The unnamed worm isn't malicious, said Symantec researchers, but the malformed Shockwave Flash (.swf) file containing the payload embeds JavaScript into the profile of any MySpace user who views the .swf file.
"This script code would then be interpreted by any user who visited the site, allowing sensitive data to be stolen, such as a hash value required to carry out operations as a user," said Symantec. Currently, that access is being used only to spread the JavaScript code to other profiles on the popular social network site.
An independent researcher has dissected the .swf file and commented on the code; his analysis is available here.
MySpace, which recently was dubbed the most visited site on the Internet, has been attacked in the past by scripts with similar methods of spreading, Symantec noted.
The Cupertino, Calif. security giant warned that this attack was just a step away from something much more serious, in large part because of the social network's rising popularity.
"If the payload were malicious, such as being used to carry out a secondary attack involving one of the recently discovered patched or unpatched vulnerabilities affecting Microsoft Office content, the impact could [have been] extremely high," Symantec's warning went.
Last week, MySpace was used to spread adware created by Zango, the company formerly known as 180solutions.
