Worm:JS/Twitime.A
First posted on 01 May 2009.
Source: SecurityHome
Aliases :
Worm:JS/Twitime.A is also known as Trojan.Twitter.A (BitDefender), Stalkdaily worm (other).
Explanation :
Worm:JS/Twitime.A is a JavaScript worm that takes advantage of a cross-site scripting (XSS) vulnerability in the social networking site Twitter.com. The worm modifies user account status messages.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The display of any of the following status updates on a user account on the social networking site Twitter.com:
"Dude, www.StalkDaily.com is awesome. What's the fuss?"
"Join www.StalkDaily.com everyone!"
"Woooo, www.StalkDaily.com :)"
"Virus!? What? www.StalkDaily.com is legit!"
"Wow...www.StalkDaily.com"
"@twitter www.StalkDaily.com"
Installation
In the wild, the JavaScript worm is hosted on a user account on the domain 'uuuq.com'. When activated, a link to the malicious JavaScript worm is inserted into user account pages on the site Twitter.com.
Spreads Via…
Cross-Site Scripting Vulnerability
This worm exploits a cross-site scripting vulnerability. Twitter.com reports having resolved security issues that allowed the worm to spread within the website.
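An added example, not part of the original analysis: a heuristic triage check for the two indicators this entry describes, a script loaded into a profile page from a host outside the site's own, and status updates naming the promoted domain. The allowlist, function names, sample markup and the `placeholder.uuuq.com` host are assumptions constructed for illustration.

```javascript
// Heuristic triage for the two indicators this entry describes (added example).
const FIRST_PARTY_HOSTS = ["twitter.com"];   // assumed allowlist of the site's own script hosts
const PROMOTED_DOMAIN = "stalkdaily.com";    // domain named in the status messages listed on this page

// True when host is an allowlisted host or a subdomain of one.
function isFirstParty(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FIRST_PARTY_HOSTS.some((fp) => h === fp || h.endsWith("." + fp));
}

// Hosts of <script src=...> tags that load from outside the allowlist.
// Regex matching is a triage heuristic, not a full HTML parser.
function foreignScriptHosts(html, pageUrl) {
  const tagRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hosts = [];
  for (const m of html.matchAll(tagRe)) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      // Resolving against the page URL handles relative and protocol-relative src values.
      const host = new URL(raw, pageUrl).hostname;
      if (!isFirstParty(host)) hosts.push(host);
    } catch {
      hosts.push("(unparseable src)");
    }
  }
  return hosts;
}

// Combine both checks for one profile page and its recent status updates.
function triageProfile(html, pageUrl, statuses) {
  return {
    foreignHosts: foreignScriptHosts(html, pageUrl),
    flaggedStatuses: statuses.filter((s) => s.toLowerCase().includes(PROMOTED_DOMAIN)),
  };
}

// Constructed sample input; the uuuq.com subdomain and paths are placeholders.
const SAMPLE_HTML = `
<script src="/javascripts/app.js"></script>
<script type="text/javascript" src='http://static.twitter.com/lib.js'></script>
<SCRIPT SRC=http://placeholder.uuuq.com/x.js></SCRIPT>`;
const SAMPLE_STATUSES = ["Wow...www.StalkDaily.com", "Lunch was great today"];

console.log(triageProfile(SAMPLE_HTML, "http://twitter.com/sample_user", SAMPLE_STATUSES));
```

A match from either check is a lead for review, not proof of compromise: a user can mention the domain by hand, and a real page may load scripts from additional first-party hosts that belong in the allowlist.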
Payload
Modifies User Status Messages
The worm may modify the affected user's Twitter status message to one of the following examples:
"Dude, www.StalkDaily.com is awesome. What's the fuss?"
"Join www.StalkDaily.com everyone!"
"Woooo, www.StalkDaily.com :)"
"Virus!? What? www.StalkDaily.com is legit!"
"Wow...www.StalkDaily.com"
"@twitter www.StalkDaily.com"
Additional Information
Twitter.com posted information at the following URL:
http://status.twitter.com/post/95332007/update-on-stalkdaily-com-worm
The text at the site reads as follows:
"… we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability. We’ve taken steps to remove the offending updates, and to close the holes that allowed this “worm” to spread. No passwords, phone numbers, or other sensitive information were compromised as part of this attack."
Analysis by Dan Kurc
Last update 01 May 2009