Best Security Tips
   
Security Incidents : Myspace.Com Spreads Zango Through Quicktime Player
Posted by Max on 2006/12/4 8:58:08 (1309 reads)

The attack starts with a Quicktime file being placed on a profile page. If the user "runs" the file (simply visiting the infected page is enough to trigger the attack in most cases), it uses the HREF function to activate some Javascript.

An HREF track is a particular type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, that load in another frame, or that load in QuickTime Player. They can also specify JavaScript functions or Web pages that load in a specific browser frame or window.
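A defender reviewing an uploaded movie can export its HREF text track and check each entry for script URLs and for entries that load without a click. The following is an added example, not part of the original article: the function names are hypothetical, the sample track is constructed with placeholder URLs, and the entry syntax (`[time] A<URL> T<target>`, where a leading `A` means the URL loads automatically) is assumed from Apple's documented HREF track text format.

```python
import re

# One HREF sample: optional "A" (auto-load, no click needed), <URL>, optional T<target>.
# Syntax is an assumption based on Apple's QuickTime HREF track text format.
HREF_RE = re.compile(r'(?P<auto>A)?<(?P<url>[^>]*)>(?:\s*T<(?P<target>[^>]*)>)?')
TIME_RE = re.compile(r'^\[(?P<ts>[\d:.]+)\]\s*(?P<rest>.*)$')
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def parse_href_track(text):
    """Yield (timestamp, auto, url, target) for each HREF sample in a text-track export."""
    for line in text.splitlines():
        m = TIME_RE.match(line.strip())
        if not m:
            continue  # header line such as {QTtext}, or a blank line
        h = HREF_RE.search(m.group("rest"))
        if h:  # timestamps with no URL are skipped
            yield m.group("ts"), bool(h.group("auto")), h.group("url").strip(), h.group("target")


def audit_href_track(text):
    """Return findings for samples that run script or load without user interaction."""
    findings = []
    for ts, auto, url, target in parse_href_track(text):
        is_script = url.lower().startswith(SCRIPT_SCHEMES)  # scheme check is case-insensitive
        if is_script and auto:
            severity = "high"    # script runs as soon as the movie plays
        elif is_script:
            severity = "medium"  # script runs only if the viewer clicks
        elif auto:
            severity = "low"     # automatic navigation to an ordinary URL
        else:
            continue             # click-through link to an ordinary URL
        findings.append({"time": ts, "severity": severity, "url": url, "target": target})
    return findings


# Constructed sample export; the URLs are placeholders, not values from the incident.
SAMPLE = """{QTtext}{timeScale:30}
[00:00:00.00] A<javascript:placeholderFunction()> T<_self>
[00:00:05.00] <http://example.com/next.mov> T<myself>
[00:00:10.00] A<http://example.com/page.html> T<_blank>
[00:00:15.00] <JavaScript:otherPlaceholder()>
[00:00:20.00]
"""

if __name__ == "__main__":
    for finding in audit_href_track(SAMPLE):
        print(finding)
```
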

When this happens, the profile page is "infected" and a fake overlay of options is inserted onto it, the most serious of which is a fake login button. If your page has been affected, you will see a weird, blue navigation bar on your page.


If this is the case, you will need to clean out your profile and check whether any of your friends have also been infected. If they have, you will continue to be reinfected, most likely via the friends list itself.
There have been reports from users that even when they've removed the fake navigation bar from their page, it comes right back if one of their friends is infected, so it looks like the friends list is being exploited in much the same way the Orkut worm used a similar feature to spread.
In this case, however, the only way to fix the problem is to get your friend to remove the infection code from their page, or to remove your friend from your list for an indefinite period.

Going back to the fake login: if you enter your details, you have officially been phished, and your details will be used to spam any one of a number of messages, including:

'what else is there to do on a Sunday.?.......'
'You better not forget about this..'
'Hehe that was so funny..'
'better see this one last time lol..'
'omg did you see this last nite..'
'whos coming to the party tonight.?..'

Users who have been deceived into using the fake domain login also report that the Quicktime movie is arbitrarily embedded into their "about me" and / or "movies" section, thus ensuring the spread of this worm continues (because of course when activated, the HREF function will run the Javascript and overlay the profile page with the fake navigation bar).

Yet that's not all there is to this scam, because you're not going to go to all this trouble unless there's the chance of making a quick buck at the same time. Along with the above messages, what appears to be a movie file is pasted underneath the text. Of course, it's not a movie file - it's just a random screenshot (hosted on Imageshack) of a pornographic scene.

Clicking the image will take you to a site called Vidchicks containing numerous Zango videos (including a popunder that shows many more), and the sole purpose of this phishing attack seems to be to drive traffic to this content. Of course, the webmaster will receive money for each piece of Zango adware installed.



