The social-networking site MySpace.com is under what one computer security analyst calls an "amazingly virulent" attack caused
by a worm that steals logon credentials and spreads spam that promotes adware sites.
The worm is infecting MySpace profiles with such efficiency that an informal scan of 150 found that close to a third were
infected, said Christopher Boyd, security research manager at FaceTime Communications.
MySpace, owned by News Corp., is estimated to have at least 73 million registered users.
The worm works by using a cross-site scripting weakness found around two weeks ago in MySpace and a feature within Apple's QuickTime multimedia player.
The exploit starts with a user who visits a MySpace profile infected with an embedded QuickTime movie. The movie loads JavaScript
code that overlays a row of menu options on a MySpace profile with a bogus menu.
A QuickTime function, called the HREF track, can direct the player to use JavaScript commands to load Web pages into a browser
frame or window.
The JavaScript feature in QuickTime has legitimate uses, "but there are a lot of legitimate uses for technology that can be
misused," said Ross Paul, senior product manager with Websense.
If an option in the bogus menu is clicked, the user is directed to a fake logon page hosted on another server where the person's
logon details are captured.
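The two ingredients the article describes, an embedded QuickTime movie that can drive JavaScript through its HREF track, and menu links that lead off-site to a credential-harvesting page, are both visible in the profile markup a user submits. The following scanner is an added illustration written for this page; it is not code from the article, FaceTime, Websense or MySpace. It assumes a site operator runs it over user-supplied profile HTML, that the trusted host list and the logon keywords are the operator's own configuration, and that the sample profile is a constructed input rather than a real infected page.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve this site's own pages (assumed for the example).
TRUSTED_HOSTS = {"myspace.com", "www.myspace.com"}

# Path words that, in an off-site link, suggest a logon look-alike page.
LOGON_WORDS = ("login", "logon", "signin", "sign-in")

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Deliberately simple tag/attribute matching: good enough for a heuristic
# content scan, not a substitute for a real HTML parser.
TAG_RE = re.compile(r"<(embed|object|param|a)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


def parse_attrs(raw):
    """Turn the attribute part of a tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def host_of(url):
    host = urlparse(url.strip()).hostname
    return host.lower() if host else None


def is_trusted(url):
    """Relative links have no host and stay on the site; absolute ones must match the allow-list."""
    host = host_of(url)
    return host is None or host in TRUSTED_HOSTS


def looks_like_quicktime(tag, attrs):
    src = attrs.get("src") or attrs.get("data") or ""
    if tag == "param" and attrs.get("name", "").lower() in ("src", "qtsrc"):
        src = attrs.get("value", "")
    mime = attrs.get("type", "").lower()
    path = src.lower().split("?", 1)[0]
    return src, (mime == "video/quicktime" or path.endswith(".mov"))


def scan_profile(html):
    """Return (severity, reason, snippet) findings for one user-submitted profile body."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        snippet = m.group(0)[:80]
        if tag in ("embed", "object", "param"):
            src, is_qt = looks_like_quicktime(tag, attrs)
            if is_qt:
                # Auto-playing media needs no click to run whatever the movie's HREF track does.
                sev = "high" if attrs.get("autoplay", "").lower() == "true" else "medium"
                findings.append((sev, "embedded QuickTime media (HREF track can drive script)", snippet))
            if src and not is_trusted(src):
                findings.append(("medium", "embedded media fetched from untrusted host", snippet))
        elif tag == "a":
            href = attrs.get("href", "")
            if href and not is_trusted(href):
                path = urlparse(href).path.lower()
                if any(w in path for w in LOGON_WORDS):
                    findings.append(("high", "off-site link that looks like a logon page", snippet))
                else:
                    findings.append(("low", "off-site link", snippet))
    return findings


def risk_level(findings):
    """Highest severity among the findings, or 'none' for a clean profile."""
    return max((f[0] for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample profile: a hidden auto-playing .mov plus a menu link to an off-site logon page.
SAMPLE_PROFILE = """
<div class="about">Hi, welcome to my page!</div>
<embed src="http://media.example-cdn.test/clip.mov" type="video/quicktime"
       autoplay="true" width="1" height="1"></embed>
<a href="http://myspace-secure-logon.example.test/login.php">Home</a>
<a href="/friends">Friends</a>
<a href="http://www.myspace.com/browse">Browse</a>
"""

if __name__ == "__main__":
    for sev, reason, snippet in scan_profile(SAMPLE_PROFILE):
        print(f"[{sev}] {reason}: {snippet}")
    print("overall risk:", risk_level(scan_profile(SAMPLE_PROFILE)))
```

A scan like this is a triage aid: a flagged profile is queued for review or has its embedded media stripped, while relative links and links to the site's own hosts pass untouched. The off-site logon check is the part that most directly addresses the fake logon page the article describes, since the bogus menu only works if its links can leave the trusted domain.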
Websense has posted a screenshot of the fake logon page.
MySpace's "seemingly random tendency" to expire user sessions or log out users makes it less noticeable to victims that an
attack is under way, according to a Nov. 16 advisory by the Computer Academic Underground.
The IDG News Service is a Network World affiliate.