserting links that point to a phishing site. It then sends messages to all of the infected users' contacts to spread further.

Aliases

  • JS.Qspace (Symantec)
  • JS/Quickspace.A (CA)
  • JS_QSPACE.A (Trend)
  • Worm.Win32.Ofigel.a (Kaspersky)
