According to security vendor McAfee, one of the profiles on MySpace currently serves up a fraudulent Microsoft security update that, if clicked, attempts to load malicious software. The profile of a 42-year-old woman from Arkansas appears to exist solely for the purpose of infecting visitors. McAfee says that both Microsoft and MySpace have been contacted.
Joris Evers, publicity director at McAfee, says "attackers send unwitting MySpace users a friend request, asking them to become friends with 'Rita.' When the user clicks to see who 'Rita' is they are sent to the profile that serves up malware." The profile page is "overlaid with what looks like a legitimate Windows 'Automatic Updates' pop-up box. Clicking on or near the pop-up results in a request for a file download masked as a Microsoft update called 'updateKB890830.exe' from a server that includes 'winxpupdate.Microsoft' in its name."
As of now the page is still available on the MySpace site. McAfee says its customers are protected. CNET tested ZoneAlarm and a few other security apps that also blocked access to the malicious code.