Mikeyy worm targets Oprah, New York Times and others

A new version of the Mikeyy cross-site scripting worm is spreading extremely rapidly across the Twitter micro-blogging network.

Messages posted by the worm include:

@oprah - sup? welcome to twitter. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@nytimes - yep, it's true. - mikeyy
@StephenColbert - you funny. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy

[Image: Mikeyy Oprah message]

The worm appears to be deliberately referencing Twitter users with a very large number of followers (for instance, @aplusk is Hollywood actor Ashton Kutcher who has more than a million followers), presumably with the hope of spreading the infection more quickly.

Compromised accounts appear to have their profiles altered to reference Mikeyy:

[Image: Profile affected by new Mikeyy worm]

My recommendation? If you are going to click on users' profiles on Twitter right now, make sure that your browser is fully patched and that you have scripting turned off, using plugins like NoScript for Firefox.

If you suspect you have been affected, clean out your Twitter profile and settings of any content that you did not add yourself, and - although it may not be the case that it has been compromised - consider using a more secure password.

Ironically, this new version of the Mikeyy worm has emerged at the same time as controversy is raging over whether a firm was right to hire the notorious Mikeyy Mooney, who admitted writing the original attacks.

As I explained earlier today, one of the reasons why Mikeyy Mooney's abuse of Twitter was so wrong was that it opened the door for other copy-cat attacks. At the moment it is not clear who is responsible for this latest outbreak.

Update: It also appears that the message

I work for exqSoft Solutions now - http://www.exqsoft.com/ - mikeyy

is spreading quickly. Other messages being posted by the worm include:

Twitter, you should be paying me now. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy

Please note that we have not verified that you can only be infected if you use Internet Explorer.

Be careful out there.

You can find more information about this attack on the SophosLabs blog.

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.