As predicted: someone made Orkut a living hell by exploiting an XSS flaw in the “scrap” system. Any user who read his own scraps (probably the first thing most users do after logging on) automatically sent an infected scrap to every user on his friend list. The user was also automatically joined to a community called Infectados pelo Vírus do Orkut (“Infected by Orkut’s Virus”).
The community had almost 400 000 members at the time of this writing, a very respectable number considering it was reached in one day at most (although I believe the attack had only been running for a few hours). From my observations of the attack, it seems there was a flaw in the parsing of Flash object insertion, but that is not certain. Google has now taken measures against further spreading of the attack.
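Whatever the exact parsing bug was, the defence that makes this class of scrap worm impossible is an allow-list: instead of trying to recognise bad markup in user-submitted scraps, keep only a short list of known-safe tags and attributes, require `href`/`src` values to be plain http(s) URLs, and drop everything else, `<object>` and `<embed>` included. The following is an added illustration written for this post, not Orkut’s code; the tag policy, the function names and the constructed “infected” scrap are my assumptions.

```javascript
// Added example, not Orkut's code. Allow-list sanitizer for scrap markup:
// every tag and attribute not explicitly listed is dropped, so a Flash
// <object>/<embed>, a <script>, an on* handler or a javascript: URL never
// reaches the page, whatever the server's own HTML parser does with it.
const ALLOWED = {            // tag -> attributes it may keep (assumed policy)
  b: [], i: [], u: [], br: [],
  a: ["href"],
  img: ["src", "alt"],
};
// Only absolute http(s) URLs survive; javascript:, data:, vbscript: do not.
const SAFE_URL = /^https?:\/\/[^\s"'<>]+$/i;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Re-emits only the allowed attributes of one tag, re-quoted and escaped.
function filterAttrs(tag, raw) {
  const allowed = ALLOWED[tag];
  const attrRe = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "", m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(name)) continue;     // onerror, style, allowScriptAccess, ...
    if ((name === "href" || name === "src") && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Walks the scrap tag by tag; text between tags is escaped, unknown tags vanish.
function sanitizeScrap(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const out = [];
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!(tag in ALLOWED)) continue;            // <object>, <embed>, <script>, ... dropped
    out.push(m[1] ? `</${tag}>` : `<${tag}${filterAttrs(tag, m[3])}>`);
  }
  out.push(escapeText(html.slice(last)));       // a dangling "<b c" is plain text
  return out.join("");
}

// Constructed sample scrap (not the real payload): a Flash embed with script
// access, a javascript: link, an image with an onerror handler, and a stray "<".
const INFECTED_SCRAP =
  '<b>oi!</b>' +
  '<embed src="http://attacker.example/worm.swf" allowScriptAccess="always">' +
  '<a href="javascript:alert(document.cookie)">click</a>' +
  '<img src="http://img.example/p.png" onerror="alert(1)">' +
  ' a<b c';

console.log(sanitizeScrap(INFECTED_SCRAP));
```

The point of the allow-list is that it fails closed: a tag the sanitizer has never heard of, or an attribute value it cannot parse cleanly (an unterminated quote, a `>` inside a value), is simply not re-emitted, and whatever is left over becomes escaped text. Tag balancing is deliberately left out here; a production sanitizer would also close any tags the scrap left open so that formatting cannot leak into the rest of the page.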
The worm does nothing besides spreading and creates no files on the user’s hard drive: it runs entirely within the scope of the user’s browser and Orkut’s website. A truly malicious programmer could have made far more destructive use of a flaw like this by combining it with browser exploits that would actually compromise the victims’ machines.