December 3rd, 2006
Myspace Worm Using Quicktime HREF Track
By Jimmy Daniels
Contributing Writer, RealTechNews
And, of course, Zango is involved. I thought they were reforming?
A new and potentially huge worm is making the rounds on Myspace, involving the QuickTime Videos “feature” of allowing JavaScript in QuickTime files, Zango, a spammer pimping his pages, and phishing. Now all we need are a couple goats and some whipped cream.
It begins with a QuickTime file being embedded in a Profile page. If the user “runs” the file (simply visiting the infected page is enough to trigger the attack in most cases), it uses the HREF function to activate some JavaScript.
Allowing JavaScript from a movie file….whoops.
When this happens, the profile page is “infected” and pastes a fake overlay of options onto the profile page - the most serious of which is (of course) the fake login button. If your page has been affected, you will see a strange, blue navigation bar such as this on your page. If this is the case, you will need to clean out your profile and check if any of your friends have also been infected - if they are, you will continue to be reinfected…most likely via the friends list itself. We have seen reports of users complaining that even when they’ve removed the fake navigation bar from their page, it comes right back if one of their friends is infected - so it looks like the friends list is being exploited in much the same way the Orkut worm used a similar feature to spread. Except in this case, the only option to fix the problem is get your friend to remove the infection code from their page, or remove your friend from your list indefinitely.
Going back to the fake login, if you enter your details, you have officially been Phished. Source: Greynet’s Blog
Is that all? Nope, there’s more. Apparently, this spammer is not too bright as he is directing everything to his homepage with the Zango videos.
The url that Fake YouTube video would have been linked to is what gave this douche-bag up: http://google.com/url?q=http://www.vidchicks.com/home.php. That “home.php” simply redirects you to the same url you’d get as a pop-under if you visited any page on Vidchicks.com: http://www.vidchicks.com/popunder.html. And, that popunder.html is simply a landing page being used to get people to install some adware courtesy of Zango. I was able to dig up all kinds of dirt on the webmaster of Vidchicks.com. I’ll get to that in a second.
So, he’s basically just scumming it up in any way that he can. After doing a bit of research on this guy I found that this is his typical behavior.
He goes by a number of different names on webmaster forums because he has a knack for doing shady stuff. If you’re doing business with a guy that goes by the name eLogic or Creepah, I highly suggest that you stop. Those are two of his handles for sure. The eLogic name is used on some forums where he does traffic trades and whatnot. And, he tried to sell Vidchicks.com on DNForum (registration required, DNForum sucks like that) a few weeks back under the name Creepah. Oh yeah, Vidchicks.com is registered under the fake business name of eLogic Inc. Source: GhettoWebmaster.com
We Say: This guy was even using extremetracking.com to track his visitors, and his stats are still available here. Myspace blocked those domains and had the files pulled from them, but you can still use QuickTime files and this worm is spreading again today using different domains. That last blog post estimated that 1/10th of active users have been “phished”, and their accounts are spamming and trying to spread as well. As of right now, this guy has cleaned up his act a little and is trying to pretend it wasn’t him. At least one of the domains he was using is down, and someone has edited the file to let people know it is a phishing attempt and not an actual login.
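The point above, that blocking the worm's hosting domains did not stop it while QuickTime embeds were still allowed, shown as an added example (not code from the original post or from Myspace): a Python audit of profile HTML that compares a host blocklist against flagging every QuickTime embed by type. The host names and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for a hosting domain the site has already blocked.
BLOCKED_HOSTS = {"blocked.example"}
QT_TYPES = {"video/quicktime"}
QT_EXTS = (".mov", ".qt")

class EmbedAudit(HTMLParser):
    """Collects (url, declared MIME type) for embedded media in profile HTML."""
    def __init__(self):
        super().__init__()
        self.media = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "embed":
            url = a.get("src", "")
        elif tag == "object":
            url = a.get("data", "")
        elif tag == "param" and a.get("name", "").lower() == "src":
            url = a.get("value", "")
        else:
            return
        self.media.append((url, a.get("type", "").lower()))

def is_quicktime(url, mime):
    """True if the declared type or the file extension says QuickTime."""
    return mime in QT_TYPES or urlparse(url).path.lower().endswith(QT_EXTS)

def audit(profile_html):
    """Return (urls caught by the host blocklist, urls caught by media type)."""
    parser = EmbedAudit()
    parser.feed(profile_html)
    parser.close()
    by_host, by_type = [], []
    for url, mime in parser.media:
        if (urlparse(url).hostname or "").lower() in BLOCKED_HOSTS:
            by_host.append(url)
        if is_quicktime(url, mime):
            by_type.append(url)
    return by_host, by_type

# Constructed sample profile markup: one blocked host, two fresh hosts, one Flash embed.
SAMPLE = """
<embed src="http://blocked.example/a.mov" type="video/quicktime">
<embed src="http://new-host.example/b.mov">
<object type="video/quicktime" data="http://other.example/clip"></object>
<embed src="http://video.example/player.swf" type="application/x-shockwave-flash">
"""
```

On the sample, the blocklist catches only the embed on the already-blocked host, while the type check also catches the two QuickTime embeds moved to new hosts and leaves the Flash embed alone.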