Users who click on the profile of the person trying to befriend them are lead to the individual's page, which is overlaid with a real-looking Windows pop-up box promising automatic Windows updates, McAfee Avert Labs researcher Tad Heppner wrote today on the company blog.
Clicking on that box prompts an executable window requesting users to install the updates - specifically the Microsoft Malware Removal Tool (MSRT) - but it actually leads to "a true malware cocktail," he said. That includes a mixture of trojans, tools that permit remote control of the infected PC and other malware.
Researchers traced the IP address back to an internet service provider in Malaysia.
"Users should beware of friend requests from people they don't know and be cautious when surfing MySpace profiles," Heppner said. "Responsible browsing practices are advised."
Bill Sisk, security response communications manager for Microsoft, told SCMagazineUS.com in an email Monday that it was investigating public reports of the scam and that users should know that the MSRT is only available through Windows or Microsoft updates.
"Users should exercise caution with requests received from unknown sources, or received unexpectedly from known sources," he said.
This is not the first time spoofed Microsoft updates have been circulated in an attempt to drop malicious code on users' machines.
In June, experts said an email claiming to include a cumulative security update for Internet Explorer made the rounds, except it included a link to a malicious executable file on a remote server, which installs a browser add-on to the vicitm's PC.
A MySpace spokeswoman did not return a request for comment.