MySpace video has rigged QT file 'worm'
A video on MySpace.com pages changes people's profiles when played, embedding itself and adding links to fraudulent Web sites, according to a new report.
The video is a rigged QuickTime file that exploits a MySpace vulnerability and support for JavaScript in Apple's embedded media player. When played by a MySpace user, the video adds itself to the user's MySpace page and replaces the links on the user's profile with links to phishing Web sites, according to the [url=http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708]Websense site[/url]. Phishing sites are fraudulent sites that attempt to trick people into giving up sensitive information such as log-in credentials.
Here's what Websense says about the worm: "Once a user's MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site. Any other users who visit this newly-infected profile may have their own profile infected as well. An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, or both."