Sophos has posted a blog entry about a cross-site scripting worm that is targeting renren.com, a Facebook-type Chinese website. It is detected as W32/PinkRen-A.

The worm exploits an XSS hole in the website, one involving the Flash component attribute AllowScriptAccess="always". This allows “non-malicious” JavaScript to spread the worm.
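A site that accepts user-submitted Flash markup can audit it for this attribute before publishing. The following is an added example, not code from Sophos or renren.com: it flags any `<embed>` or `<object>`/`<param>` setting of allowScriptAccess other than "never". The policy of also flagging an `<embed>` that leaves the attribute unset, the function names, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

SAFE_VALUE = "never"  # the only setting that blocks SWF-to-page script calls outright


class FlashEmbedAudit(HTMLParser):
    """Records every allowScriptAccess setting that is not 'never'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line, tag, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "embed":
            # Assumed policy: user-submitted embeds must set the attribute explicitly.
            value = attrs.get("allowscriptaccess", "")
        elif tag == "param" and attrs.get("name", "").strip().lower() == "allowscriptaccess":
            value = attrs.get("value", "")
        else:
            return
        value = value.strip().lower()
        if value != SAFE_VALUE:
            self.findings.append((self.getpos()[0], tag, value or "(unset)"))


def audit(html):
    """Return (line, tag, value) for each unsafe Flash embed setting in html."""
    parser = FlashEmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of user-submitted markup (hosts and file names are made up).
SAMPLE = '''<p>Wish You Were Here</p>
<embed src="http://media.example/a.swf" AllowScriptAccess="always">
<object data="http://media.example/b.swf"><param name="allowScriptAccess" value="never"></object>
<object><param name="AllowScriptAccess" value="Always"></object>
<embed src="http://media.example/d.swf">
'''

if __name__ == "__main__":
    for line, tag, value in audit(SAMPLE):
        print(f"line {line}: <{tag}> allowScriptAccess={value}")
```
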

It poses as a video of Pink Floyd’s song Wish You Were Here. The first line of the worm is, “/ I’m not a malicious worm.^^;”.

The Orkut worm used the same technique two years ago.

Source: Sophos